Assign a Policy to All the Users in a Security Group

When it comes time to assign per-user policies, those of us here at Microsoft thought of everything. For example, if you take a look at the article Assigning Policies you’ll see how per-user policies can be assigned to a single user; to all the users with accounts in a specified OU; to all the users in a particular department; to all the users with a given job title; etc., etc., etc. Like we said, we thought of everything.


What’s that? How can you assign a policy to all the users in a particular security group? Hmmm, we never thought of that ….


OK, we admit it: we didn’t add a straightforward way to assign a policy to all the users in a security group. So does that mean that there’s no way to assign a policy to all the users in a security group? Let’s put it this way:


# Find the security group whose sAMAccountName was passed as the first argument
$strFilter = "(&(objectCategory=Group)(SamAccountName=" + $args[0] + "))"

$objDomain = New-Object System.DirectoryServices.DirectoryEntry

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"

# Only the group's member attribute (a list of distinguished names) is needed
$colPropList = "member"
foreach ($i in $colPropList)
    {[void] $objSearcher.PropertiesToLoad.Add($i)}

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults)
    {$objItem = $objResult.Properties; $group = $objItem.member}

# Bind to each member's account, read its display name, and grant the policy
# named by the second argument
foreach ($x in $group)
    {
        $objUser = [ADSI]("LDAP://" + $x)
        $z = $objUser.displayName
        Grant-CsClientPolicy $z -PolicyName $args[1]
    }



Before we explain what this script does (although, by now, you can probably guess what it does) let’s explain how it works. Assuming you’ve copied this code and saved it as a .ps1 file (e.g., C:\Scripts\Assign-ToGroup.ps1) you run the thing by using a command similar to this:


C:\Scripts\Assign-ToGroup.ps1 "FinanceUsers" "FinanceClientPolicy"


In this command, FinanceUsers is the name of the security group we want to assign a policy to (in this example, we’re assigning a client policy). And which policy are we assigning? That’s the second parameter passed to the script; in this example, we’re assigning the client policy FinanceClientPolicy.


As for the script itself, the first thing it does is search Active Directory in order to find the specified security group. Once that’s done the script then uses this snippet of code to retrieve all the group members and store those users in a variable named $group:


$group = $objItem.member


From there the script takes the group members and, one-by-one, connects to the appropriate user account in Active Directory. The script retrieves the user’s display name (stored in the variable $z), then uses this line of code to assign FinanceClientPolicy to the user in question:


Grant-CsClientPolicy $z -PolicyName $args[1]


Like we said, $z is the user’s display name; meanwhile, $args[1] is a Windows PowerShell variable that references the second command-line argument passed to the script.


And that, as they say, is that.


Keep in mind that this script assigns a client policy to all the users in a security group, and a client policy is the only kind of policy it can assign. What if you want to assign, say, a voice policy to all the users in a security group? That’s fine; just search the script for the cmdlet name Grant-CsClientPolicy and replace it with Grant-CsVoicePolicy. That’s all you have to do.


Gee, maybe we did think of everything after all ….
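The script above reads the group's member attribute, grants by display name, and only ever adds assignments; the question in the comments about users who are later removed from the group is not covered. The following is an added example written for this page, not code from the original post or from the Lync team, that expands nested groups on the domain controller, grants by distinguished name, and optionally resets users who still hold the policy but have left the group. It assumes the Lync Server management shell cmdlets Grant-CsClientPolicy (whose -Identity accepts a distinguished name and whose -PolicyName $null removes the per-user policy) and Get-CsUser -Filter, and a domain controller that supports the LDAP_MATCHING_RULE_IN_CHAIN matching rule.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$GroupName,   # sAMAccountName of the security group
    [Parameter(Mandatory = $true)][string]$PolicyName,  # client policy to grant
    [switch]$RevokeFromNonMembers                       # also reset users who left the group
)

# Locate the group and get its distinguished name.
$root = New-Object System.DirectoryServices.DirectoryEntry
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$GroupName))"
[void] $searcher.PropertiesToLoad.Add("distinguishedName")
$groupResult = $searcher.FindOne()
if ($null -eq $groupResult) { throw "Security group '$GroupName' was not found." }
$groupDn = [string] $groupResult.Properties["distinguishedname"][0]

# Ask the domain controller to expand nested membership (LDAP_MATCHING_RULE_IN_CHAIN,
# OID 1.2.840.113556.1.4.1941) instead of reading the group's member attribute: this
# includes users in nested groups and is not subject to the member attribute's
# per-query range limit. Paging keeps large groups from being truncated.
# Note: a group DN containing ( ) * or \ must be LDAP-filter-escaped before use here.
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                   "(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
$searcher.PageSize = 1000
$members = @{}
foreach ($r in $searcher.FindAll()) {
    $dn = [string] $r.Properties["distinguishedname"][0]
    $members[$dn.ToLowerInvariant()] = $dn
}

# Grant by distinguished name, which is unique, rather than by display name, which
# two user accounts can share.
foreach ($dn in $members.Values) {
    Grant-CsClientPolicy -Identity $dn -PolicyName $PolicyName
}

# Drift clean-up: users who still carry the policy but are no longer in the group
# go back to the global or site policy (granting $null removes the per-user policy).
if ($RevokeFromNonMembers) {
    Get-CsUser -Filter "ClientPolicy -eq '$PolicyName'" |
        Where-Object { -not $members.ContainsKey(([string] $_.Identity).ToLowerInvariant()) } |
        Grant-CsClientPolicy -PolicyName $null
}
```

Run it the same way as the original (e.g. .\Assign-ToGroup.ps1 -GroupName FinanceUsers -PolicyName FinanceClientPolicy -RevokeFromNonMembers); to handle another policy type, replace Grant-CsClientPolicy and the ClientPolicy filter property with the matching pair, such as Grant-CsVoicePolicy and VoicePolicy.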

Comments (5)
  1. CSPShell says:

    Hey Adi, Unfortunately no, we don't. It's something we plan on working on, we know this is something a lot of people would like, but there isn't an easy solution to this. But we'll take a look and as soon as we come up with something we'll post it.

  2. CSPShell says:

    Hey Garry,

    Thanks for the feedback! Always nice to hear we've managed to do something helpful. 🙂

  3. Garry Williams says:


    I just wanted to say a big thank you for this post! I am using the code above to bulk-enable users for Lync in a 4,500 user environment. By changing the command that is run at the end of the script I can enable users based on their membership of AD security groups and assign them to the appropriate regional Lync pool. I'm then using different versions of this script to disable certain modalities for groups of users operating with set-CsConferencingPolicy and Set-CsUser. It works a treat.

    Thanks a lot.


  4. alex says:

    Thanks a lot for the script, I was pretty sure it could be done somehow; you saved my time.

  5. Adi says:


    This script is very helpful, but do you have a solution if the security group changes by removing users?

    What should we do then?
