
August 17, 2018 at 4:44 pm


I've just started using PowerShell recently, and I'm enjoying it! I have made my life easier by scripting repetitive tasks at work, nothing fancy. But I want to improve on one of them.

Here's what I'm trying to do. We have several brands, or companies under one umbrella, all part of the same AD domain. The brands are organized by OU. Say we have an accountant in one brand, code is AAA. We'll have the AD security groups specific for that brand starting with the prefix AAA, so it may be AAA_report_payroll, AAA_report_expenses, etc.

Often we need to model someones access from company AAA to another employee who will be working in company BBB. So, Bob in AAA with access to AAA_report_payroll, AAA_Report_expenses will be the "model", and we'll need to give Joe in company BBB access to BBB_report_expenses and BBB_report_payroll.  Of course, in the real world it is more than 2 groups they'd need, which is why I script it.

What I've been doing is running Get-ADPrincipalGroupMembership on the model-after employee and sending the results to a text file. I run a 2nd script that goes through the text file and replaces AAA_ with BBB_. A third script then runs a Get-Content on the text file, and uses foreach (group in groups) to add the target user to the new groups.

Like I said, I really want to improve on this. I'm happy I get it done faster than anyone used to do it, but I'd like to learn how to streamline other functions I do. By way of comparison, my predecessor used to type the names into Notepad and then copy and paste them into the user's AD account.

I want to know if I can have ONE script that will pull the groups (Get-ADPrincipalGroupMembership maybe?) into a variable, then do a replace of AAA_ with BBB_ in the variable and apply those renamed groups to the destination user without having to send it to text files.

I believe once I have that part down, I'll be able to use some Read-Host prompts to get the model-after user, the company code, the destination user and the new company code. I should be able to figure out placing the variables in the code, but for the life of me I can't seem to get how to do the replace on items in memory instead of a text file. I'm sure the pipe will come into play, but if anyone has any thoughts on this I'd love to know! It's also Friday, I've had a lot of coffee and tend to ramble. Thanks!

August 17, 2018 at 4:49 pm

Is there a reason you break it out into 3 scripts, rather than into one?
If all the code works individually, have you tried to put it into one .ps1 file?

August 17, 2018 at 5:02 pm

I haven't tried to, to be honest. I'm making it up as I go along, and am realizing now what more can be done and improved on. I've actually been running everything through the ISE since it's easier to edit and just click on the Run Script button.

I know... but I had to start somewhere. 🙂 Once I get that other part down, I'll work on getting it all into one script. I just don't want the text files anymore, as I want to be able to share the script with my group to expedite these types of requests.


August 17, 2018 at 8:02 pm

Let's just look at some basic stuff. You want to take a "template" user and get their groups. Groups are returned as a DistinguishedName. In the code below, we are replacing "CN=" with nothing:

$user = Get-ADUser -Filter {SamAccountName -eq 'user1'} -Properties MemberOf |
        Select-Object -Property MemberOf,
                      @{Name='Groups';Expression={$_.MemberOf | ForEach-Object { ($_ -split ",")[0].Replace("CN=","") }}}

If you defined a variable like $destinationCode = "BBB" and knew the user was in AAA, you could probably do another .Replace("AAA", $destinationCode) on there. What do you think? Now you would have the groups in an array as $user.Groups to do an Add-ADGroupMember to the new account.
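Putting the thread's pieces together into one script, as an added example that is not the poster's or the answerer's code. It assumes the ActiveDirectory module, the AAA_/BBB_ naming described above, and that whoever runs it already holds the rights to change the target groups; the parameter names $ModelUser, $TargetUser, $SourceCode and $TargetCode are chosen here, not taken from the thread.

```powershell
# Added example: copy a model user's brand-prefixed groups to a target user,
# rewriting the prefix in memory instead of round-tripping through text files.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $ModelUser,   # e.g. Bob (SamAccountName)
    [Parameter(Mandatory)] [string] $TargetUser,  # e.g. Joe
    [Parameter(Mandatory)] [string] $SourceCode,  # e.g. AAA
    [Parameter(Mandatory)] [string] $TargetCode   # e.g. BBB
)

# Anchored pattern: match 'AAA_' only at the start of the group name, so
# unprefixed groups such as 'Domain Users' are never copied and an 'AAA'
# appearing in the middle of a name is never rewritten.
$prefixPattern = '^' + [regex]::Escape("${SourceCode}_")

$modelGroups = Get-ADPrincipalGroupMembership -Identity $ModelUser |
    Where-Object { $_.SamAccountName -match $prefixPattern }

$results = foreach ($group in $modelGroups) {
    $newName = $group.SamAccountName -replace $prefixPattern, "${TargetCode}_"

    # Look the mirror group up instead of assuming it exists; a brand that
    # lacks the equivalent group is reported rather than silently skipped.
    $target = Get-ADGroup -Filter "SamAccountName -eq '$newName'"
    if (-not $target) {
        [pscustomobject]@{ Source = $group.SamAccountName; Target = $newName; Status = 'MISSING' }
        continue
    }

    # ShouldProcess gives the script -WhatIf / -Confirm for free, so the
    # planned group additions can be reviewed before any membership changes.
    if ($PSCmdlet.ShouldProcess($TargetUser, "Add to group $newName")) {
        Add-ADGroupMember -Identity $target -Members $TargetUser
        [pscustomobject]@{ Source = $group.SamAccountName; Target = $newName; Status = 'ADDED' }
    }
}

# One row per model group: what it mapped to and whether it was applied.
$results | Format-Table -AutoSize
```

Run it once with -WhatIf to see the full AAA_ to BBB_ mapping and any MISSING rows before applying it; the summary table doubles as a record of what was granted.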