Learn about Windows PowerShell
Summary: Create security groups in targeted organizational units in Active Directory.
Hey, Scripting Guy!
I was wondering if you could please show me how to use Windows PowerShell to create some security groups inside a set of organizational units in Active Directory. Is it difficult?
Honorary Scripting Guy, Sean Kearney here, filling in for our good friend, Ed.
To catch up on the first parts in this series, please read:
In Windows Server 2012 R2 or Windows Server 2008 R2, creating security groups got far easier with built-in cmdlets for Active Directory. In Part 2 of this series, I introduced you to the New-ADOrganizationalUnit cmdlet. Today we’re going to the see the New-ADGroup cmdlet in action!
In our demo Active Directory, our next task is to create some security groups. We’re going to keep this simple and effective. We’re going to place a security group that is based on the division and location in the final branch of each structure.
Let’s take a look at our variables for divisions and cities:
Now I’m going to have each group based on the CityOU name and the DivisionOU name. We’re going to concatenate each one, separated by a hyphen. We’ll use a simple loop that will accomplish the following:
First we’ll build the group name and ensure that any blank spaces are removed:
$GroupName=$City.replace(" ","")+"-"+$Division.replace(" ","")
Then we build the group’s description:
$GroupDescription="$Division in $City Access Group"
I plan on using this particular set of instructions later when I populate users based on city and division, so I’m going to make this into a simple function:
# Return the Results (This is a feature new to version 3)
Now we’ll take our original script to populate the organizational units and insert our new code to not only build a security group, but also populate it within targeted sections of our demo Active Directory environment:
NEW-ADOrganizationalUnit -name $BaseOU -path $Domain
# Gather through list of Cities
Foreach ($City in $CityOU)
# Create OU for City
NEW-ADOrganizationalUnit -path $CompanyPath -name $City
# Gather through list of Divisions
Foreach($Division in $DivisionOU)
# Create Division within City
NEW-ADOrganizationalUnit -path "OU=$City,$CompanyPath" -name $Division
# Create Group within Division and Description
$GroupData=GET-GroupInfo -City $City -Division $Division
NEW-ADGroup -name $GroupName -GroupScope Global -Description `
$GroupDescription –Path "OU=$Division,OU=$City,$CompanyPath"
Neat, eh? So with some basic variables, we now have a now simple Active Directory structure with built-in security groups! Next, I think we might need some users. For that, pop-in tomorrow when I will show you how with only 15 male and female names, I can build as large a demo environment as you could ever want in Active Directory!
See you tomorrow!
I invite you to follow the Scripting Guys on Twitter and Facebook. If you have any questions, send email to firstname.lastname@example.org, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Sean Kearney, Honorary Scripting Guy andWindows PowerShell MVP
Nice sample. Thanks for sharing
The really cool part is when you pull all of the pieces together and can just spin up Demo AD Structures on the fly. Makes it easier to "Play" with a structure that has a pile of "Real" data in it. Without this I was going "Right Click, New etc etc etc" and wondering where the day went.
Not anymore thanks to PowerShell
I am trying to follow the lab exercise until now but i am not a pro scripter.
Missing something in the last statement when I try to launch the script.
On the last line it keeps telling me unexpected token, and I am not able to run the script.
I have tried to put a = between and use other brackets but structure is there but not the groups.
Copied and pasted every little part from your writing in a file but cant get the groups to function. its building the structure that is not the problem.
Hope you can provide me with the answer.