Group management in Active Directory becomes easier with PowerShell. This time I want to explain the basic ADGroup cmdlets.
The ADGroup cmdlets are used for:
- creating new groups
- showing groups and their attributes
- changing groups’ attributes
AD PowerShell Basics
In this little series I want to introduce the most common Active Directory PowerShell cmdlets. You will be surprised how easy the basics of AD PowerShell are. With little effort and a minimum of source code you can read a huge amount of information and write data into AD. The most important cmdlets are:
This part of the article is about the cmdlet New-ADGroup.
You can easily create new groups in Active Directory using this cmdlet.
In contrast to the cmdlet “New-ADUser”, this cmdlet needs more than just one attribute. Name and GroupScope of the new group are mandatory. GroupScope gives you information about group type:
- Domain local
And this is how it looks:
If you run this in PowerShell you will get a new group named all_testusers with the GroupScope Global.
But that would be the only information the group has so far:
- The cmdlet creates a security group automatically
- There are no attributes filled
- There is no manager set
Usually the group is stored in the “standard” user container, but you shouldn’t leave it there.
Adding Group Category and Target OU
In the next step you want to add some further information. It’s not mandatory, but you definitely should do so when working with Active Directory. You could add the following parameter for instance:
This sets the group up as a distribution list and specifies the group’s OU. In the same way you can fill almost all attributes of a group.
New-ADUser: Bulk Import of Users
So far so good. Compared to the “click-creation” of user accounts in Users and Computers it seems to be easier to create groups by clicking. PowerShell and New-ADGroup become interesting when you want to create many groups at the same time. All you need is a single input file.
It is best to use a CSV file separated by semicolons. Create a simple Excel spreadsheet with the columns Name, GroupScope, GroupCategory etc.
Detailed information about the bulk import of users can be found here: New-ADUser: Mass import of AD User.
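The bulk import described above, as an added example that is not from the original article: it reads semicolon-separated rows, rejects rows New-ADGroup would not accept, skips groups that already exist, and previews the creation with -WhatIf. The CSV rows, the OU path OU=Groups,DC=example,DC=com, the Path and Description columns and the $preview variable are assumptions made for illustration.

```powershell
# Added example: names, OU path and CSV rows below are constructed for illustration.
Import-Module ActiveDirectory

# Stand-in for: $rows = Import-Csv -Path .\groups.csv -Delimiter ';'
$rows = @'
Name;GroupScope;GroupCategory;Path;Description
all_testusers;Global;Security;OU=Groups,DC=example,DC=com;All test users
dl_testnews;Universal;Distribution;OU=Groups,DC=example,DC=com;Test newsletter
bad_scope;Local;Security;OU=Groups,DC=example,DC=com;Row with an invalid scope
'@ | ConvertFrom-Csv -Delimiter ';'

$validScopes     = 'DomainLocal', 'Global', 'Universal'
$validCategories = 'Security', 'Distribution'
$preview         = $true   # $true = only show what would be created (-WhatIf)

foreach ($row in $rows) {
    $name = $row.Name
    # Accept only plain names so the value is safe to embed in the -Filter string
    if ($name -notmatch '^[A-Za-z0-9_. -]{1,64}$') {
        Write-Warning "Skipping row: unexpected characters in name '$name'"
        continue
    }
    if ($row.GroupScope -notin $validScopes -or $row.GroupCategory -notin $validCategories) {
        Write-Warning "Skipping '$name': invalid GroupScope or GroupCategory"
        continue
    }
    # Skip existing groups so the import can be re-run safely
    if (Get-ADGroup -Filter "Name -eq '$name'") {
        Write-Warning "Skipping '$name': group already exists"
        continue
    }
    $params = @{
        Name          = $name
        GroupScope    = $row.GroupScope
        GroupCategory = $row.GroupCategory   # set explicitly; the default is a security group
        Path          = $row.Path            # target OU instead of the default container
    }
    if ($row.Description) { $params.Description = $row.Description }

    New-ADGroup @params -WhatIf:$preview
}
```

Set $preview to $false only after the -WhatIf output lists exactly the groups and OUs you expect.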
The next part of this article is about the cmdlet Get-ADGroup.
It helps you get information about the attributes of existing groups in your Active Directory.
Just like with the Get-ADUser cmdlet you just need the group identity to run the cmdlet successfully. This could be sAMAccountName. It looks like this:
Now you have all the information about the group All_testusers. It looks just like this:
If you don’t know the sAMAccountName or want to search for more than one group, you can use a filter.
You can use filters for a lot of different tasks. Use them by adding the parameter “-filter” to the command line. You can also search for certain attributes with the same means.
Group filters strongly resemble user filters. Here you find more information on searching attributes of users. This applies to groups as well.
If you are searching for a large number of groups, the PowerShell output may be a bit hard to read. But as soon as you export it, everything becomes clear at once. You just have to go through an easy-to-read .csv file created with “Export-Csv”.
The exported data looks like this in the .csv file:
The third part of the article is about the Set-ADGroup cmdlet.
This cmdlet helps you change attributes of Active Directory groups. It works best if you combine it with Get-ADGroup.
If you want to set or change a description it looks like this:
Just as with the description, you can change more than one attribute with a single command. Type in all the attributes one after another.
Get-ADGroup and Set-ADGroup combined
Set-ADGroup becomes very handy in combination with Get-ADGroup. You can read all the groups you want to change. This works as easily as described in the Get-ADUser article. After reading the group information you can use a pipe ( | ) to Set-ADGroup to change the attribute of all groups. It is exactly the same with more than one attribute. Just add an additional line.
Now you have adjusted the description of all groups that have “Test” in their names.
Change Group Attributes per Import
You can also change the attributes by importing a .csv file. The main advantage is that you are able to fill in the same attribute with different values for more than one group. This can be manager and description. You can find more detailed information on that cmdlet in the article Set-ADUser.
Quick AD User Management without PowerShell
As soon as you have created the groups you can create and manage the user accounts easily as well. Just try our free FirstWare IDM-Portal FreeEdition:
- Quick AD administration
- AD Delegation
- AD Self service and much more.
(There is also a ProEdition in case you want to go on with your own PowerShell scripts)