How to manage Active Directory groups with 7 PowerShell commands
Managing users, devices and other resources with Active Directory doesn't always require a GUI tool. Try PowerShell to streamline some of your administrative workload.
If you manage Active Directory with PowerShell, you can streamline your administrative approach to handling groups in the enterprise.
Active Directory is the foundation of the modern Windows environment that organizes the use of devices, users and resources. You can think of Active Directory as having two aspects: data -- users, groups, etc. -- and service -- sites, replication, etc.
Active Directory group administration can take a lot of time unless you learn to automate. In this tutorial, I'll concentrate on explaining how to manage Active Directory with PowerShell.
When this was written, the Active Directory cmdlets did not work in PowerShell Core. You could fall back on the .NET System.DirectoryServices classes to administer groups from PowerShell Core, but that is considerably more work than using the cmdlets, so this tutorial uses them from Windows PowerShell, where the ActiveDirectory module (installed with the Remote Server Administration Tools) loads as usual.
Produce a proper setup for Active Directory groups
A group in Active Directory collects security principals, typically users or computers and, through nesting, other groups. A best practice is for a group to hold either users or computers, but not both. Groups exist mainly to simplify granting permissions: you grant access to the group once rather than to each individual user, and later membership changes never touch the ACL itself.
The following cmdlets provide the functionality needed to manage the full group lifecycle:
Get-ADGroup
New-ADGroup
Remove-ADGroup
Set-ADGroup
Group membership is managed by these cmdlets:
Add-ADGroupMember
Get-ADGroupMember
Remove-ADGroupMember
You can view the available groups with this command:
The Get-* AD cmdlets require one of the Identity, Filter or LDAPFilter parameters; Filter * returns everything. You can restrict a search to a specific organizational unit (OU) or container with the SearchBase parameter:
[Screenshot: Use the Filter parameter with the Get-ADGroup cmdlet to output results for a certain organizational unit.]
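The listing commands above, collected into one added example that is not from the original article. The domain, the UserGroups OU and the group names are assumptions for illustration; only Domain Admins is guaranteed to exist in any domain.

```powershell
# Added example (not from the original article): several ways to scope a group listing.
# Domain name, OU path and group names are assumptions for illustration.
Import-Module ActiveDirectory

# 1. Every group in the domain. One of Identity, Filter or LDAPFilter is mandatory; '*' matches all.
Get-ADGroup -Filter * | Select-Object Name, GroupScope, GroupCategory

# 2. Restrict to one OU. SearchScope Subtree (the default) includes child OUs;
#    OneLevel returns only objects directly under the search base.
Get-ADGroup -Filter * -SearchBase 'OU=UserGroups,DC=Manticore,DC=org' -SearchScope OneLevel |
    Select-Object Name, DistinguishedName

# 3. Server-side filtering on attributes. Put the condition in -Filter rather than in a
#    trailing Where-Object so the domain controller does the work and only matches cross the wire.
Get-ADGroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Global"' `
    -SearchBase 'OU=UserGroups,DC=Manticore,DC=org' |
    Select-Object Name, GroupScope

# 4. The same search as a raw LDAP filter, useful when you already have a query from another tool.
#    1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule; 2147483648 (0x80000000) is the
#    "security enabled" bit in groupType, which distinguishes Security from Distribution groups.
Get-ADGroup -LDAPFilter '(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))' `
    -SearchBase 'OU=UserGroups,DC=Manticore,DC=org' |
    Select-Object Name, GroupScope

# 5. Get-ADGroup returns only a default property set; anything else must be requested explicitly.
Get-ADGroup -Identity 'Domain Admins' -Properties Description, ManagedBy, Members, whenCreated |
    Format-List Name, Description, ManagedBy, whenCreated, Members
```

Variant 5 is the one to remember: attributes such as Description, ManagedBy or Members are blank until you name them in Properties, which is a common reason a script "finds nothing" when the data is really there.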
Building a group with PowerShell commands for Active Directory
GroupCategory can be either Security (a group to which permissions are assigned) or Distribution (used for email distribution lists). Distribution groups are not security-enabled, so they cannot appear in an ACL or in a logon token; as an Active Directory administrator, you normally deal with Security groups.
The GroupScope has three possible values:
Domain Local: Contains members from any domain in the AD forest but only applies to the domain in which it was created. A Domain Local group can be nested in Domain Local groups from the same domain.
Global: Contains members of the domain in which it was created and can be applied in any domain in the forest. A Global group can be nested in a Global group from the same domain or any Domain Local or Universal group.
Universal: Contains members of and applies to any domain in the Active Directory forest. It can be nested in any Domain Local or Universal group, but not in a Global group, because Global groups only accept members from their own domain.
Creating a new group with PowerShell commands for Active Directory requires, at a minimum, the group name, category and scope:
New-ADGroup -Name SWStest1 -GroupCategory Security -GroupScope Global
Get-ADGroup -Identity SWStest1
DistinguishedName : CN=SWStest1,CN=Users,DC=Manticore,DC=org
GroupCategory     : Security
GroupScope        : Global
Name              : SWStest1
ObjectClass       : group
ObjectGUID        : b26c225e-9fe9-43c3-a2d4-362515389bae
SamAccountName    : SWStest1
SID               : S-1-5-21-759617655-3516038109-1479587680-1362
By default the group is created in the Users container. To place it in a specific OU instead, pass the OU's distinguished name in the Path parameter:
New-ADGroup -Name SWStest2 -GroupCategory Security -GroupScope Global -Path "OU=UserGroups,DC=Manticore,DC=org"
You can specify other parameters, such as a display name or description, when you create the group using PowerShell commands for Active Directory. You can adjust those properties using Set-ADGroup, though you're more likely to use the cmdlet to change the group scope or category. You have a limited number of options when changing the group scope:
Domain Local: change to Universal, allowed only if the group does not contain another Domain Local group as a member
Global: change to Universal, allowed only if the group is not itself a member of another Global group
Universal: change to Domain Local (no restrictions) or Global, the latter allowed only if the group does not contain another Universal group as a member
If you want to change a Domain Local group to a Global group, you have to do so via a Universal group:
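An added example that is not from the original article, covering both the creation options above and the two-step scope change. The group name SWStest4, its description and display name are assumptions; the OU path reuses the article's Manticore lab for readability.

```powershell
# Added example (not from the original article): create a Domain Local group in an OU with its
# optional attributes, then convert it Domain Local -> Universal -> Global.
# Group name, display name, description and OU path are assumptions.
Import-Module ActiveDirectory

$ou   = 'OU=UserGroups,DC=Manticore,DC=org'
$name = 'SWStest4'

# -PassThru returns the new object so you can inspect it without a second Get-ADGroup call.
$group = New-ADGroup -Name $name -SamAccountName $name -GroupCategory Security -GroupScope DomainLocal `
    -Path $ou -DisplayName 'SWS test 4' -Description 'Scope conversion demo' -PassThru

# Scope conversion rules are enforced by Active Directory itself, not by the cmdlet:
#   DomainLocal -> Universal   : only if the group contains no Domain Local groups
#   Global      -> Universal   : only if the group is not a member of another Global group
#   Universal   -> Global      : only if the group contains no Universal groups
#   Universal   -> DomainLocal : always allowed
# A direct DomainLocal -> Global change is rejected, so the conversion goes through Universal.
try {
    Set-ADGroup -Identity $group -GroupScope Universal -ErrorAction Stop
    Set-ADGroup -Identity $group -GroupScope Global    -ErrorAction Stop
}
catch {
    # Typical cause: the group is nested somewhere, or contains something, that the new scope forbids.
    Write-Error "Scope change for $name failed: $($_.Exception.Message)"
    throw
}

# Verify the result; Description and DisplayName are not in the default property set, so ask for them.
Get-ADGroup -Identity $name -Properties Description, DisplayName |
    Format-List Name, GroupScope, GroupCategory, DisplayName, Description, DistinguishedName
```

With ErrorAction Stop the first failing Set-ADGroup aborts the sequence; without it the cmdlet only writes a non-terminating error and the second conversion would be attempted against a group that is still Domain Local.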
To see a group's membership, use the Get-ADGroupMember cmdlet. By default it returns only direct members; the Recursive parameter expands nested groups and returns the users and computers found inside them.
Recursive expansion gets fragile with deep nesting, and Active Directory Web Services rejects any single request that would return more than 5,000 members (the MaxGroupOrMemberEntries setting on the domain controller), so a large, deeply nested group can fail with a size-limit error. If you need to nest beyond a few levels, I recommend rethinking your group management strategy rather than working around the cmdlet.
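One way to expand nested membership yourself, level by level, as an added example that is not from the original article. It shows the nesting depth and the path each principal arrives by, stops on membership loops, and keeps every individual call small. The depth limit and the Domain Admins example are assumptions; the function name is hypothetical.

```powershell
# Added example (not from the original article): expand nested group membership one level at a
# time instead of relying on Get-ADGroupMember -Recursive, so the depth and path are visible,
# loops are detected and each call stays under the ADWS per-request limit.
# Function name, MaxDepth default and the example group are assumptions.
Import-Module ActiveDirectory

function Get-NestedGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [int] $MaxDepth = 5,
        # The two parameters below carry state across recursive calls; callers leave them alone.
        [int] $Depth = 0,
        [System.Collections.Generic.HashSet[string]] $Visited = [System.Collections.Generic.HashSet[string]]::new()
    )

    if ($Depth -gt $MaxDepth) {
        Write-Warning "Nesting deeper than $MaxDepth at '$Identity'; stopping expansion."
        return
    }

    $group = Get-ADGroup -Identity $Identity

    # HashSet.Add returns $false when the DN is already present: this group was expanded
    # before, either through a loop (A contains B contains A) or a second path. Skip it.
    if (-not $Visited.Add($group.DistinguishedName)) {
        Write-Warning "'$($group.Name)' already expanded via another path (loop or diamond); skipping."
        return
    }

    foreach ($member in Get-ADGroupMember -Identity $group) {
        if ($member.objectClass -eq 'group') {
            # Recurse into the nested group, passing the shared state along.
            Get-NestedGroupMember -Identity $member.DistinguishedName -MaxDepth $MaxDepth `
                -Depth ($Depth + 1) -Visited $Visited
        }
        else {
            [pscustomobject]@{
                Member      = $member.SamAccountName
                ObjectClass = $member.objectClass
                ViaGroup    = $group.Name
                Depth       = $Depth
            }
        }
    }
}

# Flattened membership of a privileged group, with the group each principal came in through.
Get-NestedGroupMember -Identity 'Domain Admins' | Sort-Object Depth, Member | Format-Table -AutoSize

# Principals that only reach the group through nesting (Depth greater than 0) are exactly
# the ones a reviewer who looks at the group's direct members will miss.
Get-NestedGroupMember -Identity 'Domain Admins' | Where-Object Depth -gt 0
```

The output deliberately keeps one row per path rather than one per user, so a user who reaches the group through two different nested groups shows up twice with different ViaGroup values; pipe through Sort-Object Member -Unique if you only want the flat list.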
To remove a group member, it's just a matter of identifying the member:
Confirm
Are you sure you want to perform this action?
Performing the operation "Set" on target "CN=SWStest2,OU=UserGroups,DC=Manticore,DC=org".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
Remove-ADGroupMember prompts because its ConfirmImpact is High. If you don't want to confirm each removal by hand, pass -Confirm:$false; in a script, running the command with -WhatIf first is the safer habit, because it previews the change without making it.
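The add/remove pattern above, as an added example that is not from the original article: a function that makes a group's direct membership match a desired list, previews with WhatIf, and suppresses the duplicate prompt with Confirm:$false only after its own ShouldProcess check. The function name and the sample account names are assumptions; SWStest2 is the article's lab group.

```powershell
# Added example (not from the original article): reconcile a group's direct membership with a
# desired list, adding what is missing and removing what is extra, with a dry run first.
# Function name and the sample account names are assumptions.
Import-Module ActiveDirectory

function Sync-GroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Group,
        [Parameter(Mandatory)] [string[]] $DesiredMembers   # sAMAccountNames
    )

    # Compare on sAMAccountName (case-insensitive) against the group's direct members only.
    $current  = @(Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName)
    $toAdd    = @($DesiredMembers | Where-Object { $_ -notin $current })
    $toRemove = @($current        | Where-Object { $_ -notin $DesiredMembers })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "Add members: $($toAdd -join ', ')")) {
        # -Members takes an array, so one call covers every addition.
        Add-ADGroupMember -Identity $Group -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "Remove members: $($toRemove -join ', ')")) {
        # Remove-ADGroupMember would prompt again on its own (ConfirmImpact High);
        # ShouldProcess above already asked, so suppress the second prompt.
        Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false
    }

    # Return the resulting direct membership so the caller can verify.
    Get-ADGroupMember -Identity $Group | Select-Object Name, SamAccountName, objectClass
}

# Preview: -WhatIf flows into the ShouldProcess calls, so nothing changes.
Sync-GroupMembership -Group SWStest2 -DesiredMembers 'MickGreen', 'AliceBrown' -WhatIf

# Apply. Add -Confirm to be prompted once per add batch and once per remove batch.
Sync-GroupMembership -Group SWStest2 -DesiredMembers 'MickGreen', 'AliceBrown'
```

Because the comparison is against direct members, a nested group that is not in the desired list is treated as "extra" and removed; that is the right behaviour for a group whose membership you want to own completely, but include the nested group's sAMAccountName in the list if you intend to keep it.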
Use the following command to remove a whole group:
Remove-ADGroup -Identity SWStest3 -Confirm:$false
This command deletes the group object; the user and computer objects that were members are left intact. Two caveats: a group with ProtectedFromAccidentalDeletion set cannot be removed until you clear that flag with Set-ADObject, and deleting a group destroys its SID, so recreating a group with the same name produces a different SID and any ACL entries that referenced the old group are orphaned rather than restored.
You'll also find three cmdlets for handling principal group membership. They work from the principal's point of view rather than the group's: which groups a given user, computer or group belongs to.
Get-Command -Module ActiveDirectory *ADPrincipalGroupMembership* | select name
Name
----
Add-ADPrincipalGroupMembership
Get-ADPrincipalGroupMembership
Remove-ADPrincipalGroupMembership
To list the groups a user is a member of, use Get-ADPrincipalGroupMembership:
distinguishedName : CN=Domain Users,CN=Users,DC=Manticore,DC=org
GroupCategory     : Security
GroupScope        : Global
name              : Domain Users
objectClass       : group
objectGUID        : 645b85eb-84d1-4046-a052-46f0eee004f1
SamAccountName    : Domain Users
SID               : S-1-5-21-759617655-3516038109-1479587680-513
This user is only a member of the default Domain Users group, which is listed because it is the account's primary group. If the user is a member of multiple groups, default or otherwise, the command shows all of the user's direct memberships; it does not expand groups that are themselves nested in other groups:
distinguishedName : CN=Domain Users,CN=Users,DC=Manticore,DC=org
GroupCategory     : Security
GroupScope        : Global
name              : Domain Users
objectClass       : group
objectGUID        : 645b85eb-84d1-4046-a052-46f0eee004f1
SamAccountName    : Domain Users
SID               : S-1-5-21-759617655-3516038109-1479587680-513

distinguishedName : CN=SWStest2,OU=UserGroups,DC=Manticore,DC=org
GroupCategory     : Security
GroupScope        : Global
name              : SWStest2
objectClass       : group
objectGUID        : ff770df0-c416-45eb-b4f9-00ad39f7ea8d
SamAccountName    : SWStest2
SID               : S-1-5-21-759617655-3516038109-1479587680-1364
The last cmdlet is Get-ADAccountAuthorizationGroup, which retrieves the security groups that would appear in the specified user, computer or service account's logon token. Unlike Get-ADPrincipalGroupMembership, this is an effective view: nested memberships are resolved, and well-known principals that Windows adds automatically, such as Everyone and Authenticated Users, are included. That makes it the cmdlet to use when the question is "what can this account actually access?":
Get-ADAccountAuthorizationGroup -Identity MickGreen | select name
name
----
Domain Users
Everyone
Users
Pre-Windows 2000 Compatible Access
Authenticated Users
This Organization
SWStest2
Service asserted identity
Medium Mandatory Level
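The two user-centric views above, direct memberships versus token groups, side by side in an added example that is not from the original article. It flags the groups an account holds only through nesting, which is what a permissions review needs and what the direct listing hides. The function name is hypothetical and MickGreen is the article's sample account.

```powershell
# Added example (not from the original article): compare a user's direct memberships
# (Get-ADPrincipalGroupMembership) with the groups that land in the logon token
# (Get-ADAccountAuthorizationGroup) and label where each token group comes from.
# Function name is hypothetical; the account name is the article's sample user.
Import-Module ActiveDirectory

function Compare-EffectiveGroups {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Identity)

    # Direct memberships: what the user's "Member Of" tab shows (memberOf plus primary group).
    $direct = @(Get-ADPrincipalGroupMembership -Identity $Identity |
        Select-Object -ExpandProperty DistinguishedName)

    # Token groups: transitive membership plus the well-known principals Windows adds at logon.
    # Well-known principals such as Everyone have a SID but no DistinguishedName.
    $token = Get-ADAccountAuthorizationGroup -Identity $Identity

    foreach ($g in $token) {
        $source = if (-not $g.DistinguishedName)              { 'well-known principal' }
                  elseif ($direct -contains $g.DistinguishedName) { 'direct member' }
                  else                                          { 'inherited through nesting' }
        [pscustomobject]@{
            Group  = $g.Name
            SID    = $g.SID.Value
            Scope  = $g.GroupScope
            Source = $source
        }
    }
}

$report = Compare-EffectiveGroups -Identity MickGreen
$report | Sort-Object Source, Group | Format-Table -AutoSize

# The rows a review must not miss: groups held only because a group the user is in
# is itself nested inside another group.
$report | Where-Object Source -eq 'inherited through nesting'

# Privileged-group check on the token itself. Relative IDs 512 (Domain Admins) and
# 519 (Enterprise Admins) are fixed, so this works whatever the groups were renamed to.
$report | Where-Object { $_.SID -match '-(512|519)$' }
```

Checking the token rather than the direct list is what catches the classic mistake of nesting a helpdesk group into Domain Admins "temporarily": every member of that group will match the last filter even though Domain Admins never appears on their Member Of tab.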
You will use the *-ADGroup and *-ADGroupMember cmdlets for most of your administrative efforts, with the *-ADPrincipalGroupMembership cmdlets when you start from a user rather than a group. It's rare that you'll need Get-ADAccountAuthorizationGroup day to day, but keep it in mind for access reviews, because it is the only one of these cmdlets that shows an account's effective group membership.