
Active Directory Groups

Roger Roger 7,631 Reputation points
2025-05-17T12:58:42.7066667+00:00

The syntax below works fine for me for one user, but I have a list of AD groups in a text file with the following format:

group1
group2
group3

I want to import this text file (e.g., C:\Temp\grouplist.txt) and assign user1 access to all the listed groups. Could you please guide me with the correct syntax? It works fine for a single group, but I would like to know how to import the entire list from the text file and assign access accordingly.

# Define the $owner (a user) that will be able to manage the members of $group
Import-Module ActiveDirectory -ErrorAction Stop

$owner = "user1"
$group = "group1"

# Try to get objects from AD. -ErrorAction Stop matters here: without it the
# AD cmdlets raise non-terminating errors and the catch block never runs.
try {
    $ownerobject = Get-ADUser -Identity $owner -ErrorAction Stop
    $groupobject = Get-ADGroup -Identity $group -ErrorAction Stop

# If AD could not be read
} catch {
    Write-Host "Could not get user/group information from Active Directory: $_"
    return
}

# Try to set "write members" rights on the group
try {
    $ldapstring = "LDAP://" + $groupobject.DistinguishedName
    $ldapgroup = [ADSI]$ldapstring

    # Only read and write the DACL part of the security descriptor (owner and group are left alone)
    [System.DirectoryServices.DirectoryEntryConfiguration]$secoptions = $ldapgroup.get_Options()
    $secoptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl'

    # Get the SID of the owner
    $identityref = $ownerobject.SID.Value
    $sid = New-Object System.Security.Principal.SecurityIdentifier ($identityref)

    # Define rights to be applied
    $adrights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $type = [System.Security.AccessControl.AccessControlType]::Allow

    # Define permission attribute to modify: the schema GUID of the 'member' attribute ("Write Members")
    $objectguid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"

    $adrule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($sid, $adrights, $type, $objectguid)

    # Apply new ACL
    $ldapgroup.get_ObjectSecurity().AddAccessRule($adrule)
    $ldapgroup.CommitChanges()

    Write-Host ("ACLs updated for group: " + $group)

# If permissions could not be set
} catch {
    Write-Host ("Could not set new ACLs on group: " + $group + ". Error: " + $_)
    return
}

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
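The script above writes an ACE and reports success, but it never reads the DACL back. The following is an added example, not code from the question or from Microsoft, that does the check a practitioner wants after (or before) running such a delegation: it lists every principal that can change a group's membership. It assumes the RSAT ActiveDirectory module (which creates the AD: drive that Get-Acl reads) and the C:\Temp\grouplist.txt file from the question. The function names Get-WriteMembersDelegation and Test-WriteMembersDelegation are my own.

```powershell
# Added example (not from the original question): read a group's DACL back and
# report every principal that can change its membership. Assumes the RSAT
# ActiveDirectory module, which provides the AD: drive used by Get-Acl.
Import-Module ActiveDirectory -ErrorAction Stop

# Schema GUID of the 'member' attribute, the same GUID the question's script writes.
$memberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$genericWrite  = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite
$genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-WriteMembersDelegation {
    # Returns one object per Allow ACE that lets its holder write 'member':
    #  - WriteProperty scoped to the member attribute (what the question's script grants)
    #  - WriteProperty with an empty ObjectType (all properties)
    #  - GenericWrite or GenericAll
    # An ACE carrying the Self right with the same GUID is deliberately not
    # reported: that is "Add/remove self as member", not control of the group.
    # Property-set ACEs (for example the Membership set) are not expanded here.
    param([Parameter(Mandatory)][string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    $acl   = Get-Acl -LiteralPath ("AD:\" + $group.DistinguishedName)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

        $rights = $ace.ActiveDirectoryRights
        $scope  = $null
        if ($rights.HasFlag($genericAll) -or $rights.HasFlag($genericWrite)) {
            $scope = 'generic write/all'
        } elseif ($rights.HasFlag($writeProperty) -and $ace.ObjectType -eq $memberAttributeGuid) {
            $scope = 'member attribute'
        } elseif ($rights.HasFlag($writeProperty) -and $ace.ObjectType -eq [Guid]::Empty) {
            $scope = 'all properties'
        }
        if (-not $scope) { continue }

        [pscustomobject]@{
            Group     = $group.Name
            Identity  = $ace.IdentityReference.Value   # DOMAIN\name, or a raw SID if unresolvable
            Rights    = $rights
            Scope     = $scope
            Inherited = $ace.IsInherited
        }
    }
}

function Test-WriteMembersDelegation {
    # True when $Identity (DOMAIN\name, as Get-Acl reports it) holds Write Members
    # on $GroupName through any of the paths above.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$Identity
    )
    $hits = Get-WriteMembersDelegation -GroupName $GroupName |
        Where-Object { $_.Identity -eq $Identity }
    return [bool]$hits
}

# Audit every group in the list from the question (blank lines skipped).
Get-Content -LiteralPath 'C:\Temp\grouplist.txt' |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    ForEach-Object { Get-WriteMembersDelegation -GroupName $_ } |
    Format-Table Group, Identity, Scope, Inherited -AutoSize
```

Run it once before the delegation to see who already has the right, and once after to confirm the new ACE landed (`Test-WriteMembersDelegation -GroupName group1 -Identity 'CONTOSO\user1'`, with your own domain name). Whoever holds Write Members can add any account, including their own, to the group, so a report that shows unexpected identities or GenericAll holders on a privileged group is worth following up on.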

2 answers

  1. Roger Roger 7,631 Reputation points
    2025-05-17T18:27:05.36+00:00

    I have modified the script to grant user1 and user2 access to the groups listed in the attached text file. Could someone please review and validate the script?

    # Define the users that will be granted permission
    Import-Module ActiveDirectory -ErrorAction Stop
    $owners = "user1", "user2"

    # Constants used for every group: WriteProperty on the 'member' attribute ("Write Members")
    $adRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $accessType = [System.Security.AccessControl.AccessControlType]::Allow
    $writeMembersGuid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"

    # Loop through each group in the list
    foreach ($line in Get-Content C:\Temp\grouplist.txt) {
        $group = $line.Trim()   # also strips stray whitespace before the name reaches Get-ADGroup
        if ($group -eq "") {
            continue  # Skip blank lines
        }

        Write-Host "Processing group: $group"

        try {
            # Get the group object from AD
            $groupObject = Get-ADGroup -Identity $group -ErrorAction Stop
        } catch {
            Write-Host "Could not retrieve group object for '$group'. Skipping..."
            continue
        }

        try {
            # Bind to the group via ADSI
            $ldapString = "LDAP://" + $groupObject.DistinguishedName
            $ldapGroup = [ADSI]$ldapString

            # Only read and write the DACL part of the security descriptor
            $secOptions = $ldapGroup.get_Options()
            $secOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl'

            # Loop through each owner and apply ACL
            foreach ($owner in $owners) {
                try {
                    $ownerObject = Get-ADUser -Identity $owner -ErrorAction Stop
                } catch {
                    Write-Host "Could not retrieve user object for '$owner'. Skipping..."
                    continue
                }

                $sid = New-Object System.Security.Principal.SecurityIdentifier($ownerObject.SID.Value)
                $adRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $adRights, $accessType, $writeMembersGuid)

                $acl = $ldapGroup.ObjectSecurity
                $acl.AddAccessRule($adRule)
                $ldapGroup.ObjectSecurity = $acl

                Write-Host "Granted '$owner' WriteMembers rights on group '$group'"
            }

            # Commit all changes for this group in one write
            $ldapGroup.CommitChanges()
        } catch {
            Write-Host "Failed to apply ACLs on group '$group'. Error: $_"
            continue
        }
    }
    
    

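    The answer above adds the ACE unconditionally, so every re-run stacks another identical ACE on each group. The following is an added example, not the poster's code, showing the same delegation done idempotently through the ActiveDirectory module's AD: drive with Get-Acl/Set-Acl, for the group list from the question and one or more grantees (users or groups). It assumes the RSAT ActiveDirectory module and C:\Temp\grouplist.txt as described; the function name Grant-WriteMembers is my own.

```powershell
# Added example (not the poster's code): idempotent "Write Members" delegation
# via Get-Acl/Set-Acl on the AD: drive. Assumes the RSAT ActiveDirectory module
# and the C:\Temp\grouplist.txt file from the question.
Import-Module ActiveDirectory -ErrorAction Stop

# Schema GUID of the 'member' attribute, as in the scripts above.
$memberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Grant-WriteMembers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string[]]$Grantee    # sAMAccountNames; users or groups
    )

    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    $path  = "AD:\" + $group.DistinguishedName
    $acl   = Get-Acl -LiteralPath $path
    # Ask for the rules with SIDs as identities so the duplicate check does not
    # depend on SID-to-name translation.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $added = @()

    foreach ($name in $Grantee) {
        # Get-ADObject resolves users and groups alike, so a role group can be the grantee.
        $principal = Get-ADObject -Filter "sAMAccountName -eq '$name'" -Properties objectSid
        if (-not $principal) {
            Write-Warning "No object with sAMAccountName '$name'; skipping"
            continue
        }
        $sid = [System.Security.Principal.SecurityIdentifier]$principal.objectSid

        # Skip grantees that already hold an equivalent ACE instead of piling up duplicates.
        $alreadyThere = $rules | Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            $_.ObjectType -eq $memberAttributeGuid -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
        }
        if ($alreadyThere) {
            Write-Verbose "'$name' already has Write Members on '$($group.Name)'"
            continue
        }

        # Inheritance None: the ACE applies to this group object only.
        $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $memberAttributeGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
        $acl.AddAccessRule($rule)
        $added += $name
    }

    # One write per group, and none at all under -WhatIf or when nothing changed.
    if ($added.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($group.DistinguishedName, "grant Write Members to $($added -join ', ')")) {
        Set-Acl -LiteralPath $path -AclObject $acl
        Write-Host "Granted Write Members on '$($group.Name)' to: $($added -join ', ')"
    }
}

$grantees = 'user1', 'user2'
Get-Content -LiteralPath 'C:\Temp\grouplist.txt' |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    ForEach-Object { Grant-WriteMembers -GroupName $_ -Grantee $grantees -Verbose }
```

    Add `-WhatIf` to the Grant-WriteMembers call to see which groups would be written without touching the directory. One difference from the ADSI scripts above: Get-Acl/Set-Acl round-trip the whole security descriptor they read, whereas setting SecurityMasks to Dacl on the DirectoryEntry writes the DACL only; if the account running this is a delegated admin rather than a Domain Admin and Set-Acl is refused, the DACL-only ADSI form is the one to keep.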


  2. MotoX80 37,696 Reputation points
    2025-05-17T13:47:00.2233333+00:00

    A foreach loop should do the trick.

    # Define the $owner that will be able to manage the members of $group
    $owner = "user1"
    foreach ($group in (Get-Content C:\Temp\grouplist.txt)) {
        if ($group.Trim() -eq "") {
            continue                      # skip over blank lines
        }

        Write-Host "Granting $owner access to group $group"

        # The rest of your script goes here.
    }
    


