Hey, Scripting Guy! Can I Use Windows PowerShell to Manage AD DS Security Groups?



  Hey, Scripting Guy! Question

Hey, Scripting Guy! I am an MCSE and I still remember my instructor at the training center running around the room shouting, “Users go into groups, and groups get assigned rights and permissions.” Over and over again in different manners and in different language, but always with the same intent, he kept repeating the same mantra. I could not get that phrase out of my head, which was a good thing when it came time to take the exam. My network is therefore organized in such a way that I make extensive use of security groups. My question is this: Is there a way I can use Windows PowerShell to create and manage security groups in Active Directory Domain Services (AD DS)?

— DM


  Hey, Scripting Guy! Answer

Hello DM,

Microsoft Scripting Guy Ed Wilson here. I was up late last night reading Homer’s Odyssey, and therefore I did not spring from my slumber with my normal Scripting Guy exuberance. I therefore added an extra scoop of English Breakfast tea leaves to my pot before heading up to the Scripting Guy command center. There were several cool tweets on Twitter that needed responses, and with Deep Purple cranked up so loud on my Zune HD that the Venetian blinds were actually rattling, I dove into the scripter@microsoft.com inbox.

Your mail brought back fond memories of Cincinnati where I used to teach the class for the Microsoft NT 4.0 Server in the Enterprise Exam 70-068. (I contributed to a study guide for that exam—one of my first projects as a writer.) Speaking of Cincinnati, I found the following picture of the Cincinnati Tyler Davidson Fountain that I took a few years ago when I was teaching a VBScript class at the Microsoft Office there.

Image of Tyler Davidson Fountain


DM, let us now get started. To create a new global security group, use the New-ADGroup Windows PowerShell AD DS cmdlet. Two parameters are mandatory: the name of the group and the groupscope (global, universal, or domainlocal). The path parameter, which tells the cmdlet where in the directory to store the group, is optional; if you leave it out, the group lands in the domain's default container for groups (normally CN=Users), so in practice you will want to supply it. The groupcategory parameter defaults to security, which is why the commands in this post create security groups rather than distribution groups. Before running the command seen here, remember you must import the ActiveDirectory module into your current Windows PowerShell session. For more information about working with the ActiveDirectory module, see Monday’s Hey, Scripting Guy! Blog post.

New-ADGroup -Name hsgTestGroup -Path "ou=HSG_TestOU,dc=nwtraders,dc=com" -groupScope global

The newly created group is seen in the following image.

Image of newly created group


To create a new universal group, you only need to change the groupscope parameter value, as seen here.

New-ADGroup -Name hsgTestGroup1 -Path "ou=HSG_TestOU,dc=nwtraders,dc=com" -groupScope universal

The newly created universal group is seen in Active Directory Users and Computers, as shown in the following image.

Image of newly create universal group
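The two commands above are not idempotent: running either a second time throws because the group already exists, and neither checks afterwards that the group came out with the scope and category you intended. The following is an added example, not code from the original post, that wraps New-ADGroup in a function which first looks for an existing group by sAMAccountName, states the security category explicitly, and returns the created object so its scope and category can be inspected. The OU path, group names and descriptions are assumed lab values for the nwtraders.com domain used in the post.

```powershell
# Added example: create security groups only if they are missing, then verify
# scope and category. The OU path and group names are assumed lab values.
Import-Module ActiveDirectory

$ouPath = 'OU=HSG_TestOU,DC=nwtraders,DC=com'   # assumed OU, matches the post

function New-SecurityGroupIfMissing {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('Global', 'Universal', 'DomainLocal')] [string] $Scope,
        [Parameter(Mandatory)] [string] $Path,
        [string] $Description = ''
    )

    # Get-ADGroup -Identity throws a terminating error when nothing matches,
    # so probe with -Filter instead; an empty result simply means "not found".
    $existing = Get-ADGroup -Filter { SamAccountName -eq $Name }
    if ($existing) {
        Write-Verbose "Group $Name already exists at $($existing.DistinguishedName)"
        return $existing
    }

    # Security is the default category, but name it explicitly so that a
    # distribution group (which carries no rights) is never created by mistake.
    # -PassThru returns the new ADGroup object for verification.
    New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
        -GroupCategory Security -Path $Path -Description $Description -PassThru
}

$globalGroup    = New-SecurityGroupIfMissing -Name 'hsgTestGroup'  -Scope Global `
                      -Path $ouPath -Description 'HSG lab: global security group'
$universalGroup = New-SecurityGroupIfMissing -Name 'hsgTestGroup1' -Scope Universal `
                      -Path $ouPath -Description 'HSG lab: universal security group'

# Confirm what the directory actually holds rather than trusting the calls succeeded.
$globalGroup, $universalGroup |
    Select-Object Name, GroupScope, GroupCategory, DistinguishedName |
    Format-Table -AutoSize
```

Run it a second time and it returns the existing groups instead of failing, which is what you want from a provisioning script that may be re-run after a partial failure.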


To add a user to a group, you must supply values for the identity parameter and the members parameter. The value you use for the identity parameter identifies the group. You do not need to use the LDAP syntax of cn=groupname; the identity parameter accepts a distinguished name, a GUID, a SID, or a SAM account name, so for a group the plain name is usually enough. In examining the LDAP attributes for a group in ADSI Edit, as seen in the following image, you can obtain the needed value from several fields (distinguishedName, objectGUID, objectSid, and sAMAccountName).

Image of LDAP attributes for a group in ADSI Edit


It is a bit unusual that the -members parameter is named members and not member because most Windows PowerShell cmdlet parameter names are singular and not plural. The parameters are singular even when they accept an array of values (such as the computername parameter). The command to add the user hsgUserGroupTest to the hsgTestGroup1 group is seen here (the group goes in -Identity, the member being added goes in -Members; reversing them attempts to add the group to the user):

Add-ADGroupMember -Identity hsgTestGroup1 -Members hsgUserGroupTest

To remove a user from a group, use the Remove-ADGroupMember cmdlet with the name of the user and group. The identity and members parameters are required. Because Remove-ADGroupMember declares a high confirm impact, it prompts for confirmation even at the default $ConfirmPreference, so the command will not execute without confirmation, as seen here:

PS C:\> Remove-ADGroupMember -Identity hsgTestGroup1 -Members hsgUserGroupTest

Are you sure you want to perform this action?
Performing operation "Set" on Target "CN=hsgTestGroup1,OU=HSG_TestOU,DC=NWTraders,DC=Com".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
PS C:\>

If you are sure that you wish to remove the user from the group and you wish to suppress the query, use the -Confirm parameter and assign the value $false to it. The catch is that -Confirm is a switch parameter, and a switch takes an explicit value only when the value is attached with a colon: -Confirm:$false. Written with a space instead (-Confirm $false), the $false is not bound to -Confirm at all; it is treated as a separate positional argument, and the command fails.

The use of the colon before the -confirm parameter is not documented, and took me more than two hours of experimentation to figure out. I also did extensive searches on Bing and was unable to find anything.

The command is seen here:

Remove-ADGroupMember -Identity hsgTestGroup1 -Members hsgUserGroupTest -Confirm:$false

You need the ability to suppress the confirmation prompt to be able to use the Remove-ADGroupMember cmdlet in a script. Keep in mind what you are giving up: the prompt is the only thing standing between a typo in a group name and an unintended change to group membership, so test a script like this with -WhatIf (which prints the same "Set" operation without performing it) before you let it run with -Confirm:$false. The first thing the RemoveUserFromGroup.ps1 script does is load the ActiveDirectory module. After the module is loaded, the Remove-ADGroupMember cmdlet is used to remove the user from the group. To suppress the confirmation prompt, the -Confirm:$false parameter is used. The RemoveUserFromGroup.ps1 script is seen here.


# RemoveUserFromGroup.ps1
# Load the AD DS cmdlets into the current session.
Import-Module ActiveDirectory

# Remove the user from the group; -Confirm:$false suppresses the confirmation prompt
# that Remove-ADGroupMember otherwise raises, so the script can run unattended.
Remove-ADGroupMember -Identity hsgTestGroup1 -Members hsgUserGroupTest -Confirm:$false
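The one-line script works, but it trusts a bare name for both objects and never checks the result. The following is an added example, not code from the original post, that covers the whole membership cycle described above (Add-ADGroupMember, a confirmation-free Remove-ADGroupMember) the way you would want it in a script run against production groups: both objects are resolved to distinguished names first so an ambiguous name cannot hit the wrong object, the removal is rehearsed with -WhatIf, and the membership is re-read afterwards instead of assumed. The group and user names are the post's lab values; the Test-IsMember helper is an assumption of this example, not an AD module cmdlet.

```powershell
# Added example: add a member, rehearse the removal, remove without a prompt,
# and verify. Group and user names are the post's assumed lab values.
Import-Module ActiveDirectory

$groupName = 'hsgTestGroup1'
$userName  = 'hsgUserGroupTest'

# Resolve both sides before touching anything. -Identity accepts a SAM account
# name, DN, GUID or SID; an unknown identity is a terminating error, which is
# exactly where we want a bad name to stop the script.
$group = Get-ADGroup -Identity $groupName
$user  = Get-ADUser  -Identity $userName

# Helper (assumed, not part of the AD module): is $MemberDn a direct member of
# $GroupDn? Add -Recursive to Get-ADGroupMember to include nested membership.
function Test-IsMember {
    param([string] $GroupDn, [string] $MemberDn)
    $memberDns = Get-ADGroupMember -Identity $GroupDn |
        Select-Object -ExpandProperty DistinguishedName
    return ($memberDns -contains $MemberDn)
}

# Add the user only if not already a member (Add-ADGroupMember errors otherwise).
if (-not (Test-IsMember $group.DistinguishedName $user.DistinguishedName)) {
    Add-ADGroupMember -Identity $group.DistinguishedName -Members $user.DistinguishedName
}

# Dry run: -WhatIf prints the "Set" operation on the group's DN without doing it.
Remove-ADGroupMember -Identity $group.DistinguishedName `
    -Members $user.DistinguishedName -WhatIf

# Real removal. -Confirm:$false is the switch-parameter form for passing an
# explicit value; it is the only way to get past the high-impact prompt unattended.
Remove-ADGroupMember -Identity $group.DistinguishedName `
    -Members $user.DistinguishedName -Confirm:$false

# Verify the directory reflects the change rather than assuming it did.
if (Test-IsMember $group.DistinguishedName $user.DistinguishedName) {
    throw "$userName is still a member of $groupName"
}
Write-Output "$userName removed from $groupName"
```

Passing distinguished names to -Identity and -Members is the important habit here: once a script carries -Confirm:$false, an identity that resolves to something other than you intended is applied silently, and DNs leave no room for that.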

DM, that is all there is to working with groups in Active Directory. Active Directory Week will continue tomorrow.

If you want to know exactly what we will be looking at tomorrow, follow us on Twitter or Facebook. If you have any questions, send e-mail to us at scripter@microsoft.com or post them on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.


Ed Wilson and Craig Liebendorfer, Scripting Guys