Sergey Nivens - Fotolia

How to manage Active Directory groups with 7 PowerShell commands

Managing users, devices and other resources with Active Directory doesn't always require a GUI tool. Try PowerShell to streamline some of your administrative workload.

If you manage Active Directory with PowerShell, you can streamline your administrative approach to handling groups in the enterprise.

Active Directory is the foundation of the modern Windows environment that organizes the use of devices, users and resources. You can think of Active Directory as having two aspects: data -- users, groups, etc. -- and service -- sites, replication, etc.

Active Directory group administration can take a lot of time unless you learn to automate. In this tutorial, I'll concentrate on explaining how to manage Active Directory with PowerShell.

The Active Directory cmdlets don't yet work in PowerShell Core. You could use .NET classes to administer groups in PowerShell Core, but that is more difficult than working with cmdlets. This tutorial will explain how to use these cmdlets with Windows PowerShell.

Produce a proper setup for Active Directory groups

A group in Active Directory is a container for user or computer objects. A best practice is to have groups include either users or computers, but not both. Usually, a group is created to simplify the process of granting permissions, as this grants access to the group once rather than having to grant access many times to each individual user.

The following cmdlets provide the functionality needed to manage the full group lifecycle:

  • Get-ADGroup
  • New-ADGroup
  • Remove-ADGroup
  • Set-ADGroup

Group membership is managed by these cmdlets:

  • Add-ADGroupMember
  • Get-ADGroupMember
  • Remove-ADGroupMember

You can view the available groups with this command:

Get-ADGroup -Filter * | sort GroupScope | select Name, GroupCategory, GroupScope

The Get-* AD cmdlets require either the Identity or the Filter parameter. You can restrict the search to a specific organizational unit (OU) or container:

Get-ADGroup -Filter * -SearchBase 'CN=Users,DC=Manticore,DC=org' | sort GroupScope |  select Name, GroupCategory, GroupScope

The results are shown in the following screenshot:

Get-ADGroup cmdlet
Use the Filter parameter with the Get-ADGroup cmdlet to output results for a certain organizational unit.

Building a group with PowerShell commands for Active Directory

GroupCategory can be either Security -- a group to which permissions are assigned -- or Distribution, which is used for email distribution lists. As an Active Directory administrator, you normally deal with Security groups.

The GroupScope has three possible values:

  • Domain Local: Contains members from any domain in the AD forest but only applies to the domain in which it was created. A Domain Local group can be nested in Domain Local groups from the same domain.
  • Global: Contains members of the domain in which it was created and can be applied in any domain in the forest. A Global group can be nested in a Global group from the same domain or any Domain Local or Universal group.
  • Universal: Contains members of and applies to any domain in the Active Directory forest. It can be nested in any Domain Local or Global Group.
The Active Directory cmdlets don't yet work in PowerShell Core. You could use .NET classes to administer groups in PowerShell Core, but that is more difficult than working with cmdlets.

Creating a new group with PowerShell commands for Active Directory requires, at a minimum, the group name, category and scope:

New-ADGroup -Name SWStest1 -GroupCategory Security -GroupScope Global
Get-ADGroup -Identity SWStest1

DistinguishedName : CN=SWStest1,CN=Users,DC=Manticore,DC=org
GroupCategory     : Security
GroupScope        : Global
Name              : SWStest1
ObjectClass       : group
ObjectGUID        : b26c225e-9fe9-43c3-a2d4-362515389bae
SamAccountName    : SWStest1
SID               : S-1-5-21-759617655-3516038109-1479587680-1362

The group is created in the Users container. You can specify the OU for the group you're creating using the following commands:

New-ADGroup -Name SWStest2 -GroupCategory Security -GroupScope Global -Path "OU=UserGroups,DC=Manticore,DC=org"

New-ADGroup -Name SWStest3 -GroupCategory Security -GroupScope DomainLocal -Path "OU=UserGroups,DC=Manticore,DC=org"

You can specify other parameters, such as a display name or description, when you create the group using PowerShell commands for Active Directory. You can adjust those properties using Set-ADGroup, though you're more likely to use the cmdlet to change the group scope or category. You have a limited number of options when changing the group scope:

  • Domain Local: change to Universal
  • Global: change to Universal
  • Universal: change to Domain Local or Global

If you want to change a Domain Local group to a Global group, you have to do so via a Universal group:

Get-ADGroup -Identity SWSTest3 | Set-ADGroup -GroupScope Universal
Get-ADGroup -Identity SWSTest3 | Set-ADGroup -GroupScope Global
Get-ADGroup -Identity SWSTest3

DistinguishedName : CN=SWStest3,OU=UserGroups,DC=Manticore,DC=org
GroupCategory     : Security
GroupScope        : Global
Name              : SWStest3
ObjectClass       : group
ObjectGUID        : f4306a26-aaaa-478e-bfa6-f02a1dc15775
SamAccountName    : SWStest3
SID               : S-1-5-21-759617655-3516038109-1479587680-1366

The other aspect of working with groups is group membership management. You can add, get and remove group members.

