Using the ActiveDirectory PowerShell module, you can query AD groups with Get-AdGroup, add, update, and remove groups and group members. In this blog post, you’re going to learn a little about the Active Directory group PowerShell cmdlets with a ton of examples for reference.
Not a reader? Watch this related video tutorial!Active Directory Group Cmdlets
Once you install the ActiveDirectory PowerShell module, you’ll find a few cmdlets available to manage groups.
Cmdlet Name | Description |
Add-ADGroupMember | Used to add members to an AD group. |
Add-ADPrincipalGroupMembership | Used to add an AD principal to AD groups. |
Get-ADGroup | Used to return a group or groups from AD. |
Get-ADGroupMember | Used to return the members of an AD group. |
Get-ADPrincipalGroupMembership | Used to get the groups an AD principal is a member of. |
New-ADGroup | Used to create a new AD group. |
Remove-ADGroup | Used to delete an AD group. |
Remove-ADGroupMember | Used to remove members from an AD group. |
Remove-ADPrincipalGroupMembership | Used to remove an AD principal from AD groups. |
Set-ADGroup | Used to set the properties of an AD group. |
Using these cmdlets and a little PowerShell kung-fu, you can manage every aspect of the Active Directory group with PowerShell.
Find the members of a group with Get-ADGroupMember
The Get-AdGroupMember
cmdlet returns all members in a group.
PS51> Get-ADGroupMember -Identity <identity string or object>
Alternatively, you could reference the memberOf
property on a particular user using the Get-Aduser
cmdlet. For a refresher on how to build filters, check out Learning Active Directory Directory and LDAP Filters in PowerShell.
Two examples are below.
PS51> Get-ADUser -Filter 'memberOf -eq ""'
PS51> Get-ADUser -LDAPFilter '(memberOf=)'
This returns a collection of ADPrincipal objects.
Export the members of a group to a CSV file
This exports each users’ first name, surname and email address. Pipe the results fromGet-ADGroupMember
to Get-ADUser
because these are ADPrincipal objects that do not have all of the properties that ADUser objects have.
PS51> $GroupMembers = Get-ADGroupMember -Identity 'Professional Services Department'
PS51> $GroupMembers | Get-ADUser -Properties GivenName,Surname,Mail | Select-Object GivenName,Surname,Mail | Export-CSV -Path GroupMembers.CSV -NoTypeInformation
Notice the use of the
NoTypeInformation
parameter ofExport-CSV
to ensure that the CSV file is compatible with other applications.
Find groups with no members with Get-ADGroup
Use Get-AdGroup
to find groups using filters. Two examples below.
PS51> Get-ADGroup -Filter "Members -notlike '*'"
PS51> Get-ADGroup -LDAPFilter "(!(member=*))"
Create a new security group with New-ADGroup
You create a new security group using the New-AdGroup
command.
PS51> New-ADGroup -Name '<group name>' -GroupScope <scope of group> -Path '<path of the OU tht will host the new group>'
If no Path
parameter is supplied, the new group will be created in the Users container. The group scope must be either DomainLocal
, Global
or Universal
.
Create a new distribution group with New-ADGroup
Use New-AdGroup
again to create a distribution group. This time, choose a GroupCategory
of Distribution
.
PS51> New-ADGroup -Name '<group name>' -GroupScope <scope of group> -GroupCategory Distribution -Path '<path of the OU tht will host the new group>'
Add members to a group with Add-ADGroupMember
Adding users to an Active Directory group with PowerShell can be done using the Add-AdGroupMember
cmdlet or the Add-ADPrincipalGroupMembership
cmdlet.
This command specifies the group as the Identity.
PS51> Add-ADGroupMember -Identity <identity string or object> -Members <identity string(s) or ADPrincipal(s)>
This command specifies the AD principal as the Identity.
PS51> Add-ADPrincipalGroupMembership -Identity <identity string or object> -MemberOf <identity string(s) or ADGroup(s)>
Write to the Notes
property of a group with Set-AdGroup
The field labeled Notes in ADUC is represented by the Info
property returned from Get-AdGroup
.
First, find the group to change, set the Info
property and then use Set-AdGroup
to commit the change to AD.
PS51> $group = Get-ADGroup -Identity <identity string or object>
PS51> $group.Info = 'Important notes on this group'
PS51> Set-ADGroup $group
Remove group members with Remove-ADGroupMember
Like all PowerShell cmdlets, you can use the Confirm
parameter to be prompted before a change is made. This behavior applies to the Remove-AdGroupMember
and Remove-ADPrincipalGroupMembership
cmdlets too.
Below you can remove group members with no confirmation.
PS51> Remove-ADGroupMember -Identity <identity string or object> -Members <identity string(s) or ADPrincipal(s)>
PS51> Remove-ADPrincipalGroupMembership -Identity <identity string or object> -MemberOf <identity string(s) or ADGroup(s)>
Or you can choose to remove group members with confirmation using the Confirm
parameter.
