Group Management in Active Directory can be improved by using PowerShell. This time I want to explain the basic ADGroup cmdlets.
ADGroup cmdlets are used for:
- creating new groups
- showing groups and their attributes
- changing groups' attributes
AD PowerShell Basics
In this little series I want to introduce the most common Active Directory PowerShell cmdlets. You will be surprised how easy the basics of AD PowerShell are. With little effort and a minimum of source code you can read a huge amount of information and write data into the AD. The most important cmdlets are:
- New-ADUser, Get-ADUser, Set-ADUser
- New-ADGroup, Get-ADGroup, Set-ADGroup
New-ADGroup Cmdlet
This part of the article is about the cmdlet New-ADGroup. You can easily create new groups in Active Directory using this cmdlet.
In contrast to the cmdlet "New-ADUser", this cmdlet needs more than just one attribute. Name and GroupScope of the new group are mandatory. GroupScope sets the scope of the group:
- Domain local
- Global
- Universal
And this is how it looks:
New-ADGroup -Name all_testusers -GroupScope Global
If you run this in PowerShell you will get a new group named all_testusers with the GroupScope Global.
But that would be the only information the group has so far:
- The cmdlet creates a security group automatically
- There are no attributes filled
- There is no manager set
Usually that group gets stored in the "standard" user container. But you shouldn't leave the group in that place.
Adding Group Category and Target OU
In the next step you want to add some further information. It's not mandatory, but you definitely should do so when working with Active Directory. You could add the following parameters, for instance:
New-ADGroup -Name All_testusers -GroupScope Global -GroupCategory Distribution -Path "OU=Testgroups,DC=Company,DC=Com"
Here you set a distribution list and the group’s OU. This way you can fill almost all attributes of a group.
New-ADUser: Bulk Import of Users
So far so good. Compared to the “click-creation” of user accounts in Users and Computers it seems to be easier to create groups by clicking. PowerShell and New-ADGroup become interesting when you want to create many groups at the same time. All you need is a single input file.
It is best to use a CSV file separated by semicolons. Create a simple Excel spreadsheet with the columns Name, GroupScope, GroupCategory etc.
Detailed information about the bulk import of users can be found here: New-ADUser: Mass import of AD User.
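The bulk creation described above, as an added example that is not part of the original article. It assumes the ActiveDirectory module is installed, that the CSV has the columns Name, GroupScope, GroupCategory, Path and Description, and that the OU and group names are constructed sample values.

```powershell
# Requires the ActiveDirectory module (RSAT) and rights to create groups in the target OU.
Import-Module ActiveDirectory

# Constructed sample input. With a real file use: Import-Csv -Path <file> -Delimiter ';'
$csv = @'
Name;GroupScope;GroupCategory;Path;Description
All_testusers;Global;Distribution;OU=Testgroups,DC=Company,DC=Com;All test users
Test_admins;Global;Security;OU=Testgroups,DC=Company,DC=Com;Admins of the test systems
Test_broken;Gobal;Security;OU=Testgroups,DC=Company,DC=Com;Row with a typo in the scope
'@
$rows = $csv | ConvertFrom-Csv -Delimiter ';'

$validScopes     = 'DomainLocal', 'Global', 'Universal'
$validCategories = 'Security', 'Distribution'

foreach ($row in $rows) {
    # Reject rows with values New-ADGroup would not accept before touching AD.
    if ($row.GroupScope -notin $validScopes -or $row.GroupCategory -notin $validCategories) {
        Write-Warning "Skipping '$($row.Name)': invalid GroupScope or GroupCategory"
        continue
    }

    # New-ADGroup uses Name as sAMAccountName when none is given, so check that one.
    $name = $row.Name
    if (Get-ADGroup -Filter 'SamAccountName -eq $name') {
        Write-Warning "Skipping '$name': a group with this sAMAccountName already exists"
        continue
    }

    $params = @{
        Name          = $row.Name
        GroupScope    = $row.GroupScope
        GroupCategory = $row.GroupCategory   # Security groups can be used in ACLs, Distribution groups cannot
        Path          = $row.Path            # explicit OU instead of the default container
        Description   = $row.Description
    }

    # -WhatIf only prints what would be created. Remove it after reviewing the output.
    New-ADGroup @params -WhatIf
}
```

Setting GroupCategory and Path explicitly for every row keeps a typo in the input file from silently producing a security group in the default container.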
Get-ADGroup Cmdlet
The next part of this article is about the cmdlet Get-ADGroup. It helps you get information about the attributes of existing groups in your Active Directory.
Just like with the Get-ADUser cmdlet, you just need the group identity to run the cmdlet successfully. This could be the sAMAccountName. It looks like this:
Now you have all the information about the group All_testusers. It looks just like this:
Using Filters
If you don't know the sAMAccountName or want to search for more than one group, you can use a filter.
You can use filters for a lot of different tasks. Use them by adding the parameter "-Filter" to the command line. You can also search for certain attributes in the same way.
Group filters strongly resemble user filters. Here you find more information on searching attributes of users. This applies to groups as well.
Export data
If you are searching for a large number of groups, the PowerShell output can be a bit hard to read. But as soon as you export it, everything is clear at once. You just have to go through an easy-to-read .csv file by using "Export-Csv".
Get-ADGroup -Filter * -SearchBase "OU=Testuser,DC=Company,DC=Com" | Export-Csv "c:\test\export.csv"
The exported data looks like this in the .csv file:
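An added example (not from the original article) that combines an attribute filter with the export and keeps only the columns needed to review the groups. The OU and output path are reused from the command above; the NeedsReview column and the "*Test*" name pattern are assumptions made for this illustration.

```powershell
# Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$searchBase = 'OU=Testuser,DC=Company,DC=Com'   # OU from the article's export command
$outFile    = 'c:\test\export.csv'              # path from the article's export command

# Filter on attributes instead of the identity: security groups with "Test" in the name.
# Description, ManagedBy and whenCreated are not returned by default, so request them.
Get-ADGroup -Filter 'GroupCategory -eq "Security" -and Name -like "*Test*"' `
            -SearchBase $searchBase `
            -Properties Description, ManagedBy, whenCreated |
    Select-Object Name, SamAccountName, GroupScope, GroupCategory,
                  Description, ManagedBy, whenCreated,
                  # Hypothetical helper column: true if the group has no manager or no description.
                  @{ Name = 'NeedsReview'; Expression = { (-not $_.ManagedBy) -or (-not $_.Description) } } |
    Sort-Object NeedsReview -Descending |
    Export-Csv -Path $outFile -Delimiter ';' -NoTypeInformation -Encoding UTF8
```

Groups created with only Name and GroupScope, as in the first New-ADGroup command, appear at the top of this report because they have neither a manager nor a description.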
Set-ADGroup cmdlet
The third part of the article is about the Set-ADGroup cmdlet. This cmdlet helps you change attributes of Active Directory groups. It works best if you combine it with Get-ADGroup.
If you want to set or change a description it looks like this:
Set-ADGroup All_testusers -Description "Distribution lists for all test users"
As with the description, you can change more than one attribute with a single command. Type in all the attributes one after another.
Get-ADGroup and Set-ADGroup combined
Set-ADGroup becomes very handy in combination with Get-ADGroup. You can read all the groups you want to change. This works as easily as described in the Get-ADUser article. After reading the group information you can use a pipe ( | ) to Set-ADGroup to change the attribute of all groups. It is exactly the same with more than one attribute. Just add an additional line.
Get-ADGroup -Filter {Name -like "*Test*"} | Set-ADGroup -Description "groups for tests"
Now you have adjusted the description of all groups that have “Test” in their names.
Change Group Attributes per Import
You can also change the attributes by importing a .csv file. The main advantage is that you are able to fill in the same attribute with different values for more than one group. This can be manager and description. You can find more detailed information on that cmdlet in the article Set-ADUser.
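The attribute change per import, as an added example that is not part of the original article. It assumes a semicolon-separated file with the columns SamAccountName, Description and ManagedBy; the group names and the account "jdoe" are constructed sample values.

```powershell
# Requires the ActiveDirectory module (RSAT) and write access to the groups.
Import-Module ActiveDirectory

# Constructed sample input. With a real file use: Import-Csv -Path <file> -Delimiter ';'
$csv = @'
SamAccountName;Description;ManagedBy
All_testusers;Distribution list for all test users;jdoe
Test_admins;Admins of the test systems;
No_such_group;Row that should be reported, not applied;jdoe
'@

foreach ($row in ($csv | ConvertFrom-Csv -Delimiter ';')) {
    # Read the group first: confirms it exists and gives the current values.
    try {
        $group = Get-ADGroup -Identity $row.SamAccountName `
                             -Properties Description, ManagedBy -ErrorAction Stop
    } catch {
        Write-Warning "Group '$($row.SamAccountName)' not found, row skipped"
        continue
    }

    # Build the parameter set from filled cells only, so empty cells are not passed on.
    $changes = @{}
    if ($row.Description) { $changes.Description = $row.Description }
    if ($row.ManagedBy)   { $changes.ManagedBy   = $row.ManagedBy }
    if ($changes.Count -eq 0) { continue }

    # Emit the old values so the change can be reviewed and rolled back later.
    [pscustomobject]@{
        Group          = $group.SamAccountName
        OldDescription = $group.Description
        OldManagedBy   = $group.ManagedBy
        NewDescription = $changes.Description
        NewManagedBy   = $changes.ManagedBy
    }

    # -WhatIf only prints what would change. Remove it after reviewing the output.
    $group | Set-ADGroup @changes -WhatIf
}
```

The same -WhatIf preview is useful before running a broad filter such as the "*Test*" pipeline above, since it lists every group the wildcard matches before any description is overwritten.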
Quick AD User Management without PowerShell
As soon as you have created the groups you can create and manage the user accounts easily as well. Just try our FirstWare IDM-Portal:
- Quick AD administration
- AD Delegation
- AD Self service and more…
(There is also a ProEdition in case you want to go on with your own PowerShell scripts).
If you seek competence and advice, please contact us.
FirstAttribute AG – Microsoft Consulting Partner for Migration and Active Directory