How to copy Office 365 group membership to another group? - powershell

I'm hoping there is a PowerShell command that can copy the group membership of an O365 group to a different O365 group. I got this from the web, but it's not working because my source group "is not a valid mailbox recipient."
Get-DistributionGroupMember -Identity "Source Group Name" |% {Add-DistributionGroupMember -Identity "Destination Group Name" -Member $_.PrimarySmtpAddress}

Try this:
$members = Get-DistributionGroupMember -Identity "Source Group Name"
Add-DistributionGroupMember -Identity "Destination Group Name" -Member $members
if that doesn't work:
$members = Get-DistributionGroupMember -Identity "Source Group Name"
foreach ($item in $members) {
    Add-DistributionGroupMember -Identity "Destination Group Name" -Member $item
}
All depends on if the -Member parameter accepts an array or a single object. The documentation for the cmdlet is specific to Exchange, not Office 365, and could be a little dated. The documentation seems to indicate the -Member parameter will not accept an array of objects, so I suspect you'll have to use the 2nd approach.

This might be well known, but for those searching for this answer in the future, an Office 365 group is called a Unified Group in powershell. So I ended up figuring out how to do it with the below code:
# -LinkType is a required parameter of Get-UnifiedGroupLinks (Members, Owners, Subscribers, ...)
$members = Get-UnifiedGroupLinks -Identity "Source O365 Group Name" -LinkType Members
foreach ($item in $members) {
    Add-UnifiedGroupLinks -Identity "Destination O365 Group Name" -LinkType Members -Links $item.PrimarySmtpAddress
}
Thanks for your help in constructing the code Zack A!
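An added example, not the poster's code, that extends the accepted approach: it copies both the Members and the Owners links of a Microsoft 365 (Unified) group and skips links the destination already has, so it can be re-run safely. It assumes an existing Exchange Online session; the two group names are placeholders.

```powershell
# Added example (not from the thread): idempotent copy of Members and Owners
# from one Microsoft 365 group to another. Assumes Connect-ExchangeOnline was run.
$Source      = 'Source O365 Group Name'        # placeholder
$Destination = 'Destination O365 Group Name'   # placeholder

# Owners of a Microsoft 365 group must also be members, so Members is processed first.
foreach ($linkType in 'Members', 'Owners') {
    $wanted  = Get-UnifiedGroupLinks -Identity $Source -LinkType $linkType -ResultSize Unlimited
    $present = Get-UnifiedGroupLinks -Identity $Destination -LinkType $linkType -ResultSize Unlimited |
               ForEach-Object { $_.PrimarySmtpAddress.ToString() }

    foreach ($link in $wanted) {
        $smtp = $link.PrimarySmtpAddress.ToString()
        if ($present -contains $smtp) {
            Write-Verbose "$smtp is already a $linkType link of $Destination"
            continue
        }
        Add-UnifiedGroupLinks -Identity $Destination -LinkType $linkType -Links $smtp
        Write-Host "Added $smtp as $linkType of $Destination"
    }
}
```

Run it with -Verbose (or set $VerbosePreference) to see which links were skipped; because it only adds what is missing, running it twice produces no duplicate-link errors.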

Related

Bulk Disable PowerShell Script Not Executing

I am kinda new to powershell and started a role in support. Working on a powershell script that will do the following things:
Disable a user account
Remove all AD Groups except for Domain Users
Edit the description
Move AD object to a disabled users OU
I think I can probably change the "$TargetOU = OUPath" because the disabled users OU is never really going to change... if that's the issue then I'll feel like a dummy lol.
I am trying and failing to complete this! I don't know what is going wrong. PowerShell isn't faulting out or anything, it is just not executing?
Thank you for any help!
My code is here:
Import-Module ActiveDirectory
$TargetOU = "OU=DisabledUsers"
Import-Csv "C:temp\DisableTest.csv" | ForEach-Object {
    $samAccountName = $_."samAccountName"
    Get-AdPrincipalGroupMembership -Identity $samAccountName {Where-Object -Property Name -Ne -Value 'Domain Users' | Remove-AdGroupMember -Members $samAccountName}
    Get-ADUser -Identity $samAccountName | Disable-ADAccount
    Get-ADUser -Identity $samAccountName -Description "Disabled Per Request XXXX"
    Move-ADObject -Identity $UserDN -TargetPath $TargetOU
}
Need it to do four things:
Disable a user account
Remove all AD Groups except for Domain Users
Edit the description
Move AD object to a disabled users OU
You have several issues:
$TargetOU = "OU=DisabledUsers"
This should be the full distinguished name, so something like OU=DisabledUsers,DC=example,DC=com
Get-AdPrincipalGroupMembership -Identity $samAccountName {Where-Object -Property Name -Ne -Value 'Domain Users' | Remove-AdGroupMember -Members $samAccountName}
The syntax here is messed up. You want to pipe (|) the results from Get-AdPrincipalGroupMembership into Where-Object, but you have braces ({). The closing brace at the end of the line is thus unnecessary. The Where-Object cmdlet also lets you simplify the syntax to something more readable, like Where Name -ne 'Domain Users'.
Get-ADUser -Identity $samAccountName -Description "Disabled Per Request XXXX"
This should be Set-ADUser, which explains why this isn't changing anything.
Move-ADObject -Identity $UserDN -TargetPath $TargetOU
You haven't defined $UserDN, so it's not going to find the user. And as already mentioned, the target path should be the full distinguished name.
You're also looking up the account several times. Every time you pass just the username, it has to search for the account. As you have it, it would be searching for the account 5 times. You can avoid that (and speed things up) by calling Get-ADUser once and passing the result into each of the other commands.
And just for simplicity, you can omit -Identity since the first parameter is assumed to be the identity.
Putting everything together, it would look something like this:
Import-Module ActiveDirectory
$TargetOU = "OU=DisabledUsers,DC=example,DC=com" #Change this to the real value
Import-Csv "C:\temp\DisableTest.csv" | ForEach-Object {
    $user = Get-ADUser $_."samAccountName"
    # -Confirm:$false so Remove-ADGroupMember does not stop to prompt for every group
    Get-ADPrincipalGroupMembership $user | Where Name -ne 'Domain Users' | Remove-ADGroupMember -Members $user -Confirm:$false
    Disable-ADAccount $user
    Set-ADUser $user -Description "Disabled Per Request XXXX"
    Move-ADObject $user -TargetPath $TargetOU
}
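An added example, not the answerer's script, that does the same four steps but records what was changed for each account (the original DN and the groups that were stripped) in a CSV, so an offboarding can be audited or reversed. It uses $ErrorActionPreference = 'Stop' so a failure on one account is caught and logged instead of silently continuing; the OU, file paths and description text are placeholders.

```powershell
# Added example (not from the thread): bulk disable with an audit log per account.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'   # make AD cmdlet errors terminating so try/catch sees them

$TargetOU = 'OU=DisabledUsers,DC=example,DC=com'   # placeholder
$Csv      = 'C:\temp\DisableTest.csv'               # placeholder, one samAccountName column
$LogPath  = 'C:\temp\DisableTest-log.csv'           # placeholder

$log = foreach ($row in Import-Csv -Path $Csv) {
    $sam = $row.samAccountName
    try {
        # One directory lookup per account; the object carries the DN needed for the move
        $user = Get-ADUser -Identity $sam

        # Capture the group list before removing anything so it can be restored if needed
        $groups = @(Get-ADPrincipalGroupMembership -Identity $user |
                    Where-Object { $_.Name -ne 'Domain Users' })
        foreach ($g in $groups) {
            Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
        }

        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description 'Disabled Per Request XXXX'
        Move-ADObject -Identity $user -TargetPath $TargetOU

        [pscustomobject]@{
            SamAccountName = $sam
            OriginalDN     = $user.DistinguishedName
            RemovedGroups  = ($groups.Name -join ';')
            Status         = 'OK'
        }
    }
    catch {
        [pscustomobject]@{
            SamAccountName = $sam
            OriginalDN     = ''
            RemovedGroups  = ''
            Status         = "FAILED: $($_.Exception.Message)"
        }
    }
}
$log | Export-Csv -Path $LogPath -NoTypeInformation
```

The log row is built after the move, but OriginalDN is taken from the object fetched before it, so the CSV shows where each account came from; the RemovedGroups column lists the group names separated by semicolons.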

Export all disabled DL members to CSV

I have an issue I've not been able to work through and I'm hoping I can get assistance. I've taken over management of 15,000+ AD user accounts and almost 1500 o365 distribution groups. I have been trying to build a command or script to query all distribution groups and export a list of user accounts that are members and do not have a mailbox.
I was able to get a working script that will find and remove them all however it is keying of disabled user accounts which would remove members that should not be. I only need group members removed that do not have a mailbox in o365. Ideally, I'd like to query the groups and export the list of group members without a mailbox to a CSV and include Name, AccountName and AccountDisabled. Any assistance would be appreciated.
Failed attempt:
$dg = Get-DistributionGroup
foreach ($group in $dg) {
    Get-DistributionGroupMember -Identity $group.identity | ?{ $_.recipienttype -eq 'UserMailbox' } |
    foreach {
        $mbx = Get-Mailbox $_.alias
        if ($_.name -eq $mbx.name -and $mbx.AccountDisabled -eq $true) {
            write-host "Removing User:" $_.alias "from group:" $group.identity
            remove-distributiongroupmember -Identity $group.Identity -Member $_.alias -Confirm:$false
            Write-Host "User Successfully Removed"
        }
    }
}
This is the command I found which will output the user and group name to the screen and remove the group member however it is keying off disabled AD User accounts and it's outputting it in a format that won't export to csv.
Thank you
Pat
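An added example, not the poster's script, for the reporting step the question asks for: it lists every distribution group member that has no mailbox and writes Group, Name, AccountName, RecipientType and AccountDisabled to a CSV, without removing anything. It assumes an existing Exchange Online session; $OutFile is a placeholder path. Rather than calling Get-Mailbox once per member (slow across 1500 groups), it loads all mailboxes once into a hashtable keyed by SMTP address.

```powershell
# Added example (not from the thread): report DL members that have no mailbox.
$OutFile = 'C:\temp\DL-members-without-mailbox.csv'   # placeholder

# Index all mailboxes once by primary SMTP address
$mailboxes = @{}
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mailboxes[$_.PrimarySmtpAddress.ToString().ToLower()] = $true
}

$report = foreach ($group in Get-DistributionGroup -ResultSize Unlimited) {
    $members = Get-DistributionGroupMember -Identity $group.Identity -ResultSize Unlimited
    foreach ($m in $members) {
        # Nested groups and contacts never have a mailbox; skip rather than report them
        if ($m.RecipientType -like '*Group' -or $m.RecipientType -like '*Contact') { continue }

        $smtp = if ($m.PrimarySmtpAddress) { $m.PrimarySmtpAddress.ToString().ToLower() } else { '' }
        if ($smtp -and $mailboxes.ContainsKey($smtp)) { continue }   # has a mailbox, not of interest

        # Get-User resolves mail-enabled and plain users alike and exposes AccountDisabled
        $u = Get-User -Identity $m.Identity -ErrorAction SilentlyContinue
        $accountName     = if ($u) { $u.UserPrincipalName } else { '' }
        $accountDisabled = if ($u) { $u.AccountDisabled } else { '' }

        [pscustomobject]@{
            Group           = $group.PrimarySmtpAddress
            Name            = $m.Name
            AccountName     = $accountName
            RecipientType   = $m.RecipientTypeDetails
            AccountDisabled = $accountDisabled
        }
    }
}
$report | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Wrote $(@($report).Count) row(s) to $OutFile"
```

Because the selection is "no mailbox" rather than "account disabled", disabled users who still have a mailbox are not listed; a removal pass can then read the reviewed CSV and feed its Group/Name pairs to Remove-DistributionGroupMember, which is the part the poster already has.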

Script to copy Exchange Distribution Groups from one user to another

I am hoping to get some help with a script to copy Exchange group permissions from one user to another. I currently have a script that works to copy mailbox permissions from one user to another but would like to expand it so that it can do Distribution Groups as well.
Connect-ExchangeOnline
$FUser = Read-Host "Enter the email address of the user you want to copy mailbox permissions from"
$TUser = Read-Host "Enter the email address of the user you want to set mailbox permissions for"
$GPerm = Get-Mailbox | Get-MailboxPermission -User $FUser
$GPerm | ForEach-Object { $_
    Add-MailboxPermission -Identity $_.Identity -AccessRights FullAccess -InheritanceType All -User $TUser
    Add-RecipientPermission -Identity $_.Identity -AccessRights SendAs -Confirm:$false -Trustee $TUser
}
While looking online I found a similar question asked by someone else, but their question was about copying the DL members from one DL to another.
Get-DistributionGroupMember -Identity "A" | % {add-distributiongroupmember -Identity "B" -Member $_.Name}
Additionally, I was able to find a script working to remove the permissions for DLs, but it didn't work if I changed the parts from remove to add. The script isn't for what I am looking for anyway, as removing permissions and copying are two different things.
Thanks,
daaqis
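An added example, not the poster's script, for the distribution-group half of the request: it finds every static distribution group the source user belongs to and adds the target user to each, skipping groups the target is already in. It assumes an existing Exchange Online session and uses a server-side filter on the group's Members attribute (which holds distinguished names) instead of enumerating the members of all groups in the tenant.

```powershell
# Added example (not from the thread): copy a user's distribution group memberships to another user.
$FUser = Read-Host "Enter the email address of the user to copy group memberships from"
$TUser = Read-Host "Enter the email address of the user to add to those groups"

$source = Get-Recipient -Identity $FUser -ErrorAction Stop
$target = Get-Recipient -Identity $TUser -ErrorAction Stop

# The Members attribute stores DNs; a single quote in the DN must be doubled inside the filter string
$dn     = $source.DistinguishedName -replace "'", "''"
$groups = Get-DistributionGroup -ResultSize Unlimited -Filter "Members -eq '$dn'"

foreach ($g in $groups) {
    $current = Get-DistributionGroupMember -Identity $g.Identity -ResultSize Unlimited |
               ForEach-Object { $_.DistinguishedName }
    if ($current -contains $target.DistinguishedName) {
        Write-Host "$TUser is already a member of $($g.DisplayName)"
        continue
    }
    Add-DistributionGroupMember -Identity $g.Identity -Member $target.Identity
    Write-Host "Added $TUser to $($g.DisplayName)"
}
```

Get-DistributionGroup does not return dynamic distribution groups (their membership is computed from a filter) or Microsoft 365 groups (use Get-UnifiedGroupLinks for those). If a group is owned by someone else, Add-DistributionGroupMember needs -BypassSecurityGroupManagerCheck when run by an admin who is not listed in ManagedBy.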

Get-ADUser using old pre-Windows 2000 Logon name instead of CN

I'm trying to use Add-ADGroupMember cmdlet in PowerShell, but I've realized PS doesn't recognize the object if I use the CN, and it only seems to recognize the pre-Windows 2000 logon name.
That attribute had a character limitation of 20 characters, so some of our accounts have different CNs and Pre-Windows 2000 logon names.
My whole process is:
Step 1: Get a list of my users (this gives me the legacy pre-Windows 2000 logon names):
Get-ADUser -Filter {department -notlike "Field"} -SearchBase "OU=Accounts,OU=HQ,OU=Production,DC=MYDC,DC=MYDC1,DC=MYDC2" -Properties department | select name | Out-file C:\Users\Public\Users.txt
Step 2: Add those users to my security group:
$UserList = Get-Content "C:\Users\Public\Users.txt"
$GroupName = "MY-SEC-Group"
$Members = Get-ADGroupMember -Identity $GroupName -Recursive | Select -ExpandProperty SAMAccountName
ForEach ($user in $UserList)
{
    If ($Members -contains $user)
    {
        Write-Host "$user is member of $GroupName"
    }
    Else
    {
        Write-Host "$user is not a member. Attempting to add now, run script again for verification"
        Add-ADGroupMember -Identity $GroupName -Members $User
    }
}
For all accounts where the legacy logon name and the CN are the exact same, there are no issues. But in situations where they are different, I get the error "Object not found".
Is there a better/more up-to-date cmdlet to use? Maybe one that relies on the CN instead of the legacy logon name? Or do I need to add in CN to all my scripts now?
Get-ADGroupMember returns objects that point to the concrete user in Active Directory and contain different fields including distinguishedName, SamAccountName, SID, Name and so on. In your code you create a txt file with Names (not SamAccountName) but use SamAccountName in Get-ADGroupMember. So, you just compare names with SamAccountName values (that's incorrect).
Just replace
select name | Out-file C:\Users\Public\Users.txt
with
select SamAccountName | Out-file C:\Users\Public\Users.txt
SamAccountName (just as SID) is the unique attribute in AD -
https://blogs.technet.microsoft.com/389thoughts/2017/02/03/uniqueness-requirements-for-attributes-and-objects-in-active-directory/ so, you should use it in your code.
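An added example, not the poster's or the answerer's script, that runs both steps with SamAccountName throughout. Two details beyond the answer: Select-Object -ExpandProperty is used so the text file contains only logon names (a plain Select writes a header and separator row that Get-Content would later feed to Add-ADGroupMember), and each missing account is resolved by SamAccountName before the add, so a CN that differs from the logon name no longer matters. The search base, group name and file path are placeholders.

```powershell
# Added example (not from the thread): populate a group from an OU using SamAccountName only.
Import-Module ActiveDirectory

$SearchBase = 'OU=Accounts,OU=HQ,OU=Production,DC=MYDC,DC=MYDC1,DC=MYDC2'   # placeholder
$GroupName  = 'MY-SEC-Group'                                               # placeholder
$UserFile   = 'C:\Users\Public\Users.txt'                                  # placeholder

# Step 1: write one logon name per line, no header or separator rows
Get-ADUser -Filter { department -notlike 'Field' } -SearchBase $SearchBase -Properties department |
    Select-Object -ExpandProperty SamAccountName |
    Out-File -FilePath $UserFile

# Step 2: add whoever is not yet a member (nested membership counts, as in the original script)
$UserList = Get-Content -Path $UserFile | Where-Object { $_.Trim() }
$Members  = Get-ADGroupMember -Identity $GroupName -Recursive | Select-Object -ExpandProperty SamAccountName

$missing = @($UserList | Where-Object { $Members -notcontains $_ })
foreach ($sam in $missing) {
    # Resolve by the unique attribute first so a stale entry is reported rather than failing the add
    $user = Get-ADUser -Filter { SamAccountName -eq $sam }
    if (-not $user) { Write-Warning "No account with SamAccountName '$sam'"; continue }
    if ($user.Name -ne $sam) { Write-Verbose "$sam has a different CN: '$($user.Name)'" }
    Add-ADGroupMember -Identity $GroupName -Members $user
    Write-Host "Added $sam to $GroupName"
}
Write-Host "$($missing.Count) account(s) were missing from $GroupName"
```

The comparison and the add both use SamAccountName, the attribute the answer links to as unique, so the CN versus pre-Windows 2000 name mismatch described in the question cannot occur.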

How to add various groups to the computers in OU?

I need to add various applications groups to the computers in an OU, that will be pushed out later. In AD, I go to OU, right click on the respective computer and click properties and then go to "member of" tab, and then add the various groups.
How can I automate these steps using PowerShell, so that it will apply these groups to all the computers in that OU?
Import-Module ActiveDirectory
$allComputers = @()
$ADgroup = "Computer Policy Application Group"
$theOU = [ADSI]"LDAP://OU=AnOU,DC=some,DC=test,DC=com"
foreach ($item in $theOU.psbase.Children) {
    if ($item.ObjectCategory -like '*computer*') {
        # Collect the distinguished name: a computer's Name is not its SamAccountName (which ends in $)
        $allComputers += $item.psbase.Properties['distinguishedName'][0]
    }
}
foreach ($pc in $allComputers) {
    Add-ADGroupMember $ADgroup $pc
}
Then of course, you can add more groups, or set up an array of groups and iterate through it adding as you go... This will throw a lot of errors if the computer is already part of the group, by the way.
If you are using Server 2008 or newer (or have the required components installed) this is the simplest solution I have found.
$ADServer = "dc01.company.com"   # domain controller to target (placeholder, set to your own)
$groupList = @("group1","group2","group3")
foreach ($Comp in (Get-ADComputer -Server $ADServer -SearchBase "OU=computers,DC=company,DC=com" -SearchScope OneLevel -Filter *)) {
    foreach ($Group in $groupList) { Add-ADGroupMember -Identity $Group -Members $Comp -Server $ADServer }
}
Be sure to populate the $groupList variable with an array of the samaccountnames of the groups you wish to add, and to replace "OU=computers,DC=company,DC=com" with the LDAP Path to the OU containing the computers you wish to add permissions to.
Using the ActiveDirectory module, you can either use Add-ADPrincipalGroupMembership or Add-ADGroupMember.
The former 'Adds a member to one or more Active Directory groups' whilst the latter 'Adds one or more members to an Active Directory group'.
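An added example, not from any of the answers above, that uses Add-ADPrincipalGroupMembership (the "one member, many groups" direction the last answer mentions) and checks each computer's MemberOf first, so re-running it does not produce the "already a member" errors the first answer warns about. The OU, group names and server are placeholders.

```powershell
# Added example (not from the thread): add all computers in an OU to several groups, idempotently.
Import-Module ActiveDirectory

$OU        = 'OU=computers,DC=company,DC=com'   # placeholder
$GroupList = 'App-Group-1', 'App-Group-2'        # placeholder group SamAccountNames
$ADServer  = 'dc01.company.com'                  # placeholder

# Resolve the groups once; MemberOf on a computer object holds group distinguished names
$groupDNs = foreach ($g in $GroupList) {
    (Get-ADGroup -Identity $g -Server $ADServer).DistinguishedName
}

$computers = Get-ADComputer -Filter * -SearchBase $OU -SearchScope OneLevel -Server $ADServer -Properties MemberOf
foreach ($pc in $computers) {
    $needed = @($groupDNs | Where-Object { $pc.MemberOf -notcontains $_ })
    if ($needed.Count -eq 0) {
        Write-Verbose "$($pc.Name) is already in every listed group"
        continue
    }
    # One call per computer adds it to every group it is still missing from
    Add-ADPrincipalGroupMembership -Identity $pc -MemberOf $needed -Server $ADServer
    Write-Host "$($pc.Name): added to $($needed.Count) group(s)"
}
```

Querying and writing through the same -Server keeps the MemberOf check and the add on one domain controller, so the pre-check is not defeated by replication lag between DCs.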