
March 16, 2018 at 5:12 pm

For doing bulk group adds, I usually put everything in a CSV file with two columns, one being "group" and the other being "useradd", then run a function that contains this:

import-csv C:\scripts\sp\groupmod.csv | % {Add-ADGroupMember -Identity $_.group -Members $_.useradd}

No big deal, pretty straightforward. However, I've noticed around 2-3 times now that users that are in the csv do not get added to the groups. I do not get any errors, I just find out later when the SharePoint team asks where the users are!

I tried doing -verbose but it doesn't really give me any information beyond something being added to that group. If I put write-output in front of add-adgroupmember it does seem to give me some information on what is being added to the groups. Just not sure if this is the best method? I thought try/catch might help, but I don't actually get any errors when it doesn't add them, so not sure if that would help.

Any thoughts are appreciated, thanks!

March 17, 2018 at 2:15 am

There is no built-in way to determine if the accounts have been added or not. If you want to make sure that the desired accounts have been added to the group, you will have to check it by yourself.

March 18, 2018 at 4:26 am

Hey Jon,
I have a similar script that adds members to a group in bulk. I actually just use a txt file and do one group at a time and have never had a problem with it skipping members. Although if you had a lot of groups to do at one time, using a CSV definitely scales better. At the end of my script I usually output the group members and spot check the ones I have just added. Similar to what Olaf said, you could always try getting a count of the members before and after to see if it matches up with what you're adding.

March 18, 2018 at 10:48 am

you could always try getting a count of the members before and after to see if it matches up with what you're adding

Please keep in mind that this would only provide helpful information if none of the accounts you try to add is already in the group.

March 18, 2018 at 1:42 pm

If the account you were trying to add were already a member of the group that would actually generate an error stating "The specified account name is already a member of the group", and I think in Jon's case he said he is not getting any errors. I haven't tried testing with a csv but I don't think it would be any different.

March 18, 2018 at 4:08 pm

I haven't tried testing with a csv ...

It does not matter where the names come from but you should have.

If the account you were trying to add were already a member of the group that would actually generate an error
...

NO, it does not. That's why I said you have to check each single name if it's there or not. I tested it before.

March 19, 2018 at 2:09 pm

Olaf is right, it will not tell you if a user/group is already a member of the group.

It seems like there isn't a real good way to get this done. Since it's only happened a few times, and it's not a huge deal when it does, I'll just let them complain when they don't get added and then fix it 🙂

March 19, 2018 at 3:49 pm

Not sure if I am doing something different, but if I run this in my AD environment (Win Server 2008 R2), it does let me know that someone is already a member of the group. You can always try this if it helps; if not, you can just ignore me.

Import-Module ActiveDirectory
$ErrorActionPreference = "Stop"

$users = Import-Csv -Path C:\Scripts\AddADGroupMembers.csv

foreach ($user in $users)
{
	try
	{
		$GroupMemberCountBefore = (Get-ADGroupMember -Identity $user.group).count
		Add-ADGroupMember -Identity $user.group -Member $user.username
		$GroupMemberCountAfter = (Get-ADGroupMember -Identity $user.group).count
		
		if ($GroupMemberCountBefore -eq $GroupMemberCountAfter)
		{
			Write-Host "Please check to make sure " $user.username " got added to " $user.group
		}
	}
	catch
	{
		Write-Host $user.username " may already be a member of the group."
	}
	
	
}

March 19, 2018 at 6:36 pm

OK, I don't know how an out of support Windows 😉 works in this situation but on a W2K12 R2 there won't be any message if a user is already in the group.
So your script wouldn't deliver a reliable statement about the success of the desired action.
Let's say you already have User1 and User2 in your group and you try to add User1, User2, User3 and User4 with a single command line. For whatever reason adding User3 works just as intended but User4 won't. Then your count is different to the count before but there won't be any error message.
So the only reliable way to check if all the desired users are added to the group is – get the group members and compare them to the "adding candidates".
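
The comparison described in the post above, as an added example that is not part of the original thread. The function name `Get-MissingMember`, the group name `SP-Readers` and the sample membership are constructed for illustration; the membership lookup is passed in as a script block so the logic can be tried without a domain.

```powershell
# Added example: compare the "adding candidates" with the actual group members.
# Get-MissingMember and all sample values below are hypothetical.
function Get-MissingMember {
    param(
        # Rows with .group and .useradd, as produced by Import-Csv
        [Parameter(Mandatory)] [object[]] $Candidates,
        # Script block that returns the sAMAccountNames in a given group
        [Parameter(Mandatory)] [scriptblock] $GetMembers
    )
    foreach ($byGroup in ($Candidates | Group-Object -Property group)) {
        # Read the membership once per group, after all adds have run
        $actual = @(& $GetMembers $byGroup.Name)
        foreach ($row in $byGroup.Group) {
            # -notcontains compares case-insensitively, name by name
            if ($actual -notcontains $row.useradd) {
                [pscustomobject]@{ Group = $row.group; Member = $row.useradd }
            }
        }
    }
}

# Constructed sample: User1 and User2 were already members, User3 was added,
# and the add of User4 failed without an error.
$candidates = @'
group,useradd
SP-Readers,User1
SP-Readers,User2
SP-Readers,User3
SP-Readers,User4
'@ | ConvertFrom-Csv

$after = @{ 'SP-Readers' = @('User1', 'User2', 'User3') }

# The member count changed, so a before/after count check would pass;
# the per-name comparison still reports the candidate that is absent.
$missing = Get-MissingMember -Candidates $candidates -GetMembers { param($g) $after[$g] }
$missing | Format-Table -AutoSize

# Against a live domain, pass a lookup that queries AD instead:
# $live = { param($g) (Get-ADGroupMember -Identity $g).SamAccountName }
# Get-MissingMember -Candidates (Import-Csv C:\scripts\sp\groupmod.csv) -GetMembers $live
```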

March 21, 2018 at 12:32 pm

I would probably approach it in this fashion:

$csv = import-csv C:\scripts\sp\groupmod.csv
$errorlog = "c:\scripts\sp\group_add_error.txt"
foreach ($entry in $csv)
{
    Add-ADGroupMember -Identity $entry.group -Members $entry.useradd
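    # Re-read the user's group memberships (a list of group distinguished names)
    $membership = get-aduser $entry.useradd -properties memberof
    # $($entry.group) is required so the property, not just $entry, expands inside the string
    if ($membership.memberof -like "*$($entry.group)*")
    {
        # user is in the group; nothing to log
    }
    else
    {
        # -Append keeps earlier failures instead of overwriting the log on every miss
        "$($entry.useradd) was not added to $($entry.group)" | out-file $errorlog -Append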
    }
}

You could also add a success message in the first check, but this is relatively simple.

April 5, 2018 at 4:58 pm

Wanted to give a quick update. Thanks, David, for your script. I had to make a few modifications, as I needed to account for when I was adding groups into groups.

Here is my final code which is working great.

$csv = import-csv C:\scripts\sp\groupmod.csv
$errorlog = "c:\scripts\sp\group_add_error.txt"
foreach ($entry in $csv)
{
    Add-ADGroupMember -Identity $entry.group -Members $entry.useradd
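    # Direct members of the group (users and nested groups) by sAMAccountName
    $membership = (get-adgroupmember $entry.group).samaccountname
    if ($membership -like $entry.useradd)
    {
        # member is present; nothing to log
    }
    else
    {
        # -Append keeps earlier failures instead of overwriting the log on every miss
        "$($entry.useradd) was not added to $($entry.group)" | out-file $errorlog -Append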
    }
}