PowerShell: How to add all users in an OU to a Security Group using Get-ADUser and Add-ADGroupMember

PowerShellI’m currently setting up a new system for a client and wanted to add all users in a specific Organisational Unit (OU) to a specific Security Group.

I’ve written about Get-ADUser a few times before, so by combining that with another PowerShell cmdlet Add-ADGroupMember to add users to a group we should be in business!

In this example we’ll add users in the OU Head Office to the SSLVPN Users Security Group.

Right, on with a quick tutorial of Get-ADUser.The following screenshots are taken from my Windows Server 2012 R2 demo lab.

Lets start off with Get-ADUser -filter *

Get-ADUser -Filter starThis will return all the users in the domain.  Let’s make it a little more readable so we can see the users we want to add to a group.

Try Get-ADuser -FIlter * | ft Name, DistinguishedName -Autosize

Get-ADUser -Filter star ft name distinguishedname autosizeWe can see we have a few users in the OU Head Office, but the command is still returning other users as well. So let’s modify it to return only users in the Head Office OU.

We can use -SearchBase to specify and Active Directory path to search under.

Get-ADUser -SearchBase ‘OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com’ -Filter * | ft Name, DistinguishedName -Autosize

Get-ADUser -SearchBase -Filter star ft name distinguishedname autosize

Ok, so we can select the specific users in an OU. Now we have to add these to the SSLVPN Users Security Group.

The cmdlet to add user to a group is Add-ADGroupMember, we can find this out by using the Get-Command cmdlet or its abreviation GCM.

Get-Command *Group*

Will return all cmdlets with Group in their name.

Get-Command or GCM

We can then use Get-Help Add-ADGroupMember to view the cmdlet in more detail.

Get-Help Add-ADGroupMember

We can see the two parameters we need to use with the command is Indentity, which specifies the group we want to add members to, and Members, which specifices the users we want to add.

So as out Get-ADUser cmdlet gives us the users, lets try and pipe it into the Add-ADGroupMember cmdlet.

Get-ADUser -SearchBase ‘OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com’ -Filter * | Add-ADGroupMember -Identity ‘SSLVPN Users’

Get-ADUser -searchbase -Filter star pipe Add-ADGroupMember -IdentitiyThe Add-ADGroupMember cmdlet is stil requesting Members, so it seems it doesn’t accept the list we have outputted using Get-ADUser.

We still have options though, we can try the ForEach-Object cmldet and see if this helps us out.

ForEach-Object performs an action against each item in a collection of objects. In our case we want to use it to add each user in the list of users to a group. If we combine it with the $_ variable, which acts as a placeholder for the current object we should be on the right track. We can use -WhatIf to see what would happen if the command runs without making any changes until we get it correct.

Get-ADUser -SearchBase ‘OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com’ -Filter * | ForEach-Object {Add-ADGroupMember -Identity ‘SSLVPN Users’ -Members $_ -WhatIf}

Get-ADUser -searchbase -Filter star pipe ForEach-Object Add-ADGroupMember -Identitiy -Members -whatifSo we can see from above we have six outputs where a set is performed on the SSLVPN Users group. So I think we have cracked it!

Now lets run the command without -WhatIf.

Get-ADUser -SearchBase ‘OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com’ -Filter * | ForEach-Object {Add-ADGroupMember -Identity ‘SSLVPN Users’ -Members $_ }

Get-ADUser -searchbase -Filter star pipe ForEach-Object Add-ADGroupMember -Identitiy -MembersNo errors are returned which is a good start!, Now let’s check the SSL VPN Users security group in ADUC first before the command is run.

SSLVPN Users beforeAnd then after the command has been run.

SSLVPN Users after

So our final PowerShell command to add users in an OU to a Security Group is:

Get-ADUser -SearchBase ‘OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com’ -Filter * | ForEach-Object {Add-ADGroupMember -Identity ‘SSLVPN Users’ -Members $_ }


Get-ADUser http://technet.microsoft.com/en-us/library/ee617241.aspx

Add-ADGroupMember https://technet.microsoft.com/en-gb/library/ee617210.aspx

ForEach-Object https://technet.microsoft.com/en-us/library/hh849731.aspx

PowerShell Variables: http://www.computerperformance.co.uk/powershell/powershell_variables.htm

TechNet Magazine: https://technet.microsoft.com/en-us/magazine/ee677578.aspx

Related Posts:

1. PowerShell: Get-ADComputer to retrieve computer last logon date – part 1

2. PowerShell: Get-ADUser to retrieve logon scripts and home directories – Part 2

3. PowerShell: Get-ADUser to retrieve password last set and expiry information

4. PowerShell: Get-ADUser to retrieve disabled user accounts

5. PowerShell: How to use Get-ADUser to list all recently created accounts (and recently changed accounts)

If you found this post useful please Share, Like or leave a comment! Thanks, Carl.

11 thoughts on “PowerShell: How to add all users in an OU to a Security Group using Get-ADUser and Add-ADGroupMember

  1. Rick Franz

    Thank you for the great information.

    What would the syntax be to add the users to multiple groups?


    1. Peter

      A little late (only a year! Psh!), but it could look like something like this:

      Get-ADUser -SearchBase ‘OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com’ -Filter * | ForEach-Object {
      Add-ADGroupMember -Identity ‘SSLVPN Users’ -Members $_
      Add-ADGroupMember -Identity ‘A Second Group’ -Members $_

  2. AK

    super helpful – now if I could figure out how to add on prem AD users to a 365 security group in a hybrid setup scenario!

  3. Steve Wysocki

    Thanks Man. Great post! I was missing the iterator, and your instructions helped me figure it out.

  4. Matthew B

    Very nice work.

    I have a challenge and wanted to know before I dive in if it is even possible.

    I wanted to have powershell scan AD, and automagically create a new Security Group names on the OU and then add all users in that OU to that security group…

    ——-Joe Blow
    ——-Mo Blow
    —— Mike Rawks
    ——-Dave IT4Life
    ——- Steve Coder
    ——- Nick DevOps God

    So powershell would scan down via the OU to Accounting, create a security group called Accounting and then auto add any user found below that into Accounting security group..

    Is this even possible?

    1. OxfordSBSguy.com Post author

      I expect it is possible, have a go and post the code for how far you get and if you get stuck I’ll try and take a look.


  5. Brian

    Love the code, any chance you have a follow up which would check if users are still in that OU, and if not remove them from the group?

Comments are closed.