Copying Active Directory Group membership with PowerShell


Introduction

Managing Active Directory (AD) user accounts and their membership of security groups is one of the most time-consuming tasks for a system administrator. But it doesn’t have to be that way.

With the help of PowerShell and the Active Directory module, we can automate copying group membership from one user to another. The task is simple on its face, but automating it saves a significant amount of time and reduces the possibility of human error.

In this blog post, we’ll break down a PowerShell script that does just that and discuss the benefits it offers.

Understanding the Script

Let’s walk through the script step-by-step:

  1. Import the Active Directory Module: The Import-Module ActiveDirectory command ensures that the Active Directory cmdlets are available to the script.
  2. Prompt for Source and Destination Usernames: We use the Read-Host command to ask the admin for the source and destination sAMAccountNames.
  3. Retrieve User Information: With Get-ADUser -Identity, we retrieve the AD user objects for both the source and destination users.
  4. Validate User Objects: We check whether the user objects are null. If any are, the script throws an error message and exits.
  5. Retrieve Source User Group Membership: We get the source user’s group memberships using Get-ADUser -Identity $sourceUser.SamAccountName -Properties MemberOf.
  6. Filter Groups: We filter the groups to those whose name starts with ‘Sharepoint’ using Where-Object, so only the intended application groups are copied rather than every group the source user holds.
  7. Display Groups for Confirmation: We list the groups to be copied and ask the admin to confirm the operation.
  8. Copy Group Memberships: If the admin confirms, we add the destination user to the selected groups using Add-ADGroupMember. If the admin does not confirm, the operation is cancelled.

Benefits of Using This Script

The primary benefit of using this script is the time saved. Without automation, the admin would have to manually retrieve the group memberships of the source user, filter them, and then manually add the destination user to each group. This can be a time-consuming process, especially when you have to manage hundreds or thousands of users.

Assuming it takes an admin about 5 minutes to perform this task manually for a single user, this script could save approximately 4 minutes per user, as the script completes the task in less than a minute. Over the course of a year, if the admin has to perform this task for 100 users, that’s a potential saving of approximately 400 minutes or almost 7 hours.

The secondary benefit is accuracy. Manual operations are prone to human error. This script greatly reduces the chances of making an error (like adding a user to the wrong group).

Conclusion

Automation is key to efficient system administration. This PowerShell script showcases how automation can save significant time and improve accuracy when managing AD user accounts and their group memberships. By embracing scripts like this, system administrators can free up more of their time for higher-value tasks, ultimately leading to a more efficient IT operation.

Import-Module ActiveDirectory

#Prompt for Source and Destination sAMAccountNames
$sourceSAM = Read-Host "Enter Source sAMAccountName"
$destinationSAM = Read-Host "Enter Destination sAMAccountName"

#Get Source and Destination Users
#Get-ADUser throws a terminating error for an unknown identity, so suppress it here and let the null checks below report it
$sourceUser = Get-ADUser -Identity $sourceSAM -ErrorAction SilentlyContinue
$destinationUser = Get-ADUser -Identity $destinationSAM -ErrorAction SilentlyContinue

#Validate Source and Destination Users
if ($null -eq $sourceUser) {
    Write-Error "Source User ($sourceSAM) not found in Active Directory"
    exit
}

if ($null -eq $destinationUser) {
    Write-Error "Destination User ($destinationSAM) not found in Active Directory"
    exit
}

#Get Source User Group Membership (distinguished names of the groups the user is a direct member of)
$sourceGroups = Get-ADUser -Identity $sourceUser.SamAccountName -Properties MemberOf | Select-Object -ExpandProperty MemberOf

#Resolve each group once and keep only those whose name starts with 'Sharepoint'
$groupsToCopy = $sourceGroups | ForEach-Object { Get-ADGroup -Identity $_ } | Where-Object { $_.Name -like 'Sharepoint*' }

#Show the groups to be copied
Write-Host "The following groups will be copied from $sourceSAM to $destinationSAM:"
$groupsToCopy | ForEach-Object {
    Write-Host " - $($_.Name)"
}

#Confirm user wants to proceed
$proceed = Read-Host "Do you wish to proceed? (Y/N)"

if ($proceed -eq 'Y' -or $proceed -eq 'y') {
    #Add Destination User to Groups
    $groupsToCopy | ForEach-Object {
        Add-ADGroupMember -Identity $_ -Members $destinationUser -Confirm:$false
        Write-Host "Added $destinationSAM to group $($_.Name)"
    }
    Write-Host "Operation completed successfully!"
} else {
    Write-Host "Operation canceled by user."
}
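The script above applies every matching group unconditionally. As an added example (not part of the original post), the same operation can be wrapped in a function that supports -WhatIf for a dry run, skips groups the destination already belongs to, and writes one audit line per change, which makes the privilege being granted reviewable before and after the fact. The function and parameter names, the default pattern and the audit log path are this example's own assumptions; the cmdlets are the standard Active Directory module ones used in the post.

```powershell
# Added example: Copy-FilteredGroupMembership is a hypothetical wrapper, not the post's script.
# It assumes the ActiveDirectory module and a writable audit log path (assumed default below).
#Requires -Modules ActiveDirectory

function Copy-FilteredGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SourceSam,
        [Parameter(Mandatory)] [string] $DestinationSam,
        # Only groups whose Name matches this wildcard are copied (default mirrors the post)
        [string] $GroupNamePattern = 'Sharepoint*',
        # Assumed audit log location; adjust for your environment
        [string] $AuditLog = "$env:ProgramData\GroupCopyAudit.log"
    )

    # -ErrorAction Stop turns a missing account into a terminating error we can report cleanly
    try {
        $source      = Get-ADUser -Identity $SourceSam      -Properties MemberOf -ErrorAction Stop
        $destination = Get-ADUser -Identity $DestinationSam -Properties MemberOf -ErrorAction Stop
    } catch {
        throw "Lookup failed: $($_.Exception.Message)"
    }

    # Resolve each source group once and keep only those matching the pattern
    $candidate = foreach ($dn in $source.MemberOf) {
        $g = Get-ADGroup -Identity $dn
        if ($g.Name -like $GroupNamePattern) { $g }
    }

    # Delta: only groups the destination is not already a direct member of get added
    $already = @($destination.MemberOf)
    $toAdd   = $candidate | Where-Object { $already -notcontains $_.DistinguishedName }
    $skipped = $candidate | Where-Object { $already -contains $_.DistinguishedName }

    foreach ($g in $skipped) {
        Write-Verbose "Skipping $($g.Name): $DestinationSam is already a member"
    }

    foreach ($g in $toAdd) {
        $action = "Add $DestinationSam (copied from $SourceSam)"
        # ShouldProcess honours -WhatIf and -Confirm, so the change set can be reviewed first
        if ($PSCmdlet.ShouldProcess($g.DistinguishedName, $action)) {
            Add-ADGroupMember -Identity $g -Members $destination
            # One audit line per membership change: who ran it, from whom, to whom, which group
            $line = '{0:o} operator={1} source={2} destination={3} group={4}' -f `
                (Get-Date), $env:USERNAME, $SourceSam, $DestinationSam, $g.DistinguishedName
            Add-Content -Path $AuditLog -Value $line
            Write-Host "Added $DestinationSam to $($g.Name)"
        }
    }

    # Return the groups that were (or, under -WhatIf, would be) added, for piping or reporting
    $toAdd
}

# Usage: dry run first, then apply with verbose output (sAMAccountNames here are placeholders)
# Copy-FilteredGroupMembership -SourceSam jdoe -DestinationSam asmith -WhatIf
# Copy-FilteredGroupMembership -SourceSam jdoe -DestinationSam asmith -Verbose
```

Running with -WhatIf prints the intended Add operations without touching the directory, which is the review step worth keeping when the source user holds more groups than expected; the delta check also makes the function safe to re-run.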
