Create and Manage Users and Groups in Active Directory
- 6/29/2015
- Create users
- Create and manage groups
- Create and manage OUs
- Summary
Create and manage groups
Use the ADGroup set of cmdlets to create, delete, modify, or list Active Directory groups, and either the ADGroupMember set of cmdlets or the ADPrincipalGroupMembership set of cmdlets to add, remove, and list the members of an Active Directory group. By using the ADGroupMember cmdlets, you add or remove one or more users, groups, service accounts, or computers to or from a group, whereas with the ADPrincipalGroupMembership cmdlets you add or remove a user, group, service account, or computer to or from one or more groups. Or, to try to make that a little clearer—if you want to add many objects into one group, use Add-ADGroupMember, but if you want to add one object into many groups, use Add-ADPrincipalGroupMembership. Or you can ignore one or the other set of cmdlets and use looping to accomplish the same thing, as I did earlier when I added the user Charlie into multiple groups by using the Add-ADGroupMember cmdlet and a ForEach loop.
In AD DS, two types of groups are supported: security groups and distribution groups. And there are three scope levels for each: Domain Local, Global, and Universal. To demonstrate how these cmdlets work, let’s create a new group, Accounting Users, as a security group with Universal scope, and add a couple of users to the group. Then we’ll search to get a list of users in the group, by using both standard Windows PowerShell filtering and LDAP filtering.
Create a new group
Creating a new group is easy and uses the same basic techniques as creating a new user. The difference is that there are far fewer properties and parameters to creating a new group. For example, use the following command to create a new security group called Accounting Users and give that group Universal scope.
New-ADGroup -Name 'Accounting Users’ `
-Description 'Security Group for all accounting users’ `
-DisplayName 'Accounting Users’ `
-GroupCategory Security `
-GroupScope Universal `
-SAMAccountName 'AccountingUsers’ `
-PassThru
The results of this command are shown in Figure 3-3. Notice that even though we didn’t specify the full path where we wanted to create the Accounting Users group, Windows PowerShell defaulted to putting the group in the Users container. To override that default, specify the Path parameter. Windows PowerShell will use the default container for your domain if you don’t specify a path.
)
Figure 3-3 Adding a new AD DS security group
Add users to a group
Let’s start by adding a couple of members to the Accounting Users group we just created. For this, because we’re adding multiple users to a single group, we’ll use the Add-ADGroupMember cmdlet.
Add-ADGroupMember has the following syntax.
Add-ADGroupMember [-Identity] <ADGroup> [-Members] <ADPrincipal[]>
[-AuthType {Negotiate | Basic}] [-Credential PSCredential>]
[-Partition <String>] [-PassThru] [-Server <String>]
[-Confirm] [-WhatIf] [<CommonParameters>]
The Identity parameter accepts a Distinguished Name (DN), GUID, security identifier (SID) or SAM account name to identify which group you want to add members to. The Members parameter accepts an array of new members that you want to add to the group. The new members can be identified by the same methods as the group identifier, but the parameter also accepts user, computer, and group object variables that identify the members to be added. You cannot, however, pass objects to Add-ADGroupMember through the pipeline.
To add Dave R. Guy and Stanley T. Behr to the Accounting Users group, use the following command.
Add-ADGroupMember -Identity AccountingUsers -Members Dave,Stanley -PassThru
DistinguishedName : CN=Accounting Users,CN=Users,DC=TreyResearch,DC=net GroupCategory : Security GroupScope : Universal Name : Accounting Users ObjectClass : group ObjectGUID : d4629307-b10f-4342-80a5-e192d430bf8c SamAccountName : AccountingUsers SID : S-1-5-21-910751839-3601328731-670513855-1137
To verify that the members were added, because the PassThru parameter doesn’t really help with that, use the Get-ADGroupMember cmdlet.
Get-ADGroupMember -Identity AccountingUsers
distinguishedName : CN=Stanley Behr,CN=Users,DC=TreyResearch,DC=net name : Stanley Behr objectClass : user objectGUID : 17527a2f-2710-49d7-ad6d-ce6342bb8c63 SamAccountName : Stanley SID : S-1-5-21-910751839-3601328731-670513855-1131 distinguishedName : CN=David Guy,CN=Users,DC=TreyResearch,DC=net name : David Guy objectClass : user objectGUID : 93534ac0-bbd4-4a29-aae0-470b8e604b18 SamAccountName : Dave SID : S-1-5-21-910751839-3601328731-670513855-1129
Manage groups
Now, let’s take this a bit further. Let’s create another new security group for management. We’ll call the group Managers, and we’ll use the Description property to add members to the group. So, first create the group by using New-ADGroup.
