Today I picked up a request from an owner of a shared drive asking for a list of her colleagues to be given access to the drive. This required finding the right group in Active Directory and making each person a member of the group.
With a total of 25 people in the list I knocked up a PowerShell script to make things a little easier for myself. The idea was to import a list of login IDs (samAccountNames) from a CSV file and add them to the required group programmatically.
I started with a simple CSV file in Excel as below:
And the script itself is only a few lines of code:
# Import active directory module for running AD cmdlets
Import-module ActiveDirectory
#Store the data from UserList.csv in the $List variable
$List = Import-CSV .\UserList.csv
#Loop through user in the CSV
ForEach ($User in $List)
{
    #Add the user to the TestGroup1 group in AD
    Add-ADGroupMember -Identity TestGroup1 -Member $User.username
}
It was only after I tried running the script that I realised that PowerShell wasn’t installed on that particular server. The principle of “Least Privilege” came to mind and I thought it’s probably for the best for security purposes.
So in the end I added the users to the group in batches of 5 by separating the samAccountNames using semicolons as shown below:
Having written the script I didn’t want it to go to waste, hence this post :)
PS. I tested the script in my own lab at home and it works just fine
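A variant of the script above that confirms each account exists before adding it, skips accounts that are already members, and records the outcome of every row, so the access change leaves an audit trail. This is an added example, not the original script: the function name Add-CsvUsersToGroup, the log path and the sample account names are assumptions, and it uses the full parameter name -Members.

```powershell
Import-Module ActiveDirectory

function Add-CsvUsersToGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [object[]] $Rows,         # rows with a 'username' column
        [Parameter(Mandatory)] [string]   $GroupName,
        [string] $LogPath = '.\GroupMembership-Log.csv'  # hypothetical log file
    )
    # Stop before touching anything if the group name is wrong
    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    # Direct members only; used to skip accounts that already have access
    $existing = @(Get-ADGroupMember -Identity $group | ForEach-Object SamAccountName)

    $results = foreach ($row in $Rows) {
        # Spreadsheet exports can carry stray spaces; 'jdoe ' is not found as an identity
        $name = "$($row.username)".Trim()
        if (-not $name) { continue }
        $status = 'Added'
        try {
            $user = Get-ADUser -Identity $name -ErrorAction Stop
            if ($existing -contains $user.SamAccountName) {
                $status = 'AlreadyMember'
            } elseif ($PSCmdlet.ShouldProcess($name, "Add to $GroupName")) {
                Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
            } else {
                $status = 'NotApplied'   # -WhatIf or a declined confirmation
            }
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Time = Get-Date -Format s; User = $name; Group = $GroupName; Status = $status }
    }
    # Write the log even during a -WhatIf run
    $results | Export-Csv -Path $LogPath -NoTypeInformation -Append -WhatIf:$false
    $results
}

# Constructed sample input (not real accounts); the first value has a trailing space
$rows = @'
username
"jdoe "
asmith
no.such.user
'@ | ConvertFrom-Csv

# Dry run: reports what would change without modifying the group
Add-CsvUsersToGroup -Rows $rows -GroupName 'TestGroup1' -WhatIf
```

Drop -WhatIf to apply the changes; rows that fail stay in the log with the error message from the directory lookup or the add.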
This may actually come in useful for me.. Cheers!
Wow! Didn’t know you still visited my blog. Thanks for commenting.
I’m actually working to improve this to check if the user accounts exist in AD first and then report this in a log file.
do you have the enhanced script?
Sorry, mate, never did get round to finishing it
# Error Get-ADGroupMember : Cannot find an object with identity: ‘ROLE’ under: ‘DC=xxxxx,DC=net’.
using
#if (Get-ADGroup -Identity $GroupAD)
OK using
if (Get-ADGroup -Identity $GroupAD -Server $ServerAD)
Environment: 2 domains.. ADForest
I get an error that it can’t find the user.
Add-ADGroupMember : Cannot find an object with identity: ‘jdoe ‘ under: ‘DC=XXXX,DC=local’.
My users are in a non-standard OU a few levels deep. Is there something I need to do in order to tell the script where they are? My CSV is constructed like yours–Username and then a list of the samaccount names.
Sounds like you’re possibly passing jdoe as the name of the group – make sure you don’t have the name of the group and usernames the wrong way around.
Add-ADGroupMember -Identity ENTER-GROUP-NAME-HERE -Member $User.username
Enter the name of the security group after -identity
Thank you! Worked perfectly
I can’t even get this to work. For one -Member isn’t relevant, it should be -Members but I can’t tell where .username is supposed to come from.
Thanks. Have added a bulk of users in a security group
Try this it works perfect:
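# Group that the accounts will be added to
$grp = 'GIT_GS_AMU_Windows7_Object'
Import-Module ActiveDirectory
# One account name per line
$comps = Get-Content names.txt
$grpDN = (Get-ADGroup $grp).DistinguishedName
foreach ($comp in $comps)
{
    # Resolve each name to its AD user object, then add it to the group
    $dns = Get-ADUser $comp
    $b = $dns.DistinguishedName
    Add-ADGroupMember -Identity $grpDN -Member $dns
}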
THANK YOU. IT WORKED!
Nice! Thank you, this made my current task a lot easier. And if you want to Remove a list of users from the same group, I found that the following works a treat as well:
#Import active directory module for running AD cmdlets
Import-module ActiveDirectory
#Store the data from user.csv in the $List variable
$List = Import-CSV .\user.csv
#Loop through user in the CSV
ForEach ($User in $List)
{
#Remove the user from the SecurityGroup group in AD
Remove-ADGroupMember -Identity SecurityGroup -Member $User.username -Confirm:$false
}
The “-Confirm:$false” will prevent the script from prompting you to confirm each time it goes to remove a user, very useful when dealing with a very large list of user accounts.
I came here looking for a solution. I had all the members’ emails in an Excel doc column. I ended up copying and pasting them into a text application, then added “; ” between each member. I then copied and pasted the whole string into ADUC, into the group’s “Enter the object names to select” field, then selected the “Check Names” button and it worked.
Thank You it is useful for me