Or how to use the dsquery/dsget/dsmod commands to copy all the members from an
Active Directory group (source), to another one (destination).

If, like me, you are on a neverending quest to click less and script more, you can solve the problem this way:

  • Create the destination group, should it not exist (dsadd group does that from the command line, if you want to stay out of the GUI).
  • Find the source group’s DN:
    >dsquery group -samid sourcegroup

    The "-samid" argument is the group's SAM account name (the pre-Windows 2000 name) whose DN you're looking for. You can use "*" as a wildcard, but check that the query returns exactly one DN before you feed it to the next step.

  • Ditto for the destination group:
    >dsquery group -samid destinationgroup
  • On with the copy itself:
    >dsget group "CN=sourcegroup,OU=Groups,DC=contoso,DC=com" -members -expand | dsmod group "CN=destinationgroup,OU=Groups,DC=contoso,DC=com" -addmbr -c
    dsmod succeeded:CN=destinationgroup,OU=Groups,DC=contoso,DC=com

    These are two commands, "dsget group" and "dsmod group", with the output of the first piped into the second. "-members" lists the DNs of the group's members on standard output (one per line, quoted). "-expand" makes dsget recursively expand any nested groups that sourcegroup holds, so what you get is the flattened membership.
    dsmod then reads those DNs from standard input and adds each of them to destinationgroup.
    Very cool, so far. The only caveat is the "-c" switch, which doesn't mean what it looks like here. It means "continue on error" and only matters when dsmod is given several target objects; it does not make dsmod skip or overwrite members that destinationgroup already has. In practice, if any of the piped DNs is already a member, the add fails instead of skipping the duplicate. If you need to re-sync source and dest, either remove source's members from dest first (dsmod group with -rmmbr) or add only the members dest is missing.
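To cover the re-sync case without emptying the destination first, here is a PowerShell script, added here and not part of the original post, that drives the same dsquery/dsget/dsmod tools but adds only the members the destination lacks, one dsmod call per member, so an already-present member never aborts the rest. It assumes the ds* tools are installed and on PATH, that the account running it may modify the destination group, and that the group names sourcegroup and destinationgroup are placeholders for your own SAM account names.

```powershell
# Added example, not code from the original post. Copies (or re-syncs) the
# members of one AD group into another using the same dsquery/dsget/dsmod
# tools, but adds only the members the destination is missing, so the run
# does not fail when some of them are already there.
# Assumptions: the ds* tools are on PATH, the account running this may modify
# the destination group, and the two group names below are placeholders for
# your own SAM account names.
param(
    [string]$SourceSamId      = 'sourcegroup',
    [string]$DestinationSamId = 'destinationgroup'
)

# dsquery and dsget print one DN per line, wrapped in double quotes; strip the
# quotes and drop empty lines so the DNs can be compared and passed to dsmod.
function ConvertFrom-DsOutput {
    param([string[]]$Lines)
    @($Lines | Where-Object { $_ -match '\S' } | ForEach-Object { $_.Trim().Trim('"') })
}

# Resolve a group DN from its SAM account name; refuse to continue if a
# wildcard in the name matched several groups (or none).
function Resolve-GroupDn {
    param([string]$SamId)
    $dns = @(ConvertFrom-DsOutput (dsquery group -samid $SamId))
    if ($dns.Count -ne 1) {
        throw "Expected exactly one group for -samid '$SamId', found $($dns.Count)."
    }
    $dns[0]
}

$srcDn = Resolve-GroupDn $SourceSamId
$dstDn = Resolve-GroupDn $DestinationSamId

# -expand flattens nested groups in the source, as in the one-liner above.
# The destination is read without -expand: we compare against its direct
# members, because direct membership is what -addmbr changes.
$sourceMembers = @(ConvertFrom-DsOutput (dsget group $srcDn -members -expand))
$destMembers   = @(ConvertFrom-DsOutput (dsget group $dstDn -members))

# -notcontains compares case-insensitively, which matches how AD treats DNs.
$toAdd = @($sourceMembers | Where-Object { $destMembers -notcontains $_ })

if ($toAdd.Count -eq 0) {
    Write-Host "Nothing to do: $dstDn already holds every member of $srcDn."
    return
}

# One dsmod call per member. A member that cannot be added (dsmod exits
# non-zero and reports the reason on stderr) is recorded, and the loop goes
# on with the next one instead of aborting the whole copy.
$failed = @()
foreach ($dn in $toAdd) {
    dsmod group $dstDn -addmbr $dn | Out-Null
    if ($LASTEXITCODE -ne 0) { $failed += $dn }
}

$added = $toAdd.Count - $failed.Count
Write-Host "Added $added of $($toAdd.Count) missing member(s) to $dstDn."
foreach ($dn in $failed) { Write-Warning "Could not add $dn" }
```

Run it as `.\Copy-GroupMembers.ps1 -SourceSamId sourcegroup -DestinationSamId destinationgroup` (the file name is your choice). Running it a second time is harmless: everything already in the destination is filtered out before dsmod is called, which is exactly what the one-shot pipe above cannot do.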

Bonus note: here's a quick way to discover a user's DN given the logon name (SAM account name):

>dsquery user -samid jdoe
"CN=John Doe,CN=Users,DC=contoso,DC=com"