Home > Sample chapters

Create and Manage Users and Groups in Active Directory

Create and manage groups

Use the ADGroup set of cmdlets to create, delete, modify, or list Active Directory groups, and either the ADGroupMember set of cmdlets or the ADPrincipalGroupMembership set of cmdlets to add, remove, and list the members of an Active Directory group. By using the ADGroupMember cmdlets, you add or remove one or more users, groups, service accounts, or computers to or from a group, whereas with the ADPrincipalGroupMembership cmdlets you add or remove a user, group, service account, or computer to or from one or more groups. Or, to try to make that a little clearer—if you want to add many objects into one group, use Add-ADGroupMember, but if you want to add one object into many groups, use Add-ADPrincipalGroupMembership. Or you can ignore one or the other set of cmdlets and use looping to accomplish the same thing, as I did earlier when I added the user Charlie into multiple groups by using the Add-ADGroupMember cmdlet and a ForEach loop.

In AD DS, two types of groups are supported: security groups and distribution groups. And there are three scope levels for each: Domain Local, Global, and Universal. To demonstrate how these cmdlets work, let’s create a new group, Accounting Users, as a security group with Universal scope, and add a couple of users to the group. Then we’ll search to get a list of users in the group, by using both standard Windows PowerShell filtering and LDAP filtering.

Create a new group

Creating a new group is easy and uses the same basic techniques as creating a new user. The difference is that there are far fewer properties and parameters to creating a new group. For example, use the following command to create a new security group called Accounting Users and give that group Universal scope.

New-ADGroup -Name 'Accounting Users’ `
            -Description 'Security Group for all accounting users’ `
            -DisplayName 'Accounting Users’ `
            -GroupCategory Security `
            -GroupScope Universal `
            -SAMAccountName 'AccountingUsers’ `
            -PassThru

The results of this command are shown in Figure 3-3. Notice that even though we didn’t specify the full path where we wanted to create the Accounting Users group, Windows PowerShell defaulted to putting the group in the Users container. To override that default, specify the Path parameter. Windows PowerShell will use the default container for your domain if you don’t specify a path.

Figure 3-3

Figure 3-3 Adding a new AD DS security group

Add users to a group

Let’s start by adding a couple of members to the Accounting Users group we just created. For this, because we’re adding multiple users to a single group, we’ll use the Add-ADGroupMember cmdlet.

Add-ADGroupMember has the following syntax.

Add-ADGroupMember [-Identity] <ADGroup> [-Members] <ADPrincipal[]> 
[-AuthType {Negotiate | Basic}] [-Credential PSCredential>] 
[-Partition <String>] [-PassThru] [-Server <String>] 
[-Confirm] [-WhatIf] [<CommonParameters>]

The Identity parameter accepts a Distinguished Name (DN), GUID, security identifier (SID) or SAM account name to identify which group you want to add members to. The Members parameter accepts an array of new members that you want to add to the group. The new members can be identified by the same methods as the group identifier, but the parameter also accepts user, computer, and group object variables that identify the members to be added. You cannot, however, pass objects to Add-ADGroupMember through the pipeline.

To add Dave R. Guy and Stanley T. Behr to the Accounting Users group, use the following command.

Add-ADGroupMember -Identity AccountingUsers -Members Dave,Stanley -PassThru
DistinguishedName : CN=Accounting Users,CN=Users,DC=TreyResearch,DC=net
GroupCategory     : Security
GroupScope        : Universal
Name              : Accounting Users
ObjectClass       : group
ObjectGUID        : d4629307-b10f-4342-80a5-e192d430bf8c
SamAccountName    : AccountingUsers
SID               : S-1-5-21-910751839-3601328731-670513855-1137

To verify that the members were added, because the PassThru parameter doesn’t really help with that, use the Get-ADGroupMember cmdlet.

Get-ADGroupMember -Identity AccountingUsers
distinguishedName : CN=Stanley Behr,CN=Users,DC=TreyResearch,DC=net
name              : Stanley Behr
objectClass       : user
objectGUID        : 17527a2f-2710-49d7-ad6d-ce6342bb8c63
SamAccountName    : Stanley
SID               : S-1-5-21-910751839-3601328731-670513855-1131

distinguishedName : CN=David Guy,CN=Users,DC=TreyResearch,DC=net
name              : David Guy
objectClass       : user
objectGUID        : 93534ac0-bbd4-4a29-aae0-470b8e604b18
SamAccountName    : Dave
SID               : S-1-5-21-910751839-3601328731-670513855-1129

Manage groups

Now, let’s take this a bit further. Let’s create another new security group for management. We’ll call the group Managers, and we’ll use the Description property to add members to the group. So, first create the group by using New-ADGroup.

