
    Powershell - Replicate Permissions 1:1 for AD Users

    Developer Discussion
    powershell script active directory
    DustinB3403 (last edited by scottalanmiller)

      The below script will replicate user permissions and a few other settings from a Source and Target user.

      # This script will apply user permissions and a logon script on a 1:1 basis from an existing (Source) user to a new (Target) user.
      # It can also be used to reapply permissions on a large scale using the 1:1 ratio, allowing control over what
      # permissions may change between users.

      # -Confirm:$false suppresses the confirmation prompt for each group removal. Otherwise this could be rather tedious.

      [CmdletBinding()]
      Param (
          [Parameter(Mandatory = $True, HelpMessage = "Logon name of source user")]
          [string]$Source,
          [Parameter(Mandatory = $True, HelpMessage = "Logon name of target user")]
          [string]$Target
      )

      Import-Module ActiveDirectory

      # Retrieve group memberships and the attributes to be copied.
      $SourceUser = Get-ADUser $Source -Properties memberOf, scriptPath, manager, Organization, Department, Company
      $TargetUser = Get-ADUser $Target -Properties memberOf

      # Attributes copied from the source user: logon script, manager, company, organization, department.
      $Script       = $SourceUser.ScriptPath
      $Manager      = $SourceUser.Manager
      $Company      = $SourceUser.Company
      $Organization = $SourceUser.Organization
      $Department   = $SourceUser.Department

      # Change @DOMAIN.COM to your domain address. Our usernames follow first initial of the first name + last name@DOMAIN.com,
      # i.e. John Smith would be jsmith@domain.com
      $Email = $Target + "@DOMAIN.COM"

      # Hash table of the source user's group DNs, used later to true up the target's memberships.
      $List = @{}

      # Enumerate direct group memberships of the source user. Note that every direct membership is copied,
      # including membership of privileged groups, so review the source user's groups before running this.
      ForEach ($SourceDN In $SourceUser.memberOf)
      {
          # Add this group to the hash table.
          $List.Add($SourceDN, $True)
          # Bind to the group object.
          $SourceGroup = [ADSI]"LDAP://$SourceDN"

          # Add the target user only if not already a member of this group.
          If ($SourceGroup.IsMember("LDAP://" + $TargetUser.DistinguishedName) -eq $False)
          {
              Add-ADGroupMember $SourceDN -Members $Target
          }
      }

      # Ensure the target account is enabled and not locked out.
      Enable-ADAccount -Identity $Target
      Unlock-ADAccount -Identity $Target

      Write-Output " "
      Write-Output "Account is Unlocked and Enabled."

      # Set the basic AD information: login script, manager, company, organization, department and email address.
      Set-ADUser $Target -ScriptPath $Script
      Set-ADUser $Target -Manager $Manager
      Set-ADUser $Target -Company $Company
      Set-ADUser $Target -Organization $Organization
      Set-ADUser $Target -Department $Department
      Set-ADUser $Target -EmailAddress $Email

      # The section below removes any group memberships the Target user has that the Source user does not.
      # This trues up the permissions from the Source user to the Target user, meaning only identical
      # memberships will exist afterwards.

      # Extremely useful if there is a need to confirm or reapply group memberships across an OU or domain
      # while still using a precise 1:1 operation, as blanket operations generally have unintended consequences.

      # Comment out everything below if this functionality is not required.

      # Enumerate direct group memberships of the target user (as fetched above, before any additions).
      ForEach ($TargetDN In $TargetUser.memberOf)
      {
          # Check if the source user is a member of this group.
          If ($List.ContainsKey($TargetDN) -eq $False)
          {
              # Source user is not a member of this group; remove the target user from it.
              Remove-ADGroupMember $TargetDN $Target -Confirm:$false
          }
      }
      
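A dry-run check to pair with the script above, added here as an example and not code from the post: it lists the group additions and removals a 1:1 replication would make for a given Source/Target pair and flags protected groups (adminCount = 1), so the change can be reviewed before it is applied. The function name and the sample logon names are assumptions.

```powershell
# Added example (not part of the original post): preview the membership changes a 1:1
# replication would make, without changing anything. Groups protected by AdminSDHolder
# (adminCount = 1) are flagged, since that is where a blind copy most often grants more than intended.
Import-Module ActiveDirectory

function Get-MembershipDiff {
    param (
        [Parameter(Mandatory = $true)][string]$Source,
        [Parameter(Mandatory = $true)][string]$Target
    )

    $src = Get-ADUser $Source -Properties memberOf
    $tgt = Get-ADUser $Target -Properties memberOf

    # Direct memberships only, matching what the script copies. The primary group
    # (normally Domain Users) is not in memberOf and is therefore never touched.
    $srcGroups = @($src.memberOf)
    $tgtGroups = @($tgt.memberOf)

    $toAdd    = $srcGroups | Where-Object { $tgtGroups -notcontains $_ }
    $toRemove = $tgtGroups | Where-Object { $srcGroups -notcontains $_ }

    foreach ($dn in $toAdd) {
        $g = Get-ADGroup $dn -Properties adminCount
        [pscustomobject]@{
            Action     = 'Add'
            Group      = $g.Name
            Privileged = ($g.adminCount -eq 1)
        }
    }
    foreach ($dn in $toRemove) {
        $g = Get-ADGroup $dn -Properties adminCount
        [pscustomobject]@{
            Action     = 'Remove'
            Group      = $g.Name
            Privileged = ($g.adminCount -eq 1)
        }
    }
}

# Example usage with constructed sample logon names; substitute real ones.
$plan = Get-MembershipDiff -Source 'jsmith' -Target 'jdoe'
$plan | Format-Table -AutoSize
if ($plan | Where-Object { $_.Action -eq 'Add' -and $_.Privileged }) {
    Write-Warning 'The copy would grant membership of one or more protected (adminCount=1) groups.'
}
```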