I have figured out how to add active directory groups to a user using the following command
Add-ADGroupMember -Identity "Group Name" -Members "UserName"
Is there a way to add multiple groups to a user or multiple users to a group? I have tried comma separating the users and groups but it doesn't seem to work.
get-aduser username | Add-ADPrincipalGroupMembership -MemberOf "group1","group2"
Related
We have 3 Domains connected through a trust, and I need to remove a user from multiple groups, including some that are in those other Domains.
I can see all groups through the command:
(Get-ADGroup -Server $Domain -Filter *).SamAccountName
Receiving this information in a variable, where I make a FOREACH, to use in each group, the command:
Remove-ADGroupMember -Server $Domain -Identity "$group" -Members $User -Confirm:$false -Credential $Credential
But this does not work for when I need to remove a user who belongs to another domain.
I tried to pass the user with parameters like:
B\User
User ObjectGUID
User SID
But it does not work.
How do I remove a user belonging to domain B from a domain group A?
Remembering that there is a relationship of trust between them.
I'm trying to remove all computers from the wk_test security group and then add all the computers in the default 'Computers' container in AD to the (now-empty) wk_test security group.
However, I don't want to export the computers to a list and then import them back into the security group.
I have the first part of the script working properly, and it removes the computers from the wk_test group with no errors. My issue is adding the computers to the wk_test group from the "computers" container.
Remove-ADGroupMember "wk_test" -Members (Get-ADGroupMember "wk_test") -Confirm:$false
Add-ADGroupMember -Identity "wk_test" -Members (Get-ADComputer -SearchBase "CN=computers,DC=ad,dc=org") -filter*
I think the main problem is that I am attempting to copy from the computers container. Most of the advice on the internet refers to copying from an OU and not a container.
The Add-ADGroupMember documentation says:
You cannot pass user, computer, or group objects through the pipeline to this cmdlet.
Which I think is what you are trying to do.
I've used this method before to add computers from an OU to a group:
Get-ADComputer -SearchBase "CN=computers,DC=ad,dc=org" -Filter * | foreach {Add-ADGroupMember "wk_test" -Members $_.DistinguishedName }
But I think you could also modify your code like this, but I've not tested this as I'm not on domain at the moment.
$Computers = Get-ADComputer -SearchBase "CN=computers,DC=ad,dc=org" -filter* | select -ExpandProperty DistinguishedName
Add-ADGroupMember -Identity "wk_test" -Members $Computers
If you are moving them, why not use Move-ADObject.
So it would be:
Get-ADGroupMember "wk_test" | Move-ADObject -TargetPath <ou path>
I can't seem to display groups of an active directory security group. I use the command
get-adgroupmember $group -server $serverName.
It doesn't return an error. It just returns empty results.
So i tried the command
get-adgroup $group -server $serverName -properties memberof
The memberof section is blank.
The one thing that stands out about this security group is that they were originally from another forest. We converted them over to the new forest with sidhistory in place.
The groups show up in "active directory for user and computers" gui. Any thoughts?
Group members added as external contacts , will always escape from get-adgroupmember .
Antidot is
get-adgroup "groupname" -properties member | select -expand member | get-adobject
you are missing the -Identity
get-adgroupmember -Identity $group -Server $serverName | Select SamAccountName
I'm building a script to automate AD deployments for customers. We have a prepared list of users and groups in CSV files. The groups are organized in a file with the following format. Keep in mind that I'm using the same CSV file to create the AD groups (which happens in a previous step).
Name,Description,Members
GroupName,GroupDescription,"user1,user2,user3"
The code I'm using to add the users to the groups is below:
$groups = Import-CSV -Path $groupCSVPath
$groups | % { Add-ADGroupMember -Identity $_.Name -Members $_.Members }
This results in an error: Get-ADUser : Cannot find an object with identity: 'user1,user2,user3'.
If I attempt the following, it works:
Add-ADGroupMember -Identity "GroupName" -Members user1,user2,user3
The error appears to reference the Get-ADUser command, which does not accept arrays as inputs. However, the Add-ADGroupMember command does. Why am I getting the Get-ADUser error when using the Add-ADGroupMember command and how can I get it to accept an array of values for the AD Username?
Tricky one. The problem turned out to be that the $_.members parameter is being passed to the Add-ADGroupMember cmdlet as a single string rather than an array of separate values, because of the way Import-CSV works. Get-Help Add-ADGroupMember shows that the members parameter expects an array, not a string.
This should work, I've tested it:
$groups | % { Add-ADGroupMember -Identity $_.Name -Members $_.members.split(',') }
I have the following line of code in a PowerShell file, intended to remove a user from all Active Directory groups beginning with an # symbol;
Get-ADGroup -Filter 'name -like "#*"' | Remove-ADGroupMember -Members $UserID
It actually works fine, and successfully removes them from the correct groups, however the script locks my admin account every time it's run. Weird!
From trawling the internet for a while, I suspect it's something to do with it 'using up' my Kerberos authentication tokens (it uses too many, as it runs for every single AD group beginning with #), or it thinks I'm trying to do something malicious because I'm sending such a large amount of commands in a short time?
Is there a way for me to amend this line of code, so that instead of running Remove-ADGroupMember for every single # group in the Active Directory, it only runs for the groups that the user is a member of? Or any other ideas?
Thank you.
Try this:
$groups = Get-ADPrincipalGroupMembership $user | where {$_.name -like "#*"} | select -expandproperty name
foreach($group in $groups){
Remove-ADGroupMember -identity $group -Members $user
}
It will only looking for the groups that the $user is a member in so you should be fine token wise.
Don't forget to change $user with user name or fill the variable beforehand.
Hmm, I don't have an AD infrastructure at home, but it looks like your example has nothing defining $UserID.