The script below replicates group memberships and a few other account settings from a Source user to a Target user.
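<#
.SYNOPSIS
  Copies direct group memberships and a handful of account attributes from an existing
  (Source) user to a new (Target) user on a strict 1:1 basis.

.DESCRIPTION
  Adds the Target to every group the Source is a direct member of, enables and unlocks the
  Target account, copies the logon script, manager, company, organization and department,
  derives the Target's e-mail address from its logon name, and finally (unless -NoRemove is
  given) removes the Target from any group the Source is not a member of so that only
  identical memberships remain. The same 1:1 ratio makes it usable for re-applying
  permissions across an OU or domain without the side effects of blanket operations.

  Because this copies privilege, the Source account should be reviewed before running:
  every group the Source holds (including administrative ones) ends up on the Target.

  -Confirm:$false on the removal step suppresses the per-group prompt, which would
  otherwise be tedious across an OU or DL. Use -WhatIf to preview every change instead.

.PARAMETER Source
  Logon name (sAMAccountName) of the user whose memberships and attributes are copied.
.PARAMETER Target
  Logon name (sAMAccountName) of the user that receives them.
.PARAMETER Domain
  Mail domain appended to the Target logon name to build its e-mail address. Change the
  default to your own domain. Our usernames follow first initial + last name, e.g.
  John Smith is jsmith, giving jsmith@<Domain>.
.PARAMETER NoRemove
  Skip the final "true-up" pass that strips Target memberships the Source does not hold.
#>
[CmdletBinding(SupportsShouldProcess = $True)]
Param (
    [Parameter(Mandatory = $True, HelpMessage = "Logon name of source user")]
    [string]$Source,

    [Parameter(Mandatory = $True, HelpMessage = "Logon name of target user")]
    [string]$Target,

    [string]$Domain = "DOMAIN.COM",

    [switch]$NoRemove
)

# Fail fast on the lookups. Without -ErrorAction Stop a mistyped -Source leaves $SourceUser
# empty, and the script would then clear the Target's attributes and strip every one of its
# group memberships (the source group table would be empty, so nothing would be kept).
$SourceUser = Get-ADUser -Identity $Source `
    -Properties memberOf, scriptpath, manager, Organization, Department, Company `
    -ErrorAction Stop
$TargetUser = Get-ADUser -Identity $Target -Properties memberOf -ErrorAction Stop

# Direct group memberships of the Source, keyed by group DN. Used by the true-up pass.
$SourceGroups = @{}

# Add the Target to every Source group it is not already a direct member of.
# Membership is tested against the Target's own memberOf backlink, which is the same data
# the true-up pass below relies on. memberOf only lists direct memberships, so nested
# (transitive) group access is not copied.
ForEach ($SourceDN In $SourceUser.memberOf) {
    $SourceGroups[$SourceDN] = $True
    If ($TargetUser.memberOf -notcontains $SourceDN) {
        Add-ADGroupMember -Identity $SourceDN -Members $Target
    }
}

# Make sure the Target can actually sign in: enabled and not locked out.
Enable-ADAccount -Identity $Target
Unlock-ADAccount -Identity $Target
Write-Output " "
Write-Output "Account is Unlocked and Enabled."

# Copy the basic AD attributes in one call. Values are pushed through as-is, so an attribute
# that is empty on the Source is cleared on the Target (1:1 semantics).
$Attributes = @{
    ScriptPath   = $SourceUser.scriptpath
    Manager      = $SourceUser.Manager
    Company      = $SourceUser.Company
    Organization = $SourceUser.Organization
    Department   = $SourceUser.Department
    EmailAddress = "${Target}@${Domain}"
}
Set-ADUser -Identity $Target @Attributes

# True-up pass: remove the Target from every group the Source is not a direct member of,
# so only identical memberships remain. $TargetUser.memberOf was captured before the
# additions above, and every group added since is in $SourceGroups, so nothing just added
# is removed here.
If (-not $NoRemove) {
    ForEach ($TargetDN In $TargetUser.memberOf) {
        If (-not $SourceGroups.ContainsKey($TargetDN)) {
            Remove-ADGroupMember -Identity $TargetDN -Members $Target -Confirm:$false
        }
    }
}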