Using the ActiveDirectory PowerShell module, you can query AD groups with Get-AdGroup, add, update, and remove groups and group members. In this blog post, you’re going to learn a little about the Active Directory group PowerShell cmdlets with a ton of examples for reference.
Discover, report and prevent insecure Active Directory account passwords in your environment with Specops’ completely free Password Auditor Pro. Download it today!
Table of Contents
Active Directory Group Cmdlets
Once you install the ActiveDirectory PowerShell module, you’ll find a few cmdlets available to manage groups.
|Add-ADGroupMember||Used to add members to an AD group.|
|Add-ADPrincipalGroupMembership||Used to add an AD principal to AD groups.|
|Get-ADGroup||Used to return a group or groups from AD.|
|Get-ADGroupMember||Used to return the members of an AD group.|
|Get-ADPrincipalGroupMembership||Used to get the groups an AD principal is a member of.|
|New-ADGroup||Used to create a new AD group.|
|Remove-ADGroup||Used to delete an AD group.|
|Remove-ADGroupMember||Used to remove members from an AD group.|
|Remove-ADPrincipalGroupMembership||Used to remove an AD principal from AD groups.|
|Set-ADGroup||Used to set the properties of an AD group.|
Using these cmdlets and a little PowerShell kung-fu, you can manage every aspect of the Active Directory group with PowerShell.
Find the members of a group with Get-ADGroupMember
Get-AdGroupMember cmdlet returns all members in a group.
PS51> Get-ADGroupMember -Identity <identity string or object>
Alternatively, you could reference the
memberOf property on a particular user using the
Get-Aduser cmdlet. For a refresher on how to build filters, check out Learning Active Directory Directory and LDAP Filters in PowerShell.
Two examples are below.
PS51> Get-ADUser -Filter 'memberOf -eq ""' PS51> Get-ADUser -LDAPFilter '(memberOf=)'
This returns a collection of ADPrincipal objects.
Export the members of a group to a CSV file
This exports each users’ first name, surname and email address. Pipe the results from
Get-ADUser because these are ADPrincipal objects that do not have all of the properties that ADUser objects have.
PS51> $GroupMembers = Get-ADGroupMember -Identity 'Professional Services Department' PS51> $GroupMembers | Get-ADUser -Properties GivenName,Surname,Mail | Select-Object GivenName,Surname,Mail | Export-CSV -Path GroupMembers.CSV -NoTypeInformation
Notice the use of the
Export-CSVto ensure that the CSV file is compatible with other applications.
Find groups with no members with Get-ADGroup
Get-AdGroup to find groups using filters. Two examples below.
PS51> Get-ADGroup -Filter "Members -notlike '*'" PS51> Get-ADGroup -LDAPFilter "(!(member=*))"
Create a new security group with New-ADGroup
You create a new security group using the
PS51> New-ADGroup -Name '<group name>' -GroupScope <scope of group> -Path '<path of the OU tht will host the new group>'
Path parameter is supplied, the new group will be created in the Users container. The group scope must be either
Create a new distribution group with New-ADGroup
New-AdGroup again to create a distribution group. This time, choose a
PS51> New-ADGroup -Name '<group name>' -GroupScope <scope of group> -GroupCategory Distribution -Path '<path of the OU tht will host the new group>'
Add members to a group with Add-ADGroupMember
Adding users to an Active Directory group with PowerShell can be done using the
Add-AdGroupMember cmdlet or the
This command specifies the group as the Identity.
PS51> Add-ADGroupMember -Identity <identity string or object> -Members <identity string(s) or ADPrincipal(s)>
This command specifies the AD principal as the Identity.
PS51> Add-ADPrincipalGroupMembership -Identity <identity string or object> -MemberOf <identity string(s) or ADGroup(s)>
Write to the
Notes property of a group with Set-AdGroup
The field labeled Notes in ADUC is represented by the
Info property returned from
First, find the group to change, set the
Info property and then use
Set-AdGroup to commit the change to AD.
PS51> $group = Get-ADGroup -Identity <identity string or object> PS51> $group.Info = 'Important notes on this group' PS51> Set-ADGroup $group
Remove group members with Remove-ADGroupMember
Like all PowerShell cmdlets, you can use the
Confirm parameter to be prompted before a change is made. This behavior applies to the
Remove-ADPrincipalGroupMembership cmdlets too.
Below you can remove group members with no confirmation.
PS51> Remove-ADGroupMember -Identity <identity string or object> -Members <identity string(s) or ADPrincipal(s)> PS51> Remove-ADPrincipalGroupMembership -Identity <identity string or object> -MemberOf <identity string(s) or ADGroup(s)>
Or you can choose to remove group members with confirmation using the
PS51> Remove-ADGroupMember -Identity <identity string or object> -Members <identity string(s) or ADPrincipal(s)> -Confirm PS51> Remove-ADPrincipalGroupMembership -Identity <identity string or object> -MemberOf <identity string(s) or ADGroup(s)> -Confirm
Delete a group with Remove-ADGroup
Delete a group with no confirmation and with confirmation.
