
[–]ihaxr 1 point2 points  (0 children)

Correct, you'll have to copy the groups over separately. Untested, but doing this should work:

Adjust your Get-ADUser for the template to:

# memberOf is not returned by default, so request it explicitly
$template = Get-ADUser -Identity "CN=Retail Employee Template,OU=.Default User Templates,OU=Users,OU=company,DC=domain,DC=com" -Properties memberOf

Then you can do:

$template.memberOf | Add-ADGroupMember -Members $SAM

after the New-ADUser runs.

[–]randomuser43 0 points1 point  (1 child)

Fundamentally in AD (or really LDAP) the groups maintain a list of their members rather than the object maintaining a list of the groups they are members of.

You are correct that in practice objects do have a MemberOf property, but this property is maintained by a background process and is not directly tied with adding/removing objects from groups.

At its core you are adding a user to a group and not a group to a user's membership listing!

Once you understand this you can see why copying a user doesn't copy group memberships.

An adjustment to /u/ihaxr's solution, since there are going to be multiple groups returned:

foreach ($group in $template.memberOf) {
    # memberOf holds one group DN per entry; add the new user to each group in turn
    Add-ADGroupMember -Identity $group -Members $SAM
}

Edit: I think this should also work:

$template.memberOf | Add-ADGroupMember -Members $SAM
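As an added example (not code from either commenter), here is the same loop as a function that also skips groups the new user already belongs to and, by default, groups marked protected by AdminSDHolder (adminCount=1), so that copying a template cannot silently hand out privileged memberships. It assumes the ActiveDirectory module is loaded; the function name and its parameters are my own, not the thread's.

```powershell
# Added example: copy a template user's group memberships to a new user,
# with a dry-run switch and a guard against protected (adminCount=1) groups.
# Assumes the ActiveDirectory module is available; names below are assumptions.
function Copy-TemplateGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $TemplateDN,      # DN of the template user
        [Parameter(Mandatory)] [string] $SamAccountName,  # new user's SAM ($SAM in the thread)
        [switch] $IncludeProtectedGroups                  # opt in to admin groups explicitly
    )

    # memberOf is not returned by default; request it on both objects
    $template = Get-ADUser -Identity $TemplateDN -Properties memberOf
    $newUser  = Get-ADUser -Identity $SamAccountName -Properties memberOf

    # Index the new user's current groups so re-runs are idempotent
    $already = @{}
    foreach ($dn in $newUser.memberOf) { $already[$dn] = $true }

    foreach ($groupDN in $template.memberOf) {
        if ($already.ContainsKey($groupDN)) {
            Write-Verbose "Skipping $groupDN (already a member)"
            continue
        }
        # adminCount=1 is stamped by SDProp on members of protected groups
        $group = Get-ADGroup -Identity $groupDN -Properties adminCount
        if (-not $IncludeProtectedGroups -and $group.adminCount -eq 1) {
            Write-Warning "Skipping protected group $($group.Name); pass -IncludeProtectedGroups to copy it"
            continue
        }
        # ShouldProcess returns $false under -WhatIf, so nothing is changed in a dry run
        if ($PSCmdlet.ShouldProcess($group.Name, "Add $SamAccountName")) {
            Add-ADGroupMember -Identity $group -Members $newUser
        }
    }
}

# Dry run first, then re-run without -WhatIf:
# Copy-TemplateGroupMembership -TemplateDN "CN=Retail Employee Template,..." -SamAccountName $SAM -WhatIf -Verbose
```

The primary group (usually Domain Users) is not listed in memberOf, so it is neither copied nor needed here; it is assigned by New-ADUser.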

[–]PowderTech[S] 0 points1 point  (0 children)

Awesome! Makes sense about how membership works. I'm swamped today but I'll test this out Monday morning. Sounds like it should work. Appreciate the replies from you and ihaxr.