Powershell - Replicate Permissions 1:1 for AD Users



  • The script below replicates group memberships (and so the user's permissions) plus a few other attributes from a Source user to a Target user, then optionally removes any memberships the Target user holds that the Source user does not.

    # This script applies group memberships and a logon script on a 1:1 basis from an existing (Source) user to a new (Target) user.
    # It can also be used to re-apply memberships at scale while keeping the 1:1 ratio, so it stays clear which memberships
    # change for which users.

    # Group membership is copied wholesale: if the Source user is in a privileged group (Domain Admins, Account Operators and
    # so on), the Target user is added to it too. Review the Source user's memberOf before running this against a new account.

    # -Confirm:$false on Remove-ADGroupMember suppresses its per-group confirmation prompt (the cmdlet has ConfirmImpact High).
    # Without it the true-up loop at the bottom asks once per removed group, which is rather tedious.

    #Requires -Modules ActiveDirectory

    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $True, HelpMessage = "Logon name (sAMAccountName) of source user")]
        [string]$Source,
        [Parameter(Mandatory = $True, HelpMessage = "Logon name (sAMAccountName) of target user")]
        [string]$Target
    )

    # Retrieve both users. -ErrorAction Stop aborts before anything is changed if either logon name does not resolve.
    $SourceUser = Get-ADUser -Identity $Source -Properties memberOf, scriptPath, manager, Organization, Department, Company -ErrorAction Stop
    $TargetUser = Get-ADUser -Identity $Target -Properties memberOf -ErrorAction Stop

    # Attributes copied from the Source user: logon script, manager, company, organization and department.
    $Script       = $SourceUser.scriptPath
    $Manager      = $SourceUser.Manager
    $Company      = $SourceUser.Company
    $Organization = $SourceUser.Organization
    $Department   = $SourceUser.Department

    # Change @DOMAIN.COM to your domain address. Our usernames follow first initial of the first name + last name, so
    # John Smith is JSmith and his address is JSmith@DOMAIN.COM. The email address is derived from the Target logon
    # name, not copied from the Source user.
    $Email = $Target + "@DOMAIN.COM"

    # Hash table of the Source user's direct group memberships, keyed by group DN.
    $List = @{}

    # Enumerate direct group memberships of the Source user and add the Target user where it is missing.
    ForEach ($SourceDN In $SourceUser.memberOf)
    {
        # Remember this group for the true-up pass below.
        $List.Add($SourceDN, $True)

        # Skip groups the Target user is already in. memberOf was read above, so no extra LDAP bind is needed.
        If ($TargetUser.memberOf -notcontains $SourceDN)
        {
            Add-ADGroupMember -Identity $SourceDN -Members $Target
        }
    }

    # The lines below ensure that the Target account is enabled and not locked out.
    Enable-ADAccount -Identity $Target
    Unlock-ADAccount -Identity $Target

    Write-Output " "
    Write-Output "Account is Unlocked and Enabled."

    # Set the basic AD information in one call: logon script, manager, company, organization, department and email address.
    # An attribute that is empty on the Source user is passed as $null, which clears it on the Target user as well.
    Set-ADUser -Identity $Target -ScriptPath $Script -Manager $Manager -Company $Company -Organization $Organization -Department $Department -EmailAddress $Email

    # The section below removes any group memberships the Target user holds that the Source user does not, so that after
    # the run only identical memberships exist. This trues up the Target user's permissions to the Source user's.

    # Extremely useful when group memberships need to be confirmed or re-applied across an OU or domain while keeping a
    # precise 1:1 operation, since blanket operations generally have unintended consequences. Note that it removes every
    # direct membership the Source user lacks, including anything the Target user was granted deliberately. The primary
    # group (normally Domain Users) is not listed in memberOf and is therefore never touched.

    # Comment out everything below if this functionality is not required.

    # Enumerate the Target user's direct group memberships as they were before this run.
    ForEach ($TargetDN In $TargetUser.memberOf)
    {
        # Source user is not a member of this group: remove the Target user from it.
        If ($List.ContainsKey($TargetDN) -eq $False)
        {
            Remove-ADGroupMember -Identity $TargetDN -Members $Target -Confirm:$false
        }
    }
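
  • The script above writes to AD as soon as it runs, and it will happily copy a Source user's membership in Domain Admins onto the Target. The following is an added example, not part of the original script, that computes the same add/remove delta first, flags groups whose ACL is stamped by AdminSDHolder (adminCount=1, i.e. Domain Admins, Account Operators and the other protected groups) so privileged access is not copied by accident, and honours -WhatIf and -Confirm so the change can be previewed. The function names and the -IncludePrivileged and -NoRemove switches are this example's own; JSmith and JDoe in the usage line are sample logon names.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original script. Function names and the
# -IncludePrivileged / -NoRemove switches are this example's own.

function Get-MembershipDelta {
    # Returns one object per group where Source and Target memberships differ.
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string]$Source,
        [Parameter(Mandatory)] [string]$Target
    )
    $src = Get-ADUser -Identity $Source -Properties memberOf -ErrorAction Stop
    $tgt = Get-ADUser -Identity $Target -Properties memberOf -ErrorAction Stop
    # Coerce to arrays so a user with no groups still compares cleanly.
    $srcGroups = @($src.memberOf)
    $tgtGroups = @($tgt.memberOf)

    foreach ($dn in ($srcGroups + $tgtGroups | Sort-Object -Unique)) {
        $inSrc = $srcGroups -contains $dn
        $inTgt = $tgtGroups -contains $dn
        if ($inSrc -eq $inTgt) { continue }   # membership already identical

        # adminCount=1 marks groups protected by AdminSDHolder (Domain Admins,
        # Account Operators, Backup Operators, ...). Treat them as privileged.
        $grp    = Get-ADGroup -Identity $dn -Properties adminCount
        $action = if ($inSrc) { 'Add' } else { 'Remove' }
        [pscustomobject]@{
            Action     = $action
            Group      = $dn
            Privileged = ($grp.adminCount -eq 1)
        }
    }
}

function Sync-ADUserMembership {
    # Applies the delta. -WhatIf previews without writing; privileged groups
    # are skipped unless -IncludePrivileged is given; -NoRemove keeps any
    # extra memberships the Target already has.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory)] [string]$Source,
        [Parameter(Mandatory)] [string]$Target,
        [switch]$IncludePrivileged,
        [switch]$NoRemove
    )
    foreach ($change in Get-MembershipDelta -Source $Source -Target $Target) {
        if ($change.Privileged -and -not $IncludePrivileged) {
            Write-Warning "Skipping privileged group $($change.Group); rerun with -IncludePrivileged to copy it."
            continue
        }
        if ($change.Action -eq 'Remove' -and $NoRemove) { continue }

        if ($PSCmdlet.ShouldProcess($change.Group, "$($change.Action) $Target")) {
            switch ($change.Action) {
                'Add'    { Add-ADGroupMember    -Identity $change.Group -Members $Target -Confirm:$false }
                'Remove' { Remove-ADGroupMember -Identity $change.Group -Members $Target -Confirm:$false }
            }
        }
    }
}

# Preview first (sample logon names); nothing is written until -WhatIf is dropped.
Sync-ADUserMembership -Source 'JSmith' -Target 'JDoe' -WhatIf
```

    Because ConfirmImpact is High, a real run prompts once per group exactly as the original script does without -confirm:$false; pass -Confirm:$false to Sync-ADUserMembership to suppress the prompts once the -WhatIf output looks right. Get-MembershipDelta on its own is also a cheap way to audit how far a Target user has drifted from its Source without changing anything.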