Powershell – How to merge two AD groups


We have some sloppily created groups on our AD backend. We had a couple domains that were merged, and wound up with similar groups..

"Financial Aid"

etc… I want to consolidate these groups, without breaking everyone's network access.

Some folders were rganted permissions to one group, or another, and I'd like to do a global "find and replace permissions" sweep of folders on certain shares.


folder1 has full access to "Financial Aid"
folder2 has read for "FA"

I'd like to either make a new group:

folder1 has full access for "Financial_Aid"
folder2 has read for "Financial_Aid"

…or just "merge" one group into another:

folder1 has full access for "Financial Aid"
folder2 has read for "Financial Aid"

Any pointers? Not afraid to dig around in powershell or python, just curious if anyone has relevant links of seeing this done, and gotchas to watch out for…

Best Answer

Unfortunately, you're probably going to have to do a lot of this manually. File-system permissions and network-share permissions only store the SID of the group and the assigned permissions locally. The domain-controllers only tell servers who is in what group... and verify that a user is who they say they are.

What that means... is that you'll have to make permissions changes to EACH server directly... You might be able to script a lot of it using the command-line tool "cacls" for file-system permissions... and the "net share" commands to adjust share permissions... but ultimately, this is 100% less than ideal... and may end-up giving too many permissions to the wrong people.

Wouldn't now be a good time to start fresh and setup a new clean group... and put the appropriate users in those groups... and set sweeping permissions on the appropriate shares & files? That way, you can completely eliminate the "is betty-sue supposed to be able to access the Dean's personal documents" type situations.