{"id":51473,"date":"2010-01-27T00:01:00","date_gmt":"2010-01-27T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2010\/01\/27\/hey-scripting-guy-can-i-use-windows-powershell-to-manage-ad-ds-security-groups\/"},"modified":"2010-01-27T00:01:00","modified_gmt":"2010-01-27T00:01:00","slug":"hey-scripting-guy-can-i-use-windows-powershell-to-manage-ad-ds-security-groups","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-can-i-use-windows-powershell-to-manage-ad-ds-security-groups\/","title":{"rendered":"Hey, Scripting Guy! Can I Use Windows PowerShell to Manage AD DS Security Groups?"},"content":{"rendered":"

\"Bookmark<\/a><\/p>\n

 \n\"Hey,<\/p>\n

Hey, Scripting Guy! I am a MCSE and I still remember my instructor at the training center running around the room shouting, “Users go into groups, and groups get assigned rights and permissions.” Over and over again in different manners and in different language, but always with the same intent, he kept repeating the same mantra. I could not get that phrase out of my head, which was a good thing when it came time to take the exam. My network is therefore organized in such a way that I make extensive use of security groups. My question is this: Is there a way I can use Windows PowerShell to create and manage security groups in Active Directory Domain Services (AD DS)?<\/p>\n

— DM<\/p>\n

\n

 <\/p>\n<\/p>\n

\"Hey,Hello DM, <\/p>\n

Microsoft Scripting Guy Ed Wilson here. I was up late last night reading Homer’s Odyssey<\/font><\/a>, and therefore I did not spring from my slumber with my normal Scripting Guy exuberance. I therefore added an extra scoop of English Breakfast tea leaves to my pot before heading up to the Scripting Guy command center. There were several cool tweets on Twitter that needed responses, and with Deep Purple cranked up so loud on my Zune HD that the Venetian blinds<\/font><\/a> were actually rattling, I dove into the scripter@microsoft.com<\/a> inbox. <\/p>\n

Your mail brought back fond memories of Cincinnati where I used to teach the class for the Microsoft NT 4.0 Server in the Enterprise Exam 70-068. (I contributed to a study guide for that exam—one of my first projects as a writer.) Speaking of Cincinnati, I found the following picture of the Cincinnati Tyler Davidson Fountain<\/font><\/a> that I took a few years ago when I was teaching a VBScript class at the Microsoft Office there.<\/p>\n

\"Image<\/p>\n

\n

 <\/p>\n<\/p>\n

DM, let us now get started. To create a new global security group, use the New-ADGroup<\/b> Windows PowerShell AD DS cmdlet. The New-ADGroup<\/b> Windows PowerShell cmdlet requires three parameters: the name of the group, a path to the location where the group will be stored, and the groupscope<\/b> (global<\/b>, universal<\/b>, or domainlocal<\/b>). Before running the command seen here, remember you must import the ActiveDirectory<\/b> module into your current Windows PowerShell session. For more information about working with the ActiveDirectory<\/b> module, see Monday’s Hey, Scripting Guy! Blog post<\/font><\/a>.<\/p>\n

New-ADGroup -Name hsgTestGroup -Path “ou=HSG_TestOU,dc=nwtraders,dc=com” -groupScope global<\/p>\n

<\/font><\/span><\/p>\n

The newly created group is seen in the following image.<\/p>\n

\"Image<\/p>\n

\n

 <\/p>\n<\/p>\n

To create a new universal group, you only need to change the groupscope<\/b> parameter value, as seen here. <\/p>\n

New-ADGroup -Name hsgTestGroup1 -Path “ou=HSG_TestOU,dc=nwtraders,dc=com” -groupScope universal<\/p>\n

<\/font><\/span><\/p>\n

The newly created universal group is seen in Active Directory Users and Computers, as shown in the following image.<\/p>\n

\"Image<\/p>\n

\n

 <\/p>\n<\/p>\n

To add a user to a group, you must supply values for the identity<\/b> parameter and the members<\/b> parameter. The value you use for the identity<\/b> parameter is the name of the group. You do not need to use the LDAP syntax of cn=groupname<\/b>.<\/i> You need only to supply the name. In examining the LDAP attributes for a group in ADSI Edit, as seen in the following image, you can obtain the needed value from several fields. <\/p>\n

