In this post, I will talking about how to create Active Directory Groups with Powershell. If you have been following along with my previous posts, I have already written an article on how to install an Active Directory domain and how to add users using Powershell.
Before we jump into creating groups, let us first understand what are the different options that we have at our disposal when we think of groups in Active Directory.
Microsoft has basically divided groups into two categories. The two categories are Group Type and Group Scope.
Now let us first dig into Group Types. There are two group types when we talk about Groups in Active Directory which are Distribution groups and Security groups.
- Distribution groups are used primarily by email applications. These groups are not security enabled—they do not have SIDs—so they cannot be given permission to resources. Sending a message to a distribution group sends the message to all members of the group.
- Security groups are security principals with SIDs. These groups can therefore be used in permission entries in ACLs to control security for resource access. Security groups can also be used as distribution groups by email applications. If a group will be used to manage security, it must be a security group.
Based on the group scope, there are four different types. They are Local, Domain Local, Universal, and Global groups.
Local Groups: Local groups are truly local—defined on and available to a single computer. Local groups are created in the security accounts manager (SAM) database of a domain member computer — both workstations and servers have local groups.
Domain Local Groups: Domain local groups are used primarily to manage permissions to resources.
Global Groups: Global groups are used primarily to define collections of domain objects based on business roles.
Universal Groups: Universal Groups can have members from any domain in the forest.
I have this table which will summarize different types of groups and their use cases in a real environment.
Alright, now that we have the understanding of different group types and group scopes, lets continue with Powershell to start creating them.
$rootDN = (Get-ADDomain).DistinguishedName
In the above line, I am setting a variable called rootDN which will basically contain the name of my domain. We are doing this so that we do not have to keep typing the same thing over and over again.
So you must be wondering what will be the cmdlet that will help you create a New AD Group?
Well, it could not have not got simpler, it is New-ADGroup!!
So let us go ahead and create a distribution group called DL-HR, and it will be a domain local group within the HR OU of our root ddomain.
New-ADGroup -Path "OU=HR,$rootDN" -Name "DL-HR" -GroupScope DomainLocal -GroupCategory Distribution
As you can see above, the parameter GroupScope lets us define what will the scope of the group and the parameter GroupCategory will help us telling powershell whether is group is going to be security or distribution group.
Also note that, in the Path parameter I am using the variable rootDN that we had set earlier.
Let us see another example.
New-ADGroup -Path "OU=Engineering,$rootDN" -Name "DL-Engineering" -GroupScope Global -GroupCategory Security
OK! Now that we have groups created, let us go ahead and add some users to the group. The cmdlet that helps you add users is Add-ADGroupMember
New-ADGroup -SamAccountName 'G_Purchasing' -GroupScope Global -GroupCategory Security
Get-ADGroup G_Purchasing | Add-ADGroupMember Ronnie
In the above example, we created a new Global Security group and gave it a name G_Purchasing. Then, we queried the group using Get-ADGroup and a user called Ronnie to the group.
And I always say, please use the help system if you want to understand how the cmdlet work and also you can view the examples associated with the cmdlet.
If you would like to remove an user from the group, then you would use Remove-ADGroupMember.
Alright, so we introduced ourselves today with how to create different types of groups, why and when you would use a group and also how to add and remove the users from the group. All of this by using Powershell, which was literally very easy! If you have any doubts or questions, please put it down in the comments section and I will try to answer all of them.
I hope this was informative and thank you for reading!