Adding users to Active Directory (AD) groups is a common task for system administrators. If the task involves just one or two users, they often opt to use either Active Directory Users and Computers (ADUC) or Active Directory Administrative Center (ADAC). But when the job involves more users, PowerShell is a far more efficient option. This article explains the PowerShell cmdlet for adding users to an AD group, Add-ADGroupMember.
Add-ADGroupMember
To add users to a group, PowerShell offers the Add-ADGroupMember cmdlet.
Syntax
The syntax of the Add-ADGroupMember cmdlet is as follows:
Add-ADGroupMember [-WhatIf] [-Confirm] [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Identity] <ADGroup> [-Members] <ADPrincipal[]> [-MemberTimeToLive <TimeSpan>] [-Partition <String>] [-PassThru] [-Server <String>] [-DisablePermissiveModify]
Parameters
The Add-ADGroupMember cmdlet has the following parameters:
Parameter | Description |
-Identity | Use this parameter to specify the AD group to which you want to add the new members. You can specify the group using its distinguished name (DN), globally unique identifier (GUID), security identifier (SID) or security accounts manager (SAM) name. You can also pass in the group through a pipeline. |
-Members | Use this parameter to specify the users, service accounts, computers or groups to be added as members of the group. Identify each member by its DN, SID, GUID or SAM name. To specify multiple members, use the comma as a separator. Note that user, group and computer objects cannot be passed through a pipeline. If you want to use a pipeline, you can use the Add-ADPrincipalGroupMembership cmdlet instead. |
-WhatIf | Use this parameter if you want to see what the cmdlet would do, without actually executing it. |
-Confirm | Use this parameter if you want to get a confirmation prompt before the cmdlet runs. |
-AuthType | Use this parameter to specify the authentication type: Basic or Negotiate. |
-Credential | Use this parameter if you need to provide alternative credentials. |
-MemberTimeToLive | Use this parameter to provide a specific timeframe for the object to remain a member of the group. |
-Partition | Use this parameter to specify the DN of the Active Directory partition that the cmdlet should search for the group specified in the Identity parameter. |
-PassThru | Use this parameter to return the object that is modified. (By default, the Add-ADGroupMember cmdlet does not generate any output.) |
-Server | Use this parameter to specify the Active Directory instance to connect to. You can provide either the domain name or the directory server. |
-DisablePermissiveModify | Use this parameter to prevent the cmdlet from throwing an error if the user is already a member of the specified group. |
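The -MemberTimeToLive, -WhatIf and -PassThru style of safe change from the table, applied to time-limited membership. This is an added example, not code from the original article. It assumes the forest has the Privileged Access Management optional feature enabled, which -MemberTimeToLive needs; the function name, the group "Server Admins" and the two-hour lifetime are hypothetical.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Add-TemporaryGroupMember {      # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Group,
        [Parameter(Mandatory)] [string]   $User,
        [Parameter(Mandatory)] [timespan] $Lifetime
    )

    # -MemberTimeToLive only works once this optional feature is enabled,
    # so check up front and fail with a clear message.
    $pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
    if (-not $pam -or $pam.EnabledScopes.Count -eq 0) {
        throw 'Privileged Access Management Feature is not enabled in this forest.'
    }

    # Resolve both objects first so a typo fails here, before any change.
    $g = Get-ADGroup -Identity $Group -ErrorAction Stop
    $u = Get-ADUser  -Identity $User  -ErrorAction Stop

    if ($PSCmdlet.ShouldProcess($g.DistinguishedName, "Add $($u.SamAccountName) for $Lifetime")) {
        Add-ADGroupMember -Identity $g -Members $u -MemberTimeToLive $Lifetime -ErrorAction Stop

        # List members together with the remaining lifetime the directory recorded.
        (Get-ADGroup -Identity $g -Properties member -ShowMemberTimeToLive).member
    }
}

# Dry run first, then the real change. "Server Admins" is a placeholder group.
Add-TemporaryGroupMember -Group 'Server Admins' -User 'Jason-Bourne' -Lifetime (New-TimeSpan -Hours 2) -WhatIf
Add-TemporaryGroupMember -Group 'Server Admins' -User 'Jason-Bourne' -Lifetime (New-TimeSpan -Hours 2)
```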
Common Use Cases
Add a Single User to an AD Group
To add “Jason-Bourne” to the group “The Office”, use the following PowerShell cmdlet:
Add-ADGroupMember -Identity "The Office" -Members Jason-Bourne
This command does not generate any output, so let’s run the following command to check that the group’s membership has been properly updated:
Get-ADGroupMember -Identity "The Office" | ft
Add Multiple Users to an AD Group
To add multiple users to a group, separate them with commas:
Add-ADGroupMember "The Office" Jason-Bourne,Benedict.Cumberbatch,AbbeyCrawford,AbbeyEckels
Let’s confirm the results of this command:
Get-ADGroupMember -Identity "The Office" | ft
Copy Group Members to Another Group
Sometimes you might need to get a list of the members of one group and add those users to another group. For instance, let’s get all the users in the group “The Office” using the Get-ADGroupMember cmdlet, then use a pipeline and a ForEach loop to pass those objects to Add-ADGroupMember, which will add them to the group “Work from home”:
Get-ADGroupMember "The Office" | Get-ADUser | ForEach-Object {Add-ADGroupMember -Identity "Work from home" -Members $_}
To view the membership of both groups, use the following cmdlets:
Get-ADGroupMember -Identity "The Office" | ft
Get-ADGroupMember -Identity "Work from home" | ft
Add All Users from a Specific OU
Similarly, you might need to add all users from a particular organizational unit (OU) to a group. For example, suppose we have an OU named Engineering with 21 users:
To add these 21 users to the “Engineering Users” group, we can use the following command:
Get-ADUser -Filter * -SearchBase "OU=Engineering,DC=milkyway,DC=local" | ForEach-Object -process {Add-ADGroupMember -identity "Engineering Users" -Members $_.SamAccountName}
Now, let’s check the membership of the “Engineering Users” group to ensure that all the users were added:
Get-ADGroupMember -Identity "Engineering Users" | ft
Add Users Based on an AD Property
Sometimes, the users you want to add to a group are not already conveniently in an OU or another group. But if they have an AD property in common, you can still easily add them all to a group. For instance, the following command filters users whose department attribute is set to Engineering and then adds them to the “Engineering Users” group:
Get-ADUser -filter {(department -eq "Engineering")} | ForEach-Object -process {Add-ADGroupMember -identity "Engineering Users" -Members $_.SamAccountName}
Let’s confirm the changes by running the following command:
Get-ADGroupMember -Identity "Engineering Users" | ft
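The attribute-based add above only ever grows the group. The added example below (not code from the original article) goes one step further and compares the filter result with the current membership, so that missing users are added in one call and members who no longer match are reported for review. The function name is hypothetical, and limiting the query to enabled accounts is an assumption.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Sync-DepartmentGroup {          # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Group,
        # Restricting the characters keeps quotes out of the filter string.
        [Parameter(Mandatory)] [ValidatePattern('^[\w .&-]+$')] [string] $Department
    )

    # Desired state: enabled users whose department attribute matches.
    $desired = @(Get-ADUser -Filter "department -eq '$Department' -and Enabled -eq `$true" |
        Select-Object -ExpandProperty DistinguishedName)

    # Current state: direct members of the group (users, computers or nested groups).
    $current = @(Get-ADGroupMember -Identity $Group |
        Select-Object -ExpandProperty DistinguishedName)

    $missing = @($desired | Where-Object { $_ -notin $current })
    $stale   = @($current | Where-Object { $_ -notin $desired })

    # One call with the whole list instead of one call per user.
    if ($missing.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($Group, "Add $($missing.Count) member(s)")) {
        Add-ADGroupMember -Identity $Group -Members $missing
    }

    # Members that no longer match are reported, not removed.
    [pscustomobject]@{
        Group   = $Group
        Missing = $missing
        Stale   = $stale
    }
}

# Preview first; rerun without -WhatIf to apply.
$result = Sync-DepartmentGroup -Group 'Engineering Users' -Department 'Engineering' -WhatIf
$result.Stale | ForEach-Object { Write-Warning "No longer matches the filter: $_" }
```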
Add Users to a Group using a CSV File
You can add members to a group from a CSV file with a list of the AD objects. For example, your HR team might send you a CSV file listing users to be added to a particular group. Here is an example file as it would look when opened in Excel:
Here is the same file as it appears in Notepad:
The following command uses the “Name” field of each row in the CSV file to add the listed users to the “Engineering Users” group:
Import-Csv -Path C:\engineeringusers.csv | foreach-object {Add-ADGroupMember -Identity "Engineering Users" -Members $_.Name}
As usual, let’s verify the results:
Get-ADGroupMember -Identity "Engineering Users" | ft
Add Users to Different Groups using a CSV File
Now let’s consider a more complex scenario: The users in the CSV file need to be added to different groups. For each user, the file specifies the group they should be added to, as shown below:
To add each user to the correct group, use the following cmdlet:
Import-Csv -Path C:\UsersAndGroups.csv | foreach-object {Add-ADGroupMember -Identity $_.Group -Members $_.Name}
To check the results, we can run Get-ADGroupMember for each of the 5 groups in the CSV file:
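A hardened variant of the two CSV imports above, as an added example that is not code from the original article. Because the file comes from another team and its Group column decides which groups change, each row is checked against an allowlist and resolved in AD before anything is modified, and every row's outcome is recorded. The allowlist contents, the $dryRun switch and the result file path are assumptions; for the single-group file, which has no Group column, set $group to a fixed value instead.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$csvPath       = 'C:\UsersAndGroups.csv'                     # path used in the article
$allowedGroups = @('Engineering Users', 'Work from home')    # constructed allowlist
$dryRun        = $true                                       # set to $false to apply

$report = foreach ($row in Import-Csv -Path $csvPath) {
    $name   = "$($row.Name)".Trim()     # must be a SAM name, DN, GUID or SID
    $group  = "$($row.Group)".Trim()
    $status = if ($dryRun) { 'Would add' } else { 'Added' }
    try {
        if (-not $name -or -not $group)   { throw 'Missing Name or Group value' }
        # The file decides which groups change, so refuse any group that was
        # not approved for this import (for example a privileged group).
        if ($group -notin $allowedGroups) { throw 'Group is not on the allowlist' }

        # Resolve both objects first; an unknown user or group stops this row only.
        $user   = Get-ADUser  -Identity $name  -ErrorAction Stop
        $target = Get-ADGroup -Identity $group -ErrorAction Stop

        Add-ADGroupMember -Identity $target -Members $user -WhatIf:$dryRun -ErrorAction Stop
    }
    catch {
        $status = "Skipped: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Name = $name; Group = $group; Status = $status }
}

# Keep a record of what was changed and what was rejected.
$report | Format-Table -AutoSize
$report | Export-Csv -Path 'C:\UsersAndGroups.result.csv' -NoTypeInformation
```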
How Netwrix Can Help
Using PowerShell to add users to AD groups is far more efficient than manual options like ADAC and ADUC. However, writing and maintaining scripts requires specialized skills; without sufficient expertise, it can lead to costly errors.
Netwrix GroupID simplifies Active Directory group management with an intuitive interface and automation capabilities that go beyond PowerShell scripting.
Easier PowerShell Scripting
Netwrix GroupID complements and elevates the capabilities of PowerShell with a user-friendly and secure scripting interface:
Dynamic Groups
Netwrix GroupID also helps eliminate the need for PowerShell scripting. In particular, you can create groups whose membership is updated automatically based on a query you specify. For example, you can eliminate the work of writing and running the PowerShell script provided earlier to add all users whose department is “Engineering” to the “Engineering Users” group. Instead, simply use the graphical Query Designer to specify that user attribute as the criterion for group membership, as shown below, and Netwrix GroupID will keep the group’s membership up to date automatically.
You can also specify expiry policies to help ensure that groups do not outlive their usefulness.
Self-Service Capabilities
Netwrix GroupID also provides a user-friendly web portal that empowers users to easily join or leave groups, create groups, and more, further reducing the burden on the IT team while enhancing accuracy and business productivity.
FAQs
How do I add an AD group?
To create a new AD group, you can use the PowerShell cmdlet New-ADGroup.
How do I add members to an AD group?
Use the PowerShell cmdlet Add-ADGroupMember. When adding multiple users, separate them with commas.
How do I list AD group membership?
To list the members of a group, run Get-ADGroupMember.