Hey, Scripting Guy! Can I Use Windows PowerShell to Manage AD DS Security Groups?

Hey, Scripting Guy! Can I Use Windows PowerShell to Manage AD DS Security Groups?

  • Comments 10
  • Likes

Bookmark and Share

 

Hey, Scripting Guy! Question

Hey, Scripting Guy! I am a MCSE and I still remember my instructor at the training center running around the room shouting, “Users go into groups, and groups get assigned rights and permissions.” Over and over again in different manners and in different language, but always with the same intent, he kept repeating the same mantra. I could not get that phrase out of my head, which was a good thing when it came time to take the exam. My network is therefore organized in such a way that I make extensive use of security groups. My question is this: Is there a way I can use Windows PowerShell to create and manage security groups in Active Directory Domain Services (AD DS)?

-- DM

 

Hey, Scripting Guy! AnswerHello DM,

Microsoft Scripting Guy Ed Wilson here. I was up late last night reading Homer's Odyssey, and therefore I did not spring from my slumber with my normal Scripting Guy exuberance. I therefore added an extra scoop of English Breakfast tea leaves to my pot before heading up to the Scripting Guy command center. There were several cool tweets on Twitter that needed responses, and with Deep Purple cranked up so loud on my Zune HD that the Venetian blinds were actually rattling, I dove into the scripter@microsoft.com inbox.

Your mail brought back fond memories of Cincinnati where I used to teach the class for the Microsoft NT 4.0 Server in the Enterprise Exam 70-068. (I contributed to a study guide for that exam—one of my first projects as a writer.) Speaking of Cincinnati, I found the following picture of the Cincinnati Tyler Davidson Fountain that I took a few years ago when I was teaching a VBScript class at the Microsoft Office there.

Image of Tyler Davidson Fountain

 

DM, let us now get started. To create a new global security group, use the New-ADGroup Windows PowerShell AD DS cmdlet. The New-ADGroup Windows PowerShell cmdlet requires three parameters: the name of the group, a path to the location where the group will be stored, and the groupscope (global, universal, or domainlocal). Before running the command seen here, remember you must import the ActiveDirectory module into your current Windows PowerShell session. For more information about working with the ActiveDirectory module, see Monday’s Hey, Scripting Guy! Blog post.

New-ADGroup -Name hsgTestGroup -Path "ou=HSG_TestOU,dc=nwtraders,dc=com" -groupScope global

The newly created group is seen in the following image.

Image of newly created group

 

To create a new universal group, you only need to change the groupscope parameter value, as seen here.

New-ADGroup -Name hsgTestGroup1 -Path "ou=HSG_TestOU,dc=nwtraders,dc=com" -groupScope universal

The newly created universal group is seen in Active Directory Users and Computers, as shown in the following image.

Image of newly create universal group

 

To add a user to a group, you must supply values for the identity parameter and the members parameter. The value you use for the identity parameter is the name of the group. You do not need to use the LDAP syntax of cn=groupname. You need only to supply the name. In examining the LDAP attributes for a group in ADSI Edit, as seen in the following image, you can obtain the needed value from several fields.

Image of LDAP attributes for a group in ADSI Edit

 

It is a bit unusual that the -members parameter is named members and not member because most Windows PowerShell cmdlet parameter names are singular and not plural. The parameters are singular even when they accept an array of values (such as the computername parameter). The command to add a new group named hsgTestGroup1 to the hsgUserGroupTest group is seen here:

Add-ADGroupMember -Identity hsgTestGroup1 -Members hsgUserGroupTest

To remove a user from a group, use the Remove-ADGroupMember cmdlet with the name of the user and group. The identity and members parameters are required, but the command will not execute without confirmation, as seen here:

PS C:\> Remove-ADGroupMember -Identity hsgTestGroup1 -Members hsgUserGroupTest

Confirm
Are you sure you want to perform this action?
Performing operation "Set" on Target "CN=hsgTestGroup1,OU=HSG_TestOU,DC=NWTraders,DC=Com".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
PS C:\>

If you are sure that you wish to remove the user from the group and you wish to suppress the query, use the –confirm parameter and assign the value $false to it. The problem is you will need to supply a colon between the parameter and $false value.

The use of the colon before the –confirm parameter is not documented, and took me more than two hours of experimentation to figure out. I also did extensive searches on Bing and was unable to find anything.

The command is seen here:

Remove-ADGroupMember -Identity hsgTestGroup1 -Members hsgUserGroupTest -Confirm:$false

You need the ability to suppress the confirmation prompt to be able to use the Remove-ADGroupMember cmdlet in a script. The first thing the RemoveUserFromGroup.ps1 script does is load the activedirectory module. After the module is loaded, the Remove-ADGroupMember cmdlet is used to remove the user from the group. To suppress the confirmation prompt, the –confirm:$false command is used. The RemoveUserFromGroup.ps1 script is seen here.

RemoveUserFromGroup.ps1

import-module activedirectory

Remove-ADGroupMember -Identity hsgTestGroup1 -Members hsgUserGroupTest -Confirm:$false

DM, that is all there is to working with Groups in Active Directory. Active Directory Week will continue tomorrow.

If you want to know exactly what we will be looking at tomorrow, follow us on Twitter or FaceBook. If you have any questions, send e-mail to us at scripter@microsoft.com or post them on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

 

Ed Wilson and Craig Liebendorfer, Scripting Guys 

 

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • Cheers, that -Confirm:$false is an odd one! but I needed this to completely automate a script I was writing!

  • It tells me that New-Adgroup is not a vaild command

    i tryed Create New-ADGroup -Name hsgTestGroup -Path "ou=HSG_TestOU,dc=nwtraders,dc=com" -groupScope global changeing the domain to my own values of course. But its says that thats not it. what do you put before this.

  • The term 'New-ADGroup' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, ve

    rify that the path is correct and try again.

  • how can i add that to a PS script? for example: Add-ADGroupMember -Identity GroupA -Members GroupB. the goal is to add it to a task so it can continuously check for new groups

  • this works great doing it one at a time, but I am trying to remove several users from a group I am doing this and it will not work> Have any ideas?

    $Members = import-csv "C:\Scripts\PowerShell\AD\Bulk Remove Users from group\Users.csv"

    ForEach ($user in $Members)

    {

    Remove-ADGroupMember -Identity OCS_Users_06653 -Members $members.user -Confirm:$false

    }

    My CSV file is simply a list of users with the SAMACCOUNTNAME

  • Phil -

    For Each who in what?  I think you have it backwards - or inverted - anyway it doesn't read right.

    HELP Import-Csv -Examples

  • Remove-ADGroupMember -Identity OCS_Users_06653 -Members $members.user -Confirm:$false

    should be:

    Remove-ADGroupMember -Identity OCS_Users_06653 -Members $user.SAMACCOUNTNAME -Confirm:$false

    assuming SAMACCOUNTNAME is the header in the CSV file.

    Regards,

  • Hello,

    so trying to use Add-ADGroupMember to add a user to a Universal group in a different domain. If I use -server $DC1 it can't find the user, and if I use -server $DC2 it can't find the group.

    Any thoughts would be appreciated,

  • Could a comment be added listing the illegal characters in a group name? And maybe How to replace them for those who do not know.

  • thanks