PowerShell – How to Copy Active Directory Group Memberships

One of the biggest time-sinks in user onboarding isn’t just creating the account; it’s getting the permissions right. A new employee can’t do their job if they don’t have access to the right folders, applications, and resources. In most companies, this access is managed through Active Directory groups, and manually adding a new user to dozens of groups is a tedious and error-prone process.

The best practice I’ve always followed is to use a “template user”—an existing employee in the same role—and copy their group memberships. This Tiny PowerShell Project automates that exact process. It’s a lifesaver that turns a frustrating, click-heavy task into a quick, reliable script, ensuring new users are productive from day one.

The PowerShell Script for Copying Groups

This script prompts you for a template user and a target user, confirms your selection, and then copies all group memberships from one to the other.

PowerShell

# Import the Active Directory module
Import-Module ActiveDirectory

# --- Create a Menu to Get User Info ---
$Copy_From = Read-Host "Enter the username to copy groups FROM (template user)"
$Copy_To = Read-Host "Enter the username to copy groups TO (new user)"

# --- Confirm the Action with Conditional Logic ---
Write-Host "`nYou are about to copy all group memberships from '$Copy_From' to '$Copy_To'."
$Confirmation = Read-Host "Are you sure you want to proceed? (y/n)"

if ($Confirmation -like "y*") {
    # --- Get the Template User's Groups ---
    Write-Host "`nGetting group memberships from $Copy_From..."
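    try {
        # -ErrorAction Stop turns a failed lookup into a terminating error for the catch block
        $Groups = (Get-ADUser -Identity $Copy_From -Properties MemberOf -ErrorAction Stop).MemberOf

        if (-not $Groups) {
            Write-Host "User $Copy_From is not a member of any groups."
            return   # end the script here without closing the PowerShell session
        }

        # --- Loop Through and Add Groups to the New User ---
        Write-Host "Adding $Copy_To to the following groups:"
        $Failed = 0
        foreach ($Group in $Groups) {
            Write-Host "- $Group"
            try {
                Add-ADGroupMember -Identity $Group -Members $Copy_To -ErrorAction Stop
            }
            catch {
                # Report the failure and continue, so one bad group does not abort the rest
                $Failed++
                Write-Host "  Failed: $_"
            }
        }

        Write-Host "`nProcess complete. $Failed group(s) could not be added."
    }
    catch {
        Write-Host "An error occurred: $_"
    }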
}
else {
    # --- Action for Non-Confirmation ---
    Write-Host "`nOperation cancelled by user."
}

How the Script Works: Understanding Conditional Logic

The most important new skill in this script is conditional logic. This is what allows a script to make decisions and perform different actions based on certain conditions. In my experience, mastering this is the key to unlocking real automation power.

The If/Else Statement

The most basic form of conditional logic is the if statement. Think of it like teaching a computer to drive: “If the light is green, go.” If the condition inside the parentheses () is true, the code inside the curly braces {} is executed.

We can make this more powerful by adding an else block: “If the light is green, go. Otherwise, stop.” This gives our script two distinct paths to follow. This is a fundamental concept in almost every programming language, including Python.

In our script, we use an if/else block as a crucial safety check:

PowerShell

if ($Confirmation -like "y*") {
    # The user confirmed, so we proceed with copying the groups.
    # All the main logic goes here...
}
else {
    # The user entered something else, so we cancel the operation.
    Write-Host "`nOperation cancelled by user."
}

The -like "y*" operator checks if the user’s input starts with the letter “y” (case-insensitive). This is a user-friendly way to accept “y”, “yes”, or “Y” as confirmation.

Breaking Down the Script’s Logic

With conditional logic in place, let’s look at how the main part of the script functions.

  1. Get Template User’s Groups: To find out which groups our template user is in, we use Get-ADUser. The key here is the -Properties MemberOf parameter, which tells the cmdlet to retrieve the list of groups the user belongs to. We then access this list and store it in our $Groups variable.
  2. Loop Through the Groups: The $Groups variable is an array, a collection holding the distinguished name (DN) of each group the template user belongs to. We use a ForEach loop to iterate through this array, processing one group at a time. The loop takes each item from the $Groups array and temporarily assigns it to the $Group variable for use inside the loop.
  3. Add Target User to Each Group: Inside the loop, we use the Add-ADGroupMember cmdlet. This is the command that does the actual work. For each iteration, it adds our target user ($Copy_To) to the current group ($Group) from the list.
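
Copying every group from a template user also copies any privileged memberships that account has accumulated, so a preview and a filter are worth adding before the Add-ADGroupMember step. The following is an added example, not part of the original script: the function name Copy-ADGroupMembershipSafely and its parameters are hypothetical, and treating adminCount = 1 as the marker for a privileged group is an assumption that will not catch sensitive groups defined locally by your organization.

```powershell
# Added example: preview and filter a group copy. Function and parameter names are hypothetical.
function Copy-ADGroupMembershipSafely {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $TemplateUser,
        [Parameter(Mandatory)] [string] $TargetUser,
        # Assumption: set this only after reviewing the groups reported as SkippedPrivileged
        [switch] $IncludePrivileged
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Resolve both accounts first so a typo fails before any change is made
    $template = Get-ADUser -Identity $TemplateUser -Properties MemberOf -ErrorAction Stop
    $target   = Get-ADUser -Identity $TargetUser   -Properties MemberOf -ErrorAction Stop

    # MemberOf holds distinguished names; skip groups the target already has
    $missing = @($template.MemberOf | Where-Object { $target.MemberOf -notcontains $_ })

    foreach ($dn in $missing) {
        # adminCount = 1 marks groups protected by AdminSDHolder (Domain Admins and similar)
        $group = Get-ADGroup -Identity $dn -Properties adminCount -ErrorAction Stop
        $privileged = ($group.adminCount -eq 1)
        $action = 'Added'

        if ($privileged -and -not $IncludePrivileged) {
            $action = 'SkippedPrivileged'
        }
        elseif ($PSCmdlet.ShouldProcess($group.Name, "Add $($target.SamAccountName)")) {
            try {
                Add-ADGroupMember -Identity $group -Members $target -Confirm:$false -ErrorAction Stop
            }
            catch {
                $action = "Failed: $($_.Exception.Message)"
            }
        }
        else {
            $action = 'Preview'   # -WhatIf was used or a -Confirm prompt was declined
        }

        # One record per group gives a reviewable log of what changed
        [pscustomobject]@{ Group = $group.Name; Privileged = $privileged; Action = $action }
    }
}

# Dry run first, then the real run (constructed account names):
# Copy-ADGroupMembershipSafely -TemplateUser 'jdoe' -TargetUser 'asmith' -WhatIf
# Copy-ADGroupMembershipSafely -TemplateUser 'jdoe' -TargetUser 'asmith'
```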

Conclusion

Manually managing Active Directory group memberships is a recipe for mistakes and wasted time. By combining fundamental PowerShell concepts like loops, arrays, and conditional logic, we’ve created a powerful script that automates one of the most common onboarding tasks. This tool not only makes your job easier but also ensures that new employees get the exact permissions they need, consistently and reliably, every single time.


Burns B., Smirnov E. “Tiny PowerShell Projects”.


Hello! I'm a gaming enthusiast, a history buff, a cinema lover, connected to the news, and I enjoy exploring different lifestyles. I'm Yaman Şener/trioner.com, a web content creator who brings all these interests together to offer readers in-depth analyses, informative content, and inspiring perspectives. I'm here to accompany you through the vast spectrum of the digital world.