You can add group members in bulk, assuming you can find the correct filters:

Get-ADUser -Filter {name -like 'Green*'} |
foreach {Add-ADGroupMember -Identity SWStest2 -Members $_}

Or you can add a single member:

Add-ADGroupMember -Identity SWStest2 -Members FredBrown

To view group membership, use the Get-ADGroupMember cmdlet:

Get-ADGroupMember -Identity SWStest2 | select name

name
----
GREEN Don
GREEN James
GREEN Jason
GREEN Jeff
GREEN Steve
GREEN Will
GREEN Dave
GREEN Bill
GREEN Mick
BROWN Fred
GREEN Fred

You also get the distinguished name and SamAccountName returned by default.

Let's add some users to another group:

Get-ADUser -Filter {name -like 'Fox*'} | foreach {Add-ADGroupMember -Identity SWStest3 -Members $_}

Then add a group:

Add-ADGroupMember -Identity SWStest3 -Members SWStest2

Use the following command to see the group's membership:

Get-ADGroupMember -Identity SWStest3

Then, you'll see the nested group shown as a group:

distinguishedName : CN=SWStest2,OU=UserGroups,DC=Manticore,DC=org
name              : SWStest2
objectClass       : group
objectGUID        : ff770df0-c416-45eb-b4f9-00ad39f7ea8d
SamAccountName    : SWStest2
SID               : S-1-5-21-759617655-3516038109-1479587680-1364

To see the full group membership, you need to search recursively through nested groups:

Get-ADGroupMember -Identity SWStest3 -Recursive | select name | format-wide -Column 3

Active Directory group membership
To see the full group membership with PowerShell, use the Get-ADGroupMember cmdlet.

Recursive search can break if you have too many levels of nested groups. I recommend rethinking your group management strategy if you need to nest beyond a few levels.

To remove a group member, it's just a matter of identifying the member:

Remove-ADGroupMember -Identity SWStest2 -Members FredBrown                                                        

Confirm
Are you sure you want to perform this action?
Performing the operation "Set" on target "CN=SWStest2,OU=UserGroups,DC=Manticore,DC=org".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

If you don't want to manually confirm the removal, use the Confirm parameter:

Remove-ADGroupMember -Identity SWStest2 -Members FredBrown -Confirm:$false

Use the following command to remove a whole group:

Remove-ADGroup -Identity SWStest3 -Confirm:$false

This command deletes the group, leaving the group members intact.

You'll also find three cmdlets for handling principal group membership. Rather than the group perspective, they work from the user standpoint, such as the groups a user is in.

Get-Command -Module ActiveDirectory *ADPrincipalGroupMembership* |
select name

Name
----
Add-ADPrincipalGroupMembership
Get-ADPrincipalGroupMembership
Remove-ADPrincipalGroupMembership 

To view the principal group for a user, use this command:

Get-ADPrincipalGroupMembership -Identity FredBrown

distinguishedName : CN=Domain Users,CN=Users,DC=Manticore,DC=org
GroupCategory     : Security
GroupScope        : Global
name              : Domain Users
objectClass       : group
objectGUID        : 645b85eb-84d1-4046-a052-46f0eee004f1
SamAccountName    : Domain Users
SID               : S-1-5-21-759617655-3516038109-1479587680-513

This user is only a member of the default domain users group. If the user is a member of multiple groups, default or otherwise, the command shows all of the user's memberships:

Get-ADPrincipalGroupMembership -Identity MickGreen

distinguishedName : CN=Domain Users,CN=Users,DC=Manticore,DC=org
GroupCategory     : Security
GroupScope        : Global
name              : Domain Users
objectClass       : group
objectGUID        : 645b85eb-84d1-4046-a052-46f0eee004f1
SamAccountName    : Domain Users
SID               : S-1-5-21-759617655-3516038109-1479587680-513 

distinguishedName : CN=SWStest2,OU=UserGroups,DC=Manticore,DC=org
GroupCategory     : Security
GroupScope        : Global
name              : SWStest2
objectClass       : group
objectGUID        : ff770df0-c416-45eb-b4f9-00ad39f7ea8d
SamAccountName    : SWStest2
SID               : S-1-5-21-759617655-3516038109-1479587680-1364

The last cmdlet is Get-ADAccountAuthorizationGroup, which retrieves the security groups from the specified user, computer or service accounts token. The results will include all groups, such as Everyone, that are managed automatically:

Get-ADAccountAuthorizationGroup -Identity MickGreen | select name

name
----
Domain Users
Everyone
Users
Pre-Windows 2000 Compatible Access
Authenticated Users
This Organization
SWStest2
Service asserted identity
Medium Mandatory Level

You will use the *-ADGroup and *-ADGroupMembership cmdlets for most of your administrative efforts. It's very rare that you'll need to use the other cmdlets mentioned in this tip.

Next Steps

25 basic PowerShell commands for Windows administrators

PowerShell 7 features admins should examine

Dig Deeper on Windows Server OS and management