New-ADGroup –Name 'Managers’ `
-Description 'Security Group for all Managers’ `
-DisplayName 'Managers’ `
-GroupCategory Security `
-GroupScope Universal `
-SAMAccountName 'Managers’ `
-PassThru
DistinguishedName : CN=Managers,CN=Users,DC=TreyResearch,DC=net GroupCategory : Security GroupScope : Universal Name : Managers ObjectClass : group ObjectGUID : 625b4911-301a-4249-8c39-40b88734a124 SamAccountName : Managers SID : S-1-5-21-910751839-3601328731-670513855-1138
Now we need to select just the users who are managers to add to the group. We can do that by using the Description property, because we populated that when we created the users, and we know it includes ”Manager“ in the description for those who are managers. This would be easy if we could just pass the results of Get-ADUser directly through the pipeline to Add-ADGroupMember, but we can’t. So, instead, we’ll create an array of SAM account names from the results of Get-ADUser.
$ManagerArray = (Get-ADUser -Filter {Description -like “*Manager*” } `
-Properties Description).SAMAccountName
Now we’ll use the $ManagerArray variable with Add-ADGroupMember.
Add-ADGroupMember -Identity “Managers” -Members $ManagerArray -PassThru
And finally, to confirm the identity of who we added, use this.
Get-ADGroupMember -Identity Managers | ft -auto SAMAccountName,Name
SAMAccountName Name -------------- ---- Trey Trey Barksdale Wally William Wallace Harold Harold Catz Dave David Guy
But there’s a problem with that—it really doesn’t confirm that the users we added were managers. We could try changing that Format-Table command to the following.
ft -auto SAMAccountName,Name,Description
Unfortunately, that just yields an empty column for the Description field. And we can understand why with this.
Get-ADGroupMember -Identity Managers | Get-Member
TypeName: Microsoft.ActiveDirectory.Management.ADPrincipal
Name MemberType Definition
---- ---------- ----------
Contains Method bool Contains(string propertyName)
Equals Method bool Equals(System.Object obj)
GetEnumerator Method System.Collections.IDictionaryEnumerator GetEnumerator()
GetHashCode Method int GetHashCode()
GetType Method type GetType()
ToString Method string ToString()
Item ParameterizedProperty
Microsoft.ActiveDirectory.Management.ADPropertyValueCollection Item(string p...
distinguishedName Property System.String distinguishedName {get;set;}
name Property System.String name {get;}
objectClass Property System.String objectClass {get;set;}
objectGUID Property System.Nullable`1[[System.Guid, mscorlib,
Version=4.0.0.0, Culture=neutral, ...
SamAccountName Property System.String SamAccountName {get;set;}
SID Property System.Security.Principal.SecurityIdentifier
SID {get;set;}
We can’t add a -Properties Description to the Get-ADGroupMember, because it doesn’t support that parameter, so instead, we pass the results through Get-ADUser, which does support the Properties parameter, and now we get the following.
Get-ADGroupMember -Identity Managers `
| Get-ADUser -Properties Description `
| Format-Table -auto SAMAccountName,Name,Description
SAMAccountName Name Description
-------------- ---- -----------
Trey Trey Barksdale Sales Manager
Wally William Wallace Marketing Manager
Harold Harold Catz Engineering Manager
Dave David Guy Customer Appreciation Manager
That worked. Now we can clearly tell that each of the members of the Managers group is described as a manager in Active Directory.
How about adding a user to multiple groups at a time? We saw earlier in the “Create users” section that we could do that with a loop, but wouldn’t it be more efficient to just do it in a single command? Let’s give Alfie the power he’s always wanted and make him a superuser, just like Charlie. And, instead of looping, we’ll use the Add-ADPrincipalGroupMembership cmdlet.
$Groups = (Get-ADUser -Identity Charlie -Properties *).MemberOf Add-ADPrincipalGroupMembership -Identity Alfie -MemberOf $Groups (Get-ADUser -Identity Alfie -Properties MemberOf).MemberOf
CN=Group Policy Creator Owners,CN=Users,DC=TreyResearch,DC=net CN=Domain Admins,CN=Users,DC=TreyResearch,DC=net CN=Enterprise Admins,CN=Users,DC=TreyResearch,DC=net CN=Schema Admins,CN=Users,DC=TreyResearch,DC=net CN=Administrators,CN=Builtin,DC=TreyResearch,DC=net
Now Alfie has his wish; he’s a superuser. But really, that’s more than we think he should have, so instead, we’ll just give him basic Domain Admins membership by removing him from the groups he really shouldn’t be in.
Remove-ADPrincipalGroupMembership -Identity Alfie `
-MemberOf “Enterprise Admins”,`
“Schema Admins”,`
“Group Policy Creator Owners” `
-PassThru
And after we confirm that we really want to do it, Alfie has been reduced to a more reasonable level, as shown with the following.
(Get-ADUser -Identity Alfie -Properties MemberOf).MemberOf
CN=Domain Admins,CN=Users,DC=TreyResearch,DC=net CN=Administrators,CN=Builtin,DC=TreyResearch,DC=net