October 2nd, 2014

Use PowerShell to Create Local Groups

Doctor Scripto
Scripter

Summary: Microsoft Scripting Guy, Ed Wilson, talks about creating local groups.

Microsoft Scripting Guy, Ed Wilson, is here. Creating a local group works exactly the same way as creating a local user account (see Use PowerShell to Create Local User Accounts). The process involves the following steps:

  1. Create a connection to the local user account database by using the [ADSI] type accelerator and WinNT.
  2. Use the connection to call the Create method, and specify two values for the method call: Group in the first position and the name of the group in the second position.
  3. Call SetInfo to write the group back to the local account database.
  4. Specify a value for the description.
  5. Call SetInfo again to write the description to the group.

  Notes 

  • When creating a local group, you must open the Windows PowerShell console or the Windows PowerShell ISE with Admin rights.
  • When using WinNT, it must be capitalized exactly like this: WinNT.

At this point, there are no Windows PowerShell cmdlets from Microsoft that make it easy to create a local user account or a local group. Although it is possible to use the Desired State Configuration (DSC) provider and the local account provider, this requires Windows PowerShell 4.0. There are a couple of modules, such as my Local Account Management module, that expose advanced functions to make this easier. Other than that, it is old-school ADSI to the rescue.

Create the connection to the local account database

The first thing I do is use the ADSI type accelerator and the WinNT provider to make a connection to the local account database on my computer. I store the returned object in a variable named $cn as shown here:

$cn = [ADSI]"WinNT://edlt"

Call the create method to create the group

When I have my connection to the local account database, I can call the Create method. This method does not show up via Tab expansion or Get-Member. But it is available, and it does work. When I call the Create method, I supply two values. The first is the keyword Group, and the second is the name of the group. In the following example, I call the group mygroup:

$group = $cn.Create("Group","mygroup")

Call SetInfo

Now I need to call the SetInfo method to write the object back to the local account database:

PS C:\> $group.setinfo

OverloadDefinitions
-------------------

Once again, note that the SetInfo method does not appear via Tab expansion. When I call this method, I must include empty parentheses ( () ) at the end of the method call, or else the syntax appears. Here is the command I use:

$group.setinfo()

Add a description

Now I want to add a description to the group. This is optional, but I consider it a best practice from when I used to be a network administrator. I would often find groups and service accounts that were created with no description and no information as to why they were there or what they were used for. By adding a description, the group becomes self-documenting. When I see a group with a description of “test group” I can be pretty safe in deleting it. Even better is the description “safe to delete.” Here is the command:

$group.description = "Test group"

$group.SetInfo()

The complete script is shown here:

# CreateLocalGroup.ps1
$cn = [ADSI]"WinNT://edlt"
$group = $cn.Create("Group","mygroup")
$group.setinfo()
$group.description = "Test group"
$group.SetInfo()

That is all there is to using Windows PowerShell to create a local group. Obviously, I need to add members to the group, and that is what I will discuss tomorrow. I can also use standard Windows PowerShell techniques to test for things like if the group exists or to create multiple groups.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy
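The existence test and multiple-group creation mentioned at the end of the post, as an added example that is not part of the original post or Ed Wilson's module. The function name New-LocalGroupIfMissing, the sample group names and descriptions, and the use of $env:COMPUTERNAME in place of the computer name edlt are assumptions made for illustration.

```powershell
# Added example: idempotent local group creation through the WinNT provider.
# New-LocalGroupIfMissing is a hypothetical helper name, not a Microsoft cmdlet.
function New-LocalGroupIfMissing {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        # A description is mandatory so every group created here documents itself.
        [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()][string]$Description,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $cn = [ADSI]"WinNT://$ComputerName"
    # Enumerate existing local groups instead of relying on Create to fail.
    $existing = $cn.Children | Where-Object {
        $_.SchemaClassName -eq 'group' -and [string]$_.Name -eq $Name
    }
    if ($existing) {
        Write-Verbose "Group '$Name' already exists on $ComputerName."
        return $false
    }
    $group = $cn.Create('Group', $Name)
    $group.SetInfo()                      # write the new group
    $group.Description = $Description
    $group.SetInfo()                      # write the description
    return $true
}

# Creating local groups requires an elevated session; stop early if it is not.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated Windows PowerShell console or ISE.'
}

# Constructed sample input: names and descriptions are illustrative only.
$groups = @{
    'mygroup'      = 'Test group'
    'BackupOps-QA' = 'QA backup operators; owner: infra team'
}
foreach ($entry in $groups.GetEnumerator()) {
    $created = New-LocalGroupIfMissing -Name $entry.Key -Description $entry.Value
    '{0}: {1}' -f $entry.Key, $(if ($created) { 'created' } else { 'already present' })
}

# Report existing local groups that have no description at all.
([ADSI]"WinNT://$env:COMPUTERNAME").Children |
    Where-Object { $_.SchemaClassName -eq 'group' -and -not [string]$_.Description } |
    ForEach-Object { [string]$_.Name }
```

Running it a second time reports every group as already present, and the final pipeline lists the undocumented groups the description practice above is meant to prevent.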
