Copy Group Memberships from One AD User to Another

Executive Summary:

Using the Microsoft Management Console (MMC) Active Directory Users and Computer snap-in to copy group memberships in Microsoft Active Directory can be very time-consuming. To save time, you can use CopyMembership.vbs to automatically copy group membership from one Microsoft Active Directory user to another. CopyMembership.vbs uses Microsoft Active Directory Service Interfaces (ADSI) and Windows Script Host (WSH) 5.6.

My company's Security ID Admin team manages more than 5,000 employees. When a new employee is hired, the human resources (HR) department notifies us and we quickly create an employee object in Active Directory (AD). The HR department doesn't know the application or group memberships that should be assigned to the new employee, so we just assign the sAMAccountName (i.e., username) and don't include any membership information. After the new employee starts work, his or her department manager tells the Security ID Admin team to assign global-group roles based on the group memberships of existing employees in the department.

To assign global-group roles, the Security ID Admin team had to check the group memberships of an existing employee in the Microsoft Management Console (MMC) Active Directory Users and Computer snap-in, write down the information on a piece of paper, then add those membership groups to the new employee object. This process was very time-consuming. Thus, I wrote CopyMembership.vbs to automatically copy group membership from one AD user to another AD user. By design, this script doesn't remove any group memberships after the copy operation; it leaves the existing employee's groups intact because the script is used for new hires only.

I wrote and tested CopyMembership.vbs on machines running Windows XP. You need Active Directory Service Interfaces (ADSI) and Windows Script Host (WSH) 5.6 on the machine from which you want to run the script. Assuming CScript is the default engine, you use the following syntax to launch it:

Copymembership.vbs ntid1 ntid2 

where ntid1 is the existing employee's username and ntid2 is the new employee's username.

As Listing 1 shows, CopyMembership.vbs retrieves the usernames provided on command line, then converts them into distinguished names (DNs). The script calls the dn function to perform this conversion, as callouts A and B show. The dn function in callout D has proved to be quite handy. I've used it in other AD-related scripts, including AddComputers.vbs, which I discuss in "An MMC-less Way to Add Computers to Global Groups" (http://www.scriptingprovip.com/articles/articleid/95164/95164.html). As I describe in that article, the dn function uses ADSI's NameTranslate object. This object translates ADsPath entries from one format to another in the LDAP namespace. (For more information about this object, go to the "ADSI Objects of LDAP" Web page at http://msdn2.microsoft.com/en-gb/library/aa772208.aspx.)

After the two usernames are converted into DNs, CopyMembership.vbs binds to the LDAP namespace in AD and checks to see whether the two employee objects exist. If the script finds that one of the objects doesn't exist, it displays an error message and quits. When both employee objects exist, the script retrieves the group memberships from the object representing the existing employee and copies those memberships to the object representing the new employee, as callout C shows.

The Security ID Admin team has found CopyMembership.vbs to be a real time-saver. Even if you don't need to copy users' group memberships, you'll likely find the dn function a handy piece of code for your scripting toolbox.

—James Lim

Share Your Scripting Experiences
Share your scripting discoveries, comments, solutions to problems, and experiences with products. Email your contributions to r2r@scriptingprovip.com. Please include your full name and phone number. We edit submissions for style, grammar, and length. If we print your submission, you’ll get $100.