Making the Perfect Group

This is part 2 of my series on adding users and groups to Active Directory (AD) with PowerShell. Part 1 Adding Users to AD Via PowerShell explains the steps to add users. Users are only half the battle. I find that users are best dealt with when grouped into the perfect grouping.

Step 0 – Import the Active Directory Modules:
Before we can even begin to try out commands we must make sure the Active Directory Modules have been imported. You can skip actually importing by running the predefined PowerShell prompt with Active Directory, which can be found amongst your Administrator Tools on the server. Or the old fashion way and enter the commands.
PS C:\> Import-Modules active*

Step 1 – Learn the Command:
The command that will be used for creating groups is New-ADGroup. (A very creative name they gave it. I am slowly realizing that any task you want to perform finding the command isn’t difficult in PowerShell it is determining the correct module that is hard.) The specifics of the command can be found on TechNet (, but I will provide a high level review of the parameters most important to my task.

  • Name
    • The name for the group. This sets the AD Name property.
    • This is a required value.
  • GroupScope
    • Defines the scope of the group.
    • This is a required value.
    • Possible values are: DomainLocal or 0, Global or 1, Universal or 2.
    • Example: -GroupScope 1 or -GroupScope Global will both set the group scope value to global
  • Description
    • Provides a description for the group.
  • DisplayName
    • The text to be displayed for the group.
  • PassThru
    • New-ADGroup by default returns no value, this parameter causes the cmdlet to return an object of the newly created group.
  • SamAccountName
    • Defines the Security Account Manager (SAM) for the group.
  • Path
    • Defines the Organizational Unit (OU) which the group should be created in.
    • This expects a string in proper X.500 form.
    • If no value is specified the cmdlet uses the following rules to determine the OU. First, if using the AD PowerShell provider drive, the current path of the provider drive is used. Second, if the cmdlet has a default path, this will be used. Finally, if neither of these cases are true, the Path will default to the partition or naming context of the target domain.
    • -Path "OU=Users,DC=thecodeattic,DC=com"

Step 2 – Let’s make a group:
PS C:\>$myGroup = New-ADGroup -Name "theCoolKids" -GroupScope DomainLocal -Description "This is the coolest gorup of users around." -DisplayName "the very Cool Kids" -SamAccountName "theCoolKids" -PassThru

If you receive no error messages, then there is only one thing left to do. Confirm that the group was generated. Either look in AD for the group or from PowerShell enter

PS C:\$myGroup

Your result should be something similar to the following:

DistinguishedName : CN=theCoolKids,CN=Users,DC=rainfly,DC=com
GroupCategory : Security
GroupScope : DomainLocal
Name : theCoolKids
ObjectClass : group
ObjectGUID : 5cd2fe70-dbe7-4ed3-b996-546d792efd2c
SamAccountName : theCoolKids
SID : S-1-5-21-1333310011-458043100-2074871380-1138

That was fun. Part 3 will be a look at adding those users to groups.


2 thoughts on “Making the Perfect Group

  1. Pingback: Time to Populate « The Code Attic

  2. Pingback: All Together Now « The Code Attic

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s