Building a Demo Active Directory: Part 3

Doctor Scripto

Dr Scripto

Summary: Create security groups in targeted organizational units in Active Directory. Hey, Scripting Guy! Question Hey, Scripting Guy! I was wondering if you could please show me how to use Windows PowerShell to create some security groups inside a set of organizational units in Active Directory. Is it difficult? —DS Hey, Scripting Guy! Answer Hello DS, Honorary Scripting Guy, Sean Kearney here, filling in for our good friend, Ed. To catch up on the first parts in this series, please read:

In Windows Server 2012 R2 or Windows Server 2008 R2, creating security groups got far easier with built-in cmdlets for Active Directory. In Part 2 of this series, I introduced you to the New-ADOrganizationalUnit cmdlet. Today we’re going to the see the New-ADGroup cmdlet in action! In our demo Active Directory, our next task is to create some security groups. We’re going to keep this simple and effective. We’re going to place a security group that is based on the division and location in the final branch of each structure. Let’s take a look at our variables for divisions and cities:

$CityOU=”Tokyo”,”Redmond”,”Ottawa”,”Madrid”,”New Orleans”,”Queensland”

$DivisionOU=”Sales”,”Marketing”,”HR”,”Finance” Now I’m going to have each group based on the CityOU name and the DivisionOU name. We’re going to concatenate each one, separated by a hyphen. We’ll use a simple loop that will accomplish the following:

  • Assign our current city to the variable $City
  • Assign our current division to the variable $Division
  • Build a group name by combining the city and division with no spaces and a hyphen separating them
  • Populate the description of the group with similar details

First we’ll build the group name and ensure that any blank spaces are removed:

$GroupName=$City.replace(” “,””)+”-“+$Division.replace(” “,””) Then we build the group’s description:

$GroupDescription=”$Division in $City Access Group” I plan on using this particular set of instructions later when I populate users based on city and division, so I’m going to make this into a simple function:

Function GET-GroupInfo()







$GroupName=$City.replace(” “,””)+”-“+$Division.replace(” “,””)

$GroupDescription=”$Division in $City Access Group”


# Return the Results (This is a feature new to version 3)



} Now we’ll take our original script to populate the organizational units and insert our new code to not only build a security group, but also populate it within targeted sections of our demo Active Directory environment:


$CityOU=”Tokyo”,”Redmond”,”Ottawa”,”Madrid”,”New Orleans”,”Queensland”






NEW-ADOrganizationalUnit -name $BaseOU -path $Domain


# Gather through list of Cities

Foreach ($City in $CityOU)


# Create OU for City

NEW-ADOrganizationalUnit -path $CompanyPath -name $City


# Gather through list of Divisions

Foreach($Division in $DivisionOU)



            # Create Division within City

            NEW-ADOrganizationalUnit -path “OU=$City,$CompanyPath” -name $Division


            # Create Group within Division and Description

            $GroupData=GET-GroupInfo -City $City -Division $Division





NEW-ADGroup -name $GroupName -GroupScope Global -Description `

$GroupDescription –Path “OU=$Division,OU=$City,$CompanyPath”



} Neat, eh? So with some basic variables, we now have a now simple Active Directory structure with built-in security groups! Next, I think we might need some users. For that, pop-in tomorrow when I will show you how with only 15 male and female names, I can build as large a demo environment as you could ever want in Active Directory! See you tomorrow! I invite you to follow the Scripting Guys on Twitter and Facebook. If you have any questions, send email to, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace. Sean Kearney, Honorary Scripting Guy andWindows PowerShell MVP


Comments are closed. Login to edit/delete your existing comments