Summary: Learn how to use Windows PowerShell to create local Windows groups in this step-by-step Scripting Guy blog post.

 

Hey, Scripting Guy! I have to create some local security groups on my Windows 2008 server. I want to use Windows PowerShell 1.0 because I have not upgraded Windows PowerShell 1.0 to Windows PowerShell 2.0. In fact, I am planning on upgrading the server to Windows 2008 R2 and I know that I will get Windows PowerShell 2.0 when that upgrade takes place. What do I have to do to create local security groups on my Windows 2008 Server?

-- AM

 

Hello AM, Microsoft Scripting Guy Ed Wilson here. To create local security groups on your Windows Server 2008 server, you use the same procedure that you would use on a Windows 2000 computer, Windows XP workstation, Windows Server 2003 server or just about any other version of the Windows operating system. In fact, the script would probably even work on a Windows NT 4.0 or NT 3.51 computer. This is because SAM-based security groups are a mature technology. I decided to take a look at the Windows PowerShell Scripting Guide book that I wrote for Microsoft Press, and excerpt a portion of one of the chapters in that most excellent book.

Portions of today’s post are excerpted from Ed Wilson’s Windows PowerShell Scripting Guide, Microsoft Press, 2008.

We may have to create local groups on a Windows machine to control access to local resources, such as a shared scanner or printer. Local groups are also used in workgroup settings, which are still used in remote offices in many companies. There is a new group tool in the computer management toolkit. This is seen in the following figure.

 

In the CreateLocalGroup.ps1 script we first use the param statement to define three parameters: -computer, -group and -help. We set the -computer parameter to the local machine by default. This line of code is seen here.

param($computer="localhost", $group, $help)

 

Next we define the funhelp function. The body of funhelp is a large here-string that is stored in the $helpText variable. Inside the here-string, we are free to ignore quoting rules and to format the text the way that we want it to appear on the screen. We define the description of the script, the parameters, and the syntax. After we have defined these sections of the string, we print the text of the $helpText variable and exit the script. The funhelp function is seen here.

function funHelp()
{
$helpText=@"
DESCRIPTION:
NAME: CreateLocalGroup.ps1
Creates a local group on either a local or remote machine.

PARAMETERS:
-computer Specifies the name of the computer upon which to run the script
-group    Name of group to create
-help     prints help file

SYNTAX:
CreateLocalGroup.ps1
Generates an error. You must supply a group name

CreateLocalGroup.ps1 -computer MunichServer -group MyGroup

Creates a local group called MyGroup on a computer named MunichServer

CreateLocalGroup.ps1 -group Mygroup

Creates a local group called MyGroup on local computer

CreateLocalGroup.ps1 -help ?

Displays the help topic for the script

"@
$helpText
exit
}

 

If the $help variable is present then we will print the help text. This line is seen here.

if($help){ "Obtaining help ..." ; funhelp }

 

We also have to make sure that a group name is supplied to the script when it is run. If the $group variable is not present, then it was not supplied at run time. Therefore, we will generate an error by using the throw statement. This section is seen here.

if(!$group)
      {
       $(Throw 'A value for $group is required.
       Try this: CreateLocalGroup.ps1 -help ?')
        }

 

Finally we get to the main [ADSI] section of the script. It resembles the section that creates a local user. The difference is we create a group, instead of a user. The other difference is no password is required for a group. Other than that, the syntax is almost the same. This section is seen here.

$objOu = [ADSI]"WinNT://$computer"
$objUser = $objOU.Create("Group", $group)
$objUser.SetInfo()
$objUser.description = "Test Group"
$objUser.SetInfo()

 

The completed CreateLocalGroup.ps1 script is seen here.

CreateLocalGroup.ps1

# Parameters: target computer (defaults to the local machine), group name, help switch
param($computer="localhost", $group, $help)

# Prints the help text and exits the script
function funHelp()
{
$helpText=@"
DESCRIPTION:
NAME: CreateLocalGroup.ps1
Creates a local group on either a local or remote machine.

PARAMETERS:
-computer Specifies the name of the computer upon which to run the script
-group    Name of group to create
-help     prints help file

SYNTAX:
CreateLocalGroup.ps1
Generates an error. You must supply a group name

CreateLocalGroup.ps1 -computer MunichServer -group MyGroup

Creates a local group called MyGroup on a computer named MunichServer

CreateLocalGroup.ps1 -group Mygroup

Creates a local group called MyGroup on local computer

CreateLocalGroup.ps1 -help ?

Displays the help topic for the script

"@
$helpText
exit
}

# Show help when -help is supplied
if($help){ "Obtaining help ..." ; funhelp }

# A group name is mandatory; stop with an error when it is missing
if(!$group)
      {
       $(Throw 'A value for $group is required.
       Try this: CreateLocalGroup.ps1 -help ?')
        }

# Bind to the computer through the WinNT provider ($objOu holds the computer object)
$objOu = [ADSI]"WinNT://$computer"
# Create the group ($objUser holds the new group object) and commit it to the SAM
$objUser = $objOU.Create("Group", $group)
$objUser.SetInfo()
# Set the description and commit again
$objUser.description = "Test Group"
$objUser.SetInfo()
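The following is an added example, not code from the original post or the book: a variant of the creation step that validates both names before they are interpolated into the WinNT:// path and leaves an existing group untouched instead of failing. The function name New-LocalGroupSafe, its -Description parameter and the host-name pattern are assumptions of this example.

```powershell
# Added example, not part of CreateLocalGroup.ps1. New-LocalGroupSafe, -Description
# and the host-name pattern below are assumptions made for this illustration.
function New-LocalGroupSafe {
    param(
        [string]$Computer = "localhost",
        [string]$Group,
        [string]$Description = ""
    )

    if (-not $Group) { throw 'A value for -Group is required.' }

    # Both values are interpolated into the ADSI path, so reject anything that
    # could change its structure. Conservative host-name pattern (assumption).
    if ($Computer -notmatch '^[A-Za-z0-9._-]+$') {
        throw "Computer name '$Computer' contains unexpected characters."
    }
    # Characters Windows does not allow in local group names, plus the
    # 256-character limit and the ban on names made only of periods or spaces.
    if ($Group -match '["/\\\[\]:;|=,+*?<>@]' -or $Group -match '^[. ]+$' -or
        $Group.Length -gt 256) {
        throw "'$Group' is not a valid local group name."
    }

    $machine = [ADSI]"WinNT://$Computer"

    # Look for an existing group first instead of letting Create()/SetInfo() fail.
    $existing = $machine.psbase.Children | Where-Object {
        $_.psbase.SchemaClassName -eq 'Group' -and $_.psbase.Name -eq $Group
    }
    if ($existing) { return "Exists: $Group on $Computer (left unchanged)" }

    # Same two-step commit as the original script: create, then describe.
    $newGroup = $machine.Create("Group", $Group)
    $newGroup.SetInfo()
    if ($Description) {
        $newGroup.Description = $Description
        $newGroup.SetInfo()
    }
    return "Created: $Group on $Computer"
}

# Example call with constructed values:
# New-LocalGroupSafe -Group "ScannerUsers" -Description "Access to the shared scanner"
```

Run it from an elevated session. Passing a real description instead of the fixed "Test Group" keeps the purpose of each group visible when local groups are reviewed later.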

 

 

AM, that is all there is to using Windows PowerShell to create local groups. Local user week will continue tomorrow when I will talk about how to add users to groups.

I invite you to follow me on Twitter or Facebook. If you have any questions, send email to me at scripter@microsoft.com or post them on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

 

Ed Wilson, Microsoft Scripting Guy