Sometimes managing groups in Active Directory becomes tedious and even overwhelming. Sure, you can add a user to multiple groups using Active Directory Users and Computers (ADUC) and in cases where group management doesn’t happen often, this might be the way to go, but Quest Software has a set of PowerShell Commandlets that can make this task very easy to automate.
This post will look at some of the commandlets (cmd-lets) available from Quest for accomplishing this task. The best part is that the cmd-lets are free to download from:http://www.quest.com/powershell/activeroles-server.aspx.
Note: The Active Roles commandlets do not require Active Roles server to work with Active Directory.
Explore other powershell resources from Quest here.
Adding members to group
Suppose we have the following scenario, a lone administrator needs to add users to a new group in Active Directory. Because of other projects that need to be completed as soon as possible, adding them with ADUC will not be an efficient use of time. Here is how to streamline the task with PowerShell.
The first step is to download the Active Roles Server commandlets for PowerShell. When you get it installed the interface will look like Figure A.
Note: During the installation you will be able to have the ActiveRoles installer configure PowerShell to handle all signed scripts, making the use of the tool a bit easier based on the way PowerShell handles security.
Figure A
The Active Roles interface for PowerShell (click to enlarge)
The Active Directory commandlets are only available from within the Active Roles session. To access this session, simply open it from the Quest Software directory on the Start Menu.
Adding users (or other groups) to Active Directory is a simple task, but when there are a large number of items to add, a script and list of users can be a great way to get the job done quickly.
The first thing to do is create a list of the objects you want to add using the following set of commands:
$pw = read-host "Enter your password" -ADSecureString
Connect-qadservice -ConnectionAccount ‘domainadmin username' -ConnectionPassword $pw
Get-qaduser -searchroot ‘domain.com/UsersOU' | %{$_.DirectoryEntry.distinguishedName, $_.DirectoryEntry.description} | out-file c:users.txt
This section of code connects to Active Directory using the specified username (domainadmin username) and prompts you to enter the password for the account. Then it searches the directory container UsersOU and returns all of the distinguished names and descriptions for user accounts in that container. Instead of returning them to the screen, they are pumped into C:users.txt which can be read in later to add these members to a group.
Once you have a file containing the distinguished names of the users you need to add, reading the file into powershell and adding members to the group is quick and easy.
To use add-qadgroupmember you call the add-qadgroupmember cmdlet.
Then specify the parameters needed to tell PowerShell which group to add users to with the identity property followed by the distinguished name of the target group:
-identity "cn=newgroup,ou=groups,dc=domain,dc=com"
Next, you specify the -member property and the distinguished name of the user you need to add:
-member "cn=Derek,ou=users,dc=domain,dc=com"
The entire command looks like this:
add-qadgroupmember -identity "cn=newgroup,ou=groups,dc=domain,dc=com" -member "cn=Derek,ou=users,dc=domain,dc=com"
This will also return all results to the screen. In this case, one record is being added; however, using PowerShell to add one user to a group might take more time than using included GUI tools.
Looking back to our original example of allowing an administrator to loop through a file containing the distinguished names of users to add, might look something like this:
$group = "cn=newgroup,ou=groups,dc=domain,dc=com"
$list = Get-content c:users.txt
Foreach($user in $list)
{
add-qadgroupmember -identity $group -member $user
}
The code above creates a variable $group for the distinguished name of the group that will contain the users. Next the $list variable is defined to take in the content from c:users.txt. The content in this text file is stored in a variable to be looped through during the remainder of the script.
The loop is where the work is done as, each pass through the loop looks at each user record within the $list variable, which contains the entire contents of users.txt and adds each user to the target group specified by the $group variable. When passed to the add-qadgroupmember cmdlet, the users are added one at a time until the list is completed.
When PowerShell is used for this type of maintenance, adding a huge list of users to a group takes very little time at all. There can be a bit of setup, but keeping the script small and useful makes the process very painless indeed.
(source : http://www.techrepublic.com/blog/networking/add-members-to-a-group-with-powershell-commandlet/3964)
Exchange, Powershell, AD & Azure Tips 