PS51> Remove-ADGroupMember -Identity <identity string or object> -Members <identity string(s) or ADPrincipal(s)> -Confirm
PS51> Remove-ADPrincipalGroupMembership -Identity <identity string or object> -MemberOf <identity string(s) or ADGroup(s)> -Confirm
Delete a group with Remove-ADGroup
Delete a group with no confirmation and with confirmation.
PS51> Remove-ADGroup -Identity <identity string or object>
PS51> Remove-ADGroup -Identity <identity string or object> -Confirm
Rename a group with Rename-ADObject
You can rename a group via a one-liner using Rename-ADObject
.
PS51> Rename-ADObject -Identity <identity string or object> -NewName '<new name>'
Get the number of groups with Get-ADGroup
Do you need to find the total numbers of groups returned via Get-AdGroup
? Use the Count
property.
PS51> (Get-ADGroup -Filter '*').Count
Find groups with a manager with Get-ADGroup
Filter all groups that have a manager assigned to them with Get-AdGroup
and a well-crafted LDAP filter.
PS51> Get-ADGroup -LDAPFilter '(managedby=*)'
There is no equivalent PowerShell filter for this.
Find groups managed by a specific user with Get-ADGroup
Up your filter skills and find all groups managed by a specific user using either a PowerShell filter or LDAP filter.
PS51> Get-ADGroup -Filter 'managedby -eq "<distinguished name of user>"'
PS51> Get-ADGroup -LDAPFilter '(managedby=<distinguished name of user>)'
Set the group Manager with Set-ADGroup
The Managed By tab in ADUC for groups allows you to designate someone who is responsible for the membership of the group. This doesn’t automatically mean that the manager can alter the group membership of the group. For that to be possible, the security permissions need to be changed on the Member property for the group in question.
The act of ticking the Manager can update membership list box for a group in Active Directory Users and Computers (ADUC) changes the permissions to allow this.
Use Set-ADGroup
to set the ManagedBy attribute:
PS51> Set-ADGroup -ManagedBy '<distinguished name, GUID, SID or SAM Account name of manager>'
Updating the Access Control list takes a few more steps. The following code snippet grants the user Kristin Diaz the ability to manage the membership of the group. bf9679c0-0de6-11d0-a285-00aa003049e2 is the GUID for the Member
property of the group.
If Kristin is also set as the manager of the group then the tick box will be ticked. If not, Kristin will still be able to manage the membership of the group but will not be shown in ADUC as the manager.
Find leaked & unsafe passwords in your Active Directory by checking against the NCSC Password list.
$group = Get-ADGroup -Identity 'Professional Services Department'
$manager = Get-ADUser -Identity 'Kristin.Diaz'
$NTPrincipal = New-Object System.Security.Principal.NTAccount $manager.samAccountName
$objectGUID = New-Object GUID 'bf9679c0-0de6-11d0-a285-00aa003049e2'
$acl = Get-ACL "AD:$($group.distinguishedName)"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $NTPrincipal,'WriteProperty','Allow',$objectGUID
$acl.AddAccessRule($ace)
Set-ACL -AclObject $acl -Path "AD:$($group.distinguishedName)"
Find all security groups
List all security groups in Active Directory with PowerShell by limiting your search query to only security groups with these two examples. What’s that LDAP filter, you ask? Learn all about LDAP filters.
PS51> Get-ADGroup -Filter 'groupcategory -eq "Security"'
PS51> Get-ADGroup -LDAPFilter '(groupType:1.2.840.113556.1.4.803:=2147483648)'
Find Distribution groups
Use PowerShell to list Active Directory Groups (distribution) which excludes security groups using these two examples.
PS51> Get-ADGroup -Filter 'groupcategory -eq "Distribution"'
PS51> Get-ADGroup -LDAPFilter '(!(groupType:1.2.840.113556.1.4.803:=2147483648))'
Find group membership for a user with Get-ADPrincipalGroupMembership
PS51> Get-ADPrincipalGroupMembership -Identity <identity string or object>
Note that this command requires access to a global catalog.
Find groups in an OU, not including any sub-OUs
Get granular using the SearchBase
parameter to limit your search to a single OU using these two examples.
PS51> Get-ADGroup -Filter '*' -SearchBase '<distinguished name of OU>' -SearchScope OneLevel
PS51> Get-ADGroup -LDAPFilter '(CN=*)' -SearchBase '<distinguished name of OU>' -SearchScope OneLevel
Find groups in an OU, including any sub-OUs
Do you need to find all groups in child OUs? Use a SearchScope
of SubTree
.
PS51> Get-ADGroup -Filter '*' -SearchBase '<distinguished name of OU>' -SearchScope SubTree
PS51> Get-ADGroup -LDAPFilter '(CN=*)' -SearchBase '<distinguished name of OU>' -SearchScope SubTree
Summary
That concludes our example-driven demo of managing AD groups with PowerShell. Grab a few of these, try them out in your organization and start automating!