I’m currently setting up a new system for a client and wanted to add all users in a specific Organisational Unit (OU) to a specific Security Group.
I’ve written about Get-ADUser a few times before, so by combining that with another PowerShell cmdlet, Add-ADGroupMember, which adds users to a group, we should be in business!
In this example we’ll add the users in the OU Head Office to the SSLVPN Users Security Group.
Right, on with a quick tutorial of Get-ADUser. The following screenshots are taken from my Windows Server 2012 R2 demo lab.
Let’s start off with Get-ADUser -Filter *
This will return all the users in the domain. Let’s make it a little more readable so we can see the users we want to add to a group.
Try Get-ADUser -Filter * | ft Name, DistinguishedName -AutoSize
We can see we have a few users in the OU Head Office, but the command is still returning other users as well. So let’s modify it to return only users in the Head Office OU.
We can use -SearchBase to specify an Active Directory path (the distinguished name of the OU) to search under.
Get-ADUser -SearchBase 'OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com' -Filter * | ft Name, DistinguishedName -AutoSize
Ok, so we can select the specific users in an OU. Now we have to add these to the SSLVPN Users Security Group.
The cmdlet to add users to a group is Add-ADGroupMember. We can find this out by using the Get-Command cmdlet, or its alias gcm:
Get-Command *Group*
Will return all cmdlets with Group in their name.
We can then use Get-Help Add-ADGroupMember to view the cmdlet in more detail.
We can see the two parameters we need to use with the command are -Identity, which specifies the group we want to add members to, and -Members, which specifies the users we want to add.
So as our Get-ADUser cmdlet gives us the users, let’s try and pipe it into the Add-ADGroupMember cmdlet.
Get-ADUser -SearchBase 'OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com' -Filter * | Add-ADGroupMember -Identity 'SSLVPN Users'
The Add-ADGroupMember cmdlet is still prompting for Members, so it doesn’t accept the list we have output from Get-ADUser. The reason is that only the -Identity parameter of Add-ADGroupMember accepts pipeline input (it expects the group to be piped in, not the members), and we have already supplied the group by name, so -Members is left unbound.
We still have options though: we can try the ForEach-Object cmdlet and see if this helps us out.
ForEach-Object performs an action against each item in a collection of objects. In our case we want to use it to add each user in the list of users to a group. If we combine it with the $_ variable, which acts as a placeholder for the current object we should be on the right track. We can use -WhatIf to see what would happen if the command runs without making any changes until we get it correct.
Get-ADUser -SearchBase 'OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com' -Filter * | ForEach-Object {Add-ADGroupMember -Identity 'SSLVPN Users' -Members $_ -WhatIf}
So we can see from above we have six outputs where a Set is performed on the SSLVPN Users group, one per user. So I think we have cracked it!
Now let’s run the command without -WhatIf.
Get-ADUser -SearchBase 'OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com' -Filter * | ForEach-Object {Add-ADGroupMember -Identity 'SSLVPN Users' -Members $_}
No errors are returned, which is a good start! Now let’s check the SSLVPN Users security group in ADUC, first before the command is run,
And then after the command has been run.
So our final PowerShell command to add users in an OU to a Security Group is:
Get-ADUser -SearchBase 'OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com' -Filter * | ForEach-Object {Add-ADGroupMember -Identity 'SSLVPN Users' -Members $_}
One caveat before running this against a group that grants access: -Filter * returns every user object under the OU, including disabled accounts, and Get-ADUser searches child OUs as well (-SearchScope defaults to Subtree), so review the -WhatIf output before the group gains members you did not intend.
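The one-liner above works, but for a group that hands out VPN access most admins will want something they can re-run safely from a scheduled task. The following is an added example (my code, not from the original post): it goes a step beyond the one-liner by only picking enabled accounts, comparing against the group's current membership so that each run reports exactly what changed, passing the whole list to -Members in one call instead of one directory write per user, and optionally removing members who have since left the OU. It assumes the ActiveDirectory module is available and uses the OU and group names from the post; the function name and its parameters are my own.

```powershell
# Added example, not code from the original post: keep a security group in step with an OU.
# Assumptions: the ActiveDirectory module is installed, and the OU / group names are the
# ones used in the post. The function name and parameters are made up for this example.
Import-Module ActiveDirectory

function Sync-OUUsersToGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,                         # distinguished name of the OU
        [Parameter(Mandatory)] [string] $Group,                              # group name, SAM name or DN
        [ValidateSet('Subtree', 'OneLevel')] [string] $SearchScope = 'Subtree',
        [switch] $RemoveStale                                                 # also remove members no longer in the OU
    )

    # Only enabled accounts. A VPN group grants remote access, so a disabled or
    # stale account should not be swept in just because it still sits in the OU.
    # Subtree (the Get-ADUser default) also walks child OUs; OneLevel limits it to this OU.
    $wanted = @(Get-ADUser -SearchBase $SearchBase -SearchScope $SearchScope -Filter 'Enabled -eq $true')

    # Current direct members that are user objects (nested groups and computers are left alone).
    $current = @(Get-ADGroupMember -Identity $Group | Where-Object { $_.objectClass -eq 'user' })

    # Compare on distinguishedName, which is unique and stable for the comparison.
    $toAdd    = @($wanted  | Where-Object { $current.DistinguishedName -notcontains $_.DistinguishedName })
    $toRemove = @($current | Where-Object { $wanted.DistinguishedName  -notcontains $_.DistinguishedName })

    if ($toAdd.Count -gt 0) {
        # One call with the whole array instead of one directory write per user in ForEach-Object.
        # -WhatIf / -Confirm given to this function flow through to Add-ADGroupMember.
        Add-ADGroupMember -Identity $Group -Members $toAdd
        $toAdd | ForEach-Object { Write-Verbose "Added   $($_.SamAccountName)" }
    }

    if ($RemoveStale -and $toRemove.Count -gt 0) {
        # Off by default: groups often hold members who live outside the OU on purpose.
        # -Confirm:$false suppresses the per-call prompt; -WhatIf from the caller still applies.
        Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false
        $toRemove | ForEach-Object { Write-Verbose "Removed $($_.SamAccountName)" }
    }

    # Return a summary object so a scheduled task can log what each run changed.
    [pscustomobject]@{
        Group      = $Group
        SearchBase = $SearchBase
        Added      = @($toAdd.SamAccountName)
        Removed    = if ($RemoveStale) { @($toRemove.SamAccountName) } else { @() }
        Unchanged  = $wanted.Count - $toAdd.Count
    }
}

# Dry run first (prints "What if:" lines and changes nothing), then the real run.
Sync-OUUsersToGroup -SearchBase 'OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com' -Group 'SSLVPN Users' -Verbose -WhatIf
# Sync-OUUsersToGroup -SearchBase 'OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com' -Group 'SSLVPN Users' -Verbose
```

Because the function declares SupportsShouldProcess, -WhatIf and -Confirm on the function are inherited by the AD cmdlets it calls, so the dry run behaves exactly like the -WhatIf step in the post. Piping the summary object to Export-Csv -Append gives a simple change log for a scheduled run.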
References:
Get-ADUser http://technet.microsoft.com/en-us/library/ee617241.aspx
Add-ADGroupMember https://technet.microsoft.com/en-gb/library/ee617210.aspx
ForEach-Object https://technet.microsoft.com/en-us/library/hh849731.aspx
PowerShell Variables: http://www.computerperformance.co.uk/powershell/powershell_variables.htm
TechNet Magazine: https://technet.microsoft.com/en-us/magazine/ee677578.aspx
Related Posts:
1. PowerShell: Get-ADComputer to retrieve computer last logon date – part 1
2. PowerShell: Get-ADUser to retrieve logon scripts and home directories – Part 2
3. PowerShell: Get-ADUser to retrieve password last set and expiry information
4. PowerShell: Get-ADUser to retrieve disabled user accounts
If you found this post useful please Share, Like or leave a comment! Thanks, Carl.
Thank you for the great information.
What would the syntax be to add the users to multiple groups?
Thanks
A little late (only a year! Psh!), but it could look something like this:
Get-ADUser -SearchBase 'OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com' -Filter * | ForEach-Object {
    Add-ADGroupMember -Identity 'SSLVPN Users' -Members $_
    Add-ADGroupMember -Identity 'A Second Group' -Members $_
}
super helpful – now if I could figure out how to add on prem AD users to a 365 security group in a hybrid setup scenario!
Thanks Man. Great post! I was missing the iterator, and your instructions helped me figure it out.
How would I schedule this script to run, and add logging to it?
Very useful. Great Explanation. Thanks a lot!
Very helpful! Thanks a lot
Great page, useful and clearly written. Thanks
Very nice work.
I have a challenge and wanted to know before I dive in if it is even possible.
I wanted to have powershell scan AD, and automagically create a new Security Group names on the OU and then add all users in that OU to that security group…
—mydomain.com
—-Accounting
——-Joe Blow
——-Mo Blow
—-IT
—— Mike Rawks
——-Dave IT4Life
—-Developers
——- Steve Coder
——- Nick DevOps God
So powershell would scan down via the OU to Accounting, create a security group called Accounting and then auto add any user found below that into Accounting security group..
Is this even possible?
I expect it is possible, have a go and post the code for how far you get and if you get stuck I’ll try and take a look.
Cheers,
Carl
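The "one group per OU" idea in the question above can be done with the same module. What follows is an added example (neither the blog author's nor the commenter's code): it enumerates the child OUs of a base container with Get-ADOrganizationalUnit, creates a security group named after each OU if one does not already exist, and adds that OU's enabled users to it. The base DN follows the mydomain.com tree sketched in the question; the group container, the optional name prefix and the function name are my own assumptions.

```powershell
# Added example for the comment above; not code from the original post or its author.
# Assumptions: the ActiveDirectory module is installed, groups are created under a
# container you choose (-GroupPath), and the function/parameter names are made up here.
Import-Module ActiveDirectory

function New-GroupPerOU {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $BaseDN,        # parent whose child OUs get a group each
        [Parameter(Mandatory)] [string] $GroupPath,     # container / OU where new groups are created
        [string] $Prefix = ''                           # optional naming prefix, e.g. 'OU-'
    )

    # Direct children of $BaseDN only; use -SearchScope Subtree to walk the whole tree.
    $ous = Get-ADOrganizationalUnit -SearchBase $BaseDN -SearchScope OneLevel -Filter *

    foreach ($ou in $ous) {
        $groupName = "$Prefix$($ou.Name)"

        # Idempotent: reuse an existing group rather than failing on the second run.
        # Group names are domain-wide unique (sAMAccountName), so search the whole domain.
        $group = Get-ADGroup -Filter { Name -eq $groupName }
        if (-not $group) {
            if ($PSCmdlet.ShouldProcess($groupName, 'Create security group')) {
                $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                                     -Path $GroupPath -Description "Users of $($ou.DistinguishedName)" -PassThru
            }
            else {
                # Under -WhatIf there is no group to populate; report and move on.
                [pscustomobject]@{ OU = $ou.Name; Group = $groupName; Users = 0; Note = 'would be created' }
                continue
            }
        }

        # Enabled users in the OU and any nested OUs, same reasoning as the post's -Filter caveat.
        $users = @(Get-ADUser -SearchBase $ou.DistinguishedName -Filter 'Enabled -eq $true')
        if ($users.Count -gt 0) {
            # Whole array in one call; honours -WhatIf passed to this function.
            Add-ADGroupMember -Identity $group -Members $users
        }

        [pscustomobject]@{ OU = $ou.Name; Group = $groupName; Users = $users.Count; Note = '' }
    }
}

# Dry run against the tree from the question (base DN and group container are assumed names).
New-GroupPerOU -BaseDN 'DC=mydomain,DC=com' -GroupPath 'OU=Groups,DC=mydomain,DC=com' -WhatIf
```

Running it without -WhatIf creates Accounting, IT and Developers groups under the chosen container and fills each from its OU. If you later want the membership kept in step as people move between OUs, run the add step on a schedule and compare against Get-ADGroupMember before writing, rather than blindly re-adding every user on each run.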
Love the code, any chance you have a follow up which would check if users are still in that OU, and if not remove them from the group?