Use PowerShell to Create Local Groups
Doctor Scripto
Summary: Microsoft Scripting Guy, Ed Wilson, talks about creating local groups.Microsoft Scripting Guy, Ed Wilson, is here. Creating a local group works exactly the same way as creating a local user account (see Use PowerShell to Create Local User Accounts). The process involves the following steps:
- Create a connection to the local user account database by using the [ADSI] type accelerator and WinNT.
- Use the connection to call the Create method, and specify two values for the method call: Group in the first position and the name of the group in the second position.
- Call SetInfo to write the group back to the local account database.
- Specify a value for the description.
- Call Setinfo again to write the description to the group.
Notes
- When creating a local group, you must open the Windows PowerShell console or the Windows PowerShell ISE with Admin rights
- When using WinNT, it must be capitalized exactly like this: WinNT.
At this point, there are no Windows PowerShell cmdlets from Microsoft that make it easy to create a local user account or a local group. Although it is possible to use the Desired State Configuration (DSC ) provider and the local account provider, this requires Windows PowerShell 4.0. There are a couple of modules written, such as my Local Account Management module, which expose advanced functions to make this easier. Other than that, it is old-school ADSI to the rescue.
Create the connection to the local account database
The first thing I do is use the ADSI type accelerator and the WinNT provider to make a connection to the local account database on my computer. I store the returned object in a variable named $cn as shown here:
$cn = [ADSI]”WinNT://edlt”
Call the create method to create the group
When I have my connection to the local account database, I can call the Create method. This method does not show up via Tab expansion or Get-Member. But it is available, and it does work. When I call the Create method, I supply two values. The first is the keyword Group, and the second is the name of the group. In the following example, I call the group mygroup:
$group = $cn.Create(“Group”,”mygroup”)
Call SetInfo
Now I need to call the SetInfo method to write the object back to the local account database:
PS C:> $group.setinfo
OverloadDefinitions
——————- Once again, note that the SetInfo method does not appear via Tab expansion. When I call this method, I must include empty parenthesis ( () ) at the end of the method call, or else the syntax appears. Here is the command I use:
$group.setinfo()
Add a description
Now I want to add a description to the group. This is optional, but I consider it a best practice from when I used to be a network administrator. I would often find groups and service accounts that were created with no description and no information as to why they were there or what they were used for. By adding a description, the group becomes self-documenting. When I see a group with a description of “test group” I can be pretty safe in deleting it. Even better is the description “safe to delete.” Here is the command:
$group.description = “Test group”
$group.SetInfo()The complete script is shown here:
# CreateLocalGroup.ps1
$cn = [ADSI]”WinNT://edlt”
$group = $cn.Create(“Group”,”mygroup”)
$group.setinfo()
$group.description = “Test group”
$group.SetInfo()That is all there is using Windows PowerShell to creating a local group. Obviously, I need to add members to the group, and that is what I will discuss tomorrow. I can also use standard Windows PowerShell techniques to test for things like if the group exists or to create multiple groups.I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.Ed Wilson, Microsoft Scripting Guy
Light
Dark
0 comments