\"Image<\/p>\n

\n

 <\/p>\n<\/p>\n

It is a bit unusual that the -members<\/b> parameter is\nnamed members<\/b> and not member<\/b> because most Windows PowerShell cmdlet parameter names are singular and not plural. The parameters are singular even when they accept an array of values (such as the computername<\/b> parameter). The command to add a new group named hsgTestGroup1<\/b> to the hsgUserGroupTest<\/b> group is seen here:<\/p>\n

Add-ADGroupMember -Identity hsgTestGroup1 -Members hsgUserGroupTest<\/p>\n

<\/font><\/span><\/p>\n

To remove a user from a group, use the Remove-ADGroupMember<\/b> cmdlet with the name of the user and group. The identity<\/b> and members<\/b> parameters are required, but the command will not execute without confirmation, as seen here:<\/p>\n

PS C:> Remove-ADGroupMember -Identity hsgTestGroup1 -Members hsgUserGroupTest<\/p>\n

Confirm
Are you sure you want to perform this action?
Performing operation “Set” on Target “CN=hsgTestGroup1,OU=HSG_TestOU,DC=NWTraders,DC=Com”.
[Y] Yes  <\/span>[A] Yes to All  <\/span>[N] No  <\/span>[L] No to All  <\/span>[S] Suspend  <\/span>[?] Help (default is “Y”): y
PS C:><\/p>\n

<\/font><\/span><\/p>\n

If you are sure that you wish to remove the user from the group and you wish to suppress the query, use the –confirm<\/b> parameter and assign the value $false<\/b> to it. The problem is you will need to supply a colon between the parameter and $false<\/b> value. <\/p>\n

The use of the colon before the –confirm<\/b> parameter is not documented, and took me more than two hours of experimentation to figure out. I also did extensive searches on Bing<\/font><\/a> and was unable to find anything. <\/p>\n

The command is seen here: <\/p>\n

Remove-ADGroupMember -Identity hsgTestGroup1 -Members hsgUserGroupTest -Confirm:$false<\/p>\n

<\/font><\/span><\/p>\n

You need the ability to suppress the confirmation prompt to be able to use the Remove-ADGroupMember<\/b> cmdlet in a script. The first thing the RemoveUserFromGroup.ps1 script does is load the activedirectory<\/b> module. After the module is loaded, the Remove-ADGroupMember<\/b> cmdlet is used to remove the user from the group. To suppress the confirmation prompt, the –confirm:$false<\/b> command is used. The RemoveUserFromGroup.ps1 script is seen here. <\/p>\n

RemoveUserFromGroup.ps1<\/p>\n

<\/strong><\/p>\n

import-module activedirectory<\/p>\n

<\/font><\/span><\/p>\n

Remove-ADGroupMember -Identity hsgTestGroup1 -Members hsgUserGroupTest -Confirm:$false<\/p>\n

<\/font><\/span><\/p>\n

DM, that is all there is to working with Groups in Active Directory. Active Directory Week will continue tomorrow. <\/p>\n

If you want to know exactly what we will be looking at tomorrow, follow us on Twitter<\/a> or FaceBook<\/a>. If you have any questions, send e-mail to us at scripter@microsoft.com<\/a> or post them on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

\n

 <\/p>\n<\/p>\n

Ed Wilson and Craig Liebendorfer, Scripting Guys<\/span><\/b><\/p>\n

 <\/p>\n<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

  Hey, Scripting Guy! I am a MCSE and I still remember my instructor at the training center running around the room shouting, “Users go into groups, and groups get assigned rights and permissions.” Over and over again in different manners and in different language, but always with the same intent, he kept repeating the […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,44,3,45],"class_list":["post-51473","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-groups","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"

  Hey, Scripting Guy! I am a MCSE and I still remember my instructor at the training center running around the room shouting, “Users go into groups, and groups get assigned rights and permissions.” Over and over again in different manners and in different language, but always with the same intent, he kept repeating the […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/51473","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=51473"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/51473\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=51473"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=51473"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=51473"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}