Powershell - Script to clone AD groups

Last week I came across a situation where I needed to copy Active Directory groups (including members) as new groups.

Contents

1 Scenario
2 Powershell – Clone single group
- 2.1 Example usage
- 2.2 Code (Clone_Group.ps1)
3 Powershell – Clone list of groups
- 3.1 Example usage
- 3.2 Code (Clone_Group_List.ps1)

Scenario

Suppose we want to clone the “SG-Test1” and “SG-Test2” groups

We need two groups (“SG-NewTest1” and “SG-NewTest2”) to be created with the same members included

Using this powershell scripts you can either clone a single group a list a groups (OU, scope and members remain the same).

Powershell – Clone single group

Example usage

Simply pass the group to clone and the name of the new group that will be created.

PS D:\SCRIPTS> .\Clone_Group.ps1 <OLD GROUP NAME> <CLONED GROUP NAME>

For example:

PS D:\SCRIPTS> .\Clone_Group.ps1 SG-Test1 SG-NewTest1
Created new Group SG-NewTest1 (path OU=MyGROUPS,DC=domain,DC=com)

PS D:\SCRIPTS> .\Clone_Group.ps1 SG-Test2 SG-NewTest2
Created new Group SG-NewTest2 (path OU=MyGROUPS,DC=domain,DC=com)

Code (Clone_Group.ps1)

Download the code of Clone_Group.ps1

Param(
  [string] $OLD_GROUP_NAME,
  [string] $NEW_GROUP_NAME
)

$OLD_GROUP=Get-ADGroup "$OLD_GROUP_NAME"

If ($OLD_GROUP -eq $null)
{
    "Cannot clone non-existent group ($OLD_GROUP_NAME)"
}
Else
{
    $OLD_GROUP_SCOPE=$OLD_GROUP.GroupScope
    $OLD_GROUP_DN=$OLD_GROUP.DistinguishedName
    $TEMP=$OLD_GROUP_DN.IndexOf(",")
    $OLD_GROUP_PATH=$OLD_GROUP_DN.SubString($TEMP+1,$OLD_GROUP_DN.Length-$TEMP-1)

    New-ADGroup -Name $NEW_GROUP_NAME -GroupScope $OLD_GROUP_SCOPE -path "$OLD_GROUP_PATH"
    Get-ADGroupMember -Identity $OLD_GROUP_NAME | Add-ADPrincipalGroupMembership -MemberOf $NEW_GROUP_NAME

    $NEW_GROUP=Get-ADGroup -Filter { name -like $NEW_GROUP_NAME }
    If ($NEW_GROUP -eq $null)
    {
        "Error creating group ($NEW_GROUP_NAME)"
    }
    Else
    {
        "Created new Group $NEW_GROUP_NAME (path $OLD_GROUP_PATH)"
    }
}

Powershell – Clone list of groups

Example usage

Create a file with the foilowing format:

OLD_GROUP_NAME1;CLONED_GROUP_NAME1
OLD_GROUP_NAME2;CLONED_GROUP_NAME2
...

And pass it as parameter of the script:

PS D:\SCRIPTS> .\Clone_Group_List.ps1 <GROUPS_FILE>

For example, file D:\TEMP\groups.txt

SG-Test1;SG-NewTest1
SG-Test2;SG-NewTest2

PS D:\SCRIPTS> .\Clone_Group_List.ps1 D:\TEMP\groups.txt
Created new Group SG-NewTest1 (path OU=MyGROUPS,DC=domain,DC=com)
Created new Group SG-NewTest2 (path OU=MyGROUPS,DC=domain,DC=com)

Code (Clone_Group_List.ps1)

Download the code of Clone_Group_List.ps1

Param(
  [string] $GROUPS_FILE
)

$GROUPS=Get-Content "$GROUPS_FILE"
ForEach ($LINE in $GROUPS)
{
    $OLD_GROUP_NAME=$LINE.Split(";")[0]
    $NEW_GROUP_NAME=$LINE.Split(";")[1]

    $OLD_GROUP=Get-ADGroup -Filter { name -like $OLD_GROUP_NAME }    

    If ($OLD_GROUP -eq $null)
    {
        "Cannot clone non-existent group ($OLD_GROUP_NAME)"
    }
    Else
    {
        $OLD_GROUP_SCOPE=$OLD_GROUP.GroupScope
        $OLD_GROUP_DN=$OLD_GROUP.DistinguishedName
        $TEMP=$OLD_GROUP_DN.IndexOf(",")
        $OLD_GROUP_PATH=$OLD_GROUP_DN.SubString($TEMP+1,$OLD_GROUP_DN.Length-$TEMP-1)

        New-ADGroup -Name $NEW_GROUP_NAME -GroupScope $OLD_GROUP_SCOPE -path "$OLD_GROUP_PATH"
        Get-ADGroupMember -Identity $OLD_GROUP_NAME | Add-ADPrincipalGroupMembership -MemberOf $NEW_GROUP_NAME
        $NEW_GROUP=Get-ADGroup -Filter { name -like $NEW_GROUP_NAME }
        If ($NEW_GROUP -eq $null)
        {
            "Error creating group ($NEW_GROUP_NAME)"
        }
        Else
        {
            "Created new Group $NEW_GROUP_NAME (path $OLD_GROUP_PATH)"
        }
    }
}

9 thoughts on “Powershell – Script to clone AD groups”

Arris on October 29, 2018 at 10:18 am said:

I try the list one, but it doesn’t clone only create a new group with the new name.
It says it cannot find the group. How can i make sure it is looking in the right OU, it seems that part is missing.

Get-ADGroupMember : Cannot find an object with identity: ‘FOJA-ADM’ under: ‘DC=foja,DC=nl’.

Reply ↓
- Brian on January 11, 2019 at 9:07 am said:
  
  Edit the line which retrieves the group object.
  Change
  $OLD_GROUP=Get-ADGroup -Filter { name -like $OLD_GROUP_NAME }
  To
  $OLD_GROUP = Get-ADGroup “$OLD_GROUP_NAME”
  
  Reply ↓
  - Sysadmin SomoIT on January 15, 2019 at 10:12 am said:
    
    Thanks Brian
    
    Reply ↓
Hak on May 29, 2019 at 3:42 am said:

worked like a charm

Reply ↓
Ramiro M on June 17, 2020 at 1:32 am said:

Hello,
I just started working as Account Admin and we have a team that needs to copy a complete OU with security groups for one OU to a test OU in the same domain.

I see the second script will help a lot, but is there a CSV template created for this? I am barely new to this kind of elaborated scripts, and I am not able to identify the fields.

I will really appreciate if you can guide me to create the template.

Reply ↓
Jane Doe on January 14, 2021 at 4:23 pm said:

Perhaps you should go back to your books. It sounds like you are in over your head.

Reply ↓
Abhijit Bhise on March 19, 2021 at 12:57 pm said:

are permission on both the groups similar after they are created?

Reply ↓
David Postlethwaite on March 25, 2021 at 8:42 am said:

perfect. Just what I needed

Reply ↓
Clinton on May 31, 2021 at 5:21 pm said:

How do i copy security groups from one ou to another? Don’t need the memebers.

Reply ↓

SomoIT.net

IT System Administration – Sysadmin tips, tricks and tutorials

Powershell – Script to clone AD groups

Scenario

Powershell – Clone single group

Example usage

Code (Clone_Group.ps1)

Powershell – Clone list of groups

Example usage

Code (Clone_Group_List.ps1)

9 thoughts on “Powershell – Script to clone AD groups”

Leave a Reply Cancel reply