New-ADGroup –Name 'Managers’ `
            -Description 'Security Group for all Managers’ `
            -DisplayName 'Managers’ `
            -GroupCategory Security `
            -GroupScope Universal `
            -SAMAccountName 'Managers’ `
            -PassThru
DistinguishedName : CN=Managers,CN=Users,DC=TreyResearch,DC=net
GroupCategory     : Security
GroupScope        : Universal
Name              : Managers
ObjectClass       : group
ObjectGUID        : 625b4911-301a-4249-8c39-40b88734a124
SamAccountName    : Managers
SID               : S-1-5-21-910751839-3601328731-670513855-1138

Now we need to select just the users who are managers to add to the group. We can do that by using the Description property, because we populated that when we created the users, and we know it includes ”Manager“ in the description for those who are managers. This would be easy if we could just pass the results of Get-ADUser directly through the pipeline to Add-ADGroupMember, but we can’t. So, instead, we’ll create an array of SAM account names from the results of Get-ADUser.

$ManagerArray = (Get-ADUser -Filter {Description -like “*Manager*” } `
                            -Properties Description).SAMAccountName

Now we’ll use the $ManagerArray variable with Add-ADGroupMember.

Add-ADGroupMember -Identity “Managers” -Members $ManagerArray -PassThru

And finally, to confirm the identity of who we added, use this.

Get-ADGroupMember -Identity Managers | ft -auto SAMAccountName,Name
SAMAccountName Name
-------------- ----
Trey           Trey Barksdale
Wally          William Wallace
Harold         Harold Catz
Dave           David Guy

But there’s a problem with that—it really doesn’t confirm that the users we added were managers. We could try changing that Format-Table command to the following.

ft -auto SAMAccountName,Name,Description

Unfortunately, that just yields an empty column for the Description field. And we can understand why with this.

Get-ADGroupMember -Identity Managers | Get-Member
TypeName: Microsoft.ActiveDirectory.Management.ADPrincipal

Name              MemberType            Definition
----              ----------            ----------
Contains          Method                bool Contains(string propertyName)
Equals            Method                bool Equals(System.Object obj)
GetEnumerator     Method                System.Collections.IDictionaryEnumerator GetEnumerator()
GetHashCode       Method                int GetHashCode()
GetType           Method                type GetType()
ToString          Method                string ToString()
Item              ParameterizedProperty 
Microsoft.ActiveDirectory.Management.ADPropertyValueCollection Item(string p...
distinguishedName Property              System.String distinguishedName {get;set;}
name              Property              System.String name {get;}
objectClass       Property              System.String objectClass {get;set;}
objectGUID        Property              System.Nullable`1[[System.Guid, mscorlib,
Version=4.0.0.0, Culture=neutral, ...
SamAccountName    Property              System.String SamAccountName {get;set;}
SID               Property              System.Security.Principal.SecurityIdentifier
SID {get;set;}

We can’t add a -Properties Description to the Get-ADGroupMember, because it doesn’t support that parameter, so instead, we pass the results through Get-ADUser, which does support the Properties parameter, and now we get the following.

Get-ADGroupMember -Identity Managers `
                   | Get-ADUser -Properties Description `
                   | Format-Table -auto SAMAccountName,Name,Description

SAMAccountName Name            Description
-------------- ----            -----------
Trey           Trey Barksdale  Sales Manager
Wally          William Wallace Marketing Manager
Harold         Harold Catz     Engineering Manager
Dave           David Guy       Customer Appreciation Manager

That worked. Now we can clearly tell that each of the members of the Managers group is described as a manager in Active Directory.

How about adding a user to multiple groups at a time? We saw earlier in the “Create users” section that we could do that with a loop, but wouldn’t it be more efficient to just do it in a single command? Let’s give Alfie the power he’s always wanted and make him a superuser, just like Charlie. And, instead of looping, we’ll use the Add-ADPrincipalGroupMembership cmdlet.

$Groups = (Get-ADUser -Identity Charlie -Properties *).MemberOf
Add-ADPrincipalGroupMembership -Identity Alfie -MemberOf $Groups

(Get-ADUser -Identity Alfie -Properties MemberOf).MemberOf
CN=Group Policy Creator Owners,CN=Users,DC=TreyResearch,DC=net
CN=Domain Admins,CN=Users,DC=TreyResearch,DC=net
CN=Enterprise Admins,CN=Users,DC=TreyResearch,DC=net
CN=Schema Admins,CN=Users,DC=TreyResearch,DC=net
CN=Administrators,CN=Builtin,DC=TreyResearch,DC=net

Now Alfie has his wish; he’s a superuser. But really, that’s more than we think he should have, so instead, we’ll just give him basic Domain Admins membership by removing him from the groups he really shouldn’t be in.

Remove-ADPrincipalGroupMembership -Identity Alfie `
                                  -MemberOf “Enterprise Admins”,`
                                            “Schema Admins”,`
                                            “Group Policy Creator Owners” `
                                  -PassThru

And after we confirm that we really want to do it, Alfie has been reduced to a more reasonable level, as shown with the following.

(Get-ADUser -Identity Alfie -Properties MemberOf).MemberOf
CN=Domain Admins,CN=Users,DC=TreyResearch,DC=net
CN=Administrators,CN=Builtin,DC=TreyResearch,DC=net