PS51> Remove-ADGroup -Identity <identity string or object> PS51> Remove-ADGroup -Identity <identity string or object> -Confirm
Rename a group with Rename-ADObject
You can rename a group via a one-liner using
PS51> Rename-ADObject -Identity <identity string or object> -NewName '<new name>'
Get the number of groups with Get-ADGroup
Do you need to find the total numbers of groups returned via
Get-AdGroup? Use the
PS51> (Get-ADGroup -Filter '*').Count
Find groups with a manager with Get-ADGroup
Filter all groups that have a manager assigned to them with
Get-AdGroup and a well-crafted LDAP filter.
PS51> Get-ADGroup -LDAPFilter '(managedby=*)'
There is no equivalent PowerShell filter for this.
Find groups managed by a specific user with Get-ADGroup
Up your filter skills and find all groups managed by a specific user using either a PowerShell filter or LDAP filter.
PS51> Get-ADGroup -Filter 'managedby -eq "<distinguished name of user>"' PS51> Get-ADGroup -LDAPFilter '(managedby=<distinguished name of user>)'
Set the group Manager with Set-ADGroup
The Managed By tab in ADUC for groups allows you to designate someone who is responsible for the membership of the group. This doesn’t automatically mean that the manager can alter the group membership of the group. For that to be possible, the security permissions need to be changed on the Member property for the group in question.
The act of ticking the Manager can update membership list box for a group in Active Directory Users and Computers (ADUC) changes the permissions to allow this.
Set-ADGroup to set the ManagedBy attribute:
PS51> Set-ADGroup -ManagedBy '<distinguished name, GUID, SID or SAM Account name of manager>'
Updating the Access Control list takes a few more steps. The following code snippet grants the user Kristin Diaz the ability to manage the membership of the group. bf9679c0-0de6-11d0-a285-00aa003049e2 is the GUID for the
Member property of the group.
If Kristin is also set as the manager of the group then the tick box will be ticked. If not, Kristin will still be able to manage the membership of the group but will not be shown in ADUC as the manager.
$group = Get-ADGroup -Identity 'Professional Services Department' $manager = Get-ADUser -Identity 'Kristin.Diaz' $NTPrincipal = New-Object System.Security.Principal.NTAccount $manager.samAccountName $objectGUID = New-Object GUID 'bf9679c0-0de6-11d0-a285-00aa003049e2' $acl = Get-ACL "AD:$($group.distinguishedName)" $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $NTPrincipal,'WriteProperty','Allow',$objectGUID $acl.AddAccessRule($ace) Set-ACL -AclObject $acl -Path "AD:$($group.distinguishedName)"
Find all security groups
List all security groups in Active Directory with PowerShell by limiting your search query to only security groups with these two examples. What’s that LDAP filter, you ask? Learn all about LDAP filters.
PS51> Get-ADGroup -Filter 'groupcategory -eq "Security"' PS51> Get-ADGroup -LDAPFilter '(groupType:1.2.840.1135220.127.116.113:=2147483648)'
Find Distribution groups
Use PowerShell to list Active Directory Groups (distribution) which excludes security groups using these two examples.
PS51> Get-ADGroup -Filter 'groupcategory -eq "Distribution"' PS51> Get-ADGroup -LDAPFilter '(!(groupType:1.2.840.113518.104.22.1683:=2147483648))'
Find group membership for a user with Get-ADPrincipalGroupMembership
PS51> Get-ADPrincipalGroupMembership -Identity <identity string or object>
Note that this command requires access to a global catalog.
Find groups in an OU, not including any sub-OUs
Get granular using the
SearchBase parameter to limit your search to a single OU using these two examples.
PS51> Get-ADGroup -Filter '*' -SearchBase '<distinguished name of OU>' -SearchScope OneLevel PS51> Get-ADGroup -LDAPFilter '(CN=*)' -SearchBase '<distinguished name of OU>' -SearchScope OneLevel
Find groups in an OU, including any sub-OUs
Do you need to find all groups in child OUs? Use a
PS51> Get-ADGroup -Filter '*' -SearchBase '<distinguished name of OU>' -SearchScope SubTree PS51> Get-ADGroup -LDAPFilter '(CN=*)' -SearchBase '<distinguished name of OU>' -SearchScope SubTree
That concludes our example-driven demo of managing AD groups with PowerShell. Grab a few of these, try them out in your organization and start automating!
More from Adam The Automator & Friends
Find out how many of your Active Directory users are using leaked passwords by running a free read-only scan with Specops Password Auditor.
Why not write on a platform with an existing audience and share your knowledge with the world?
We've put together a list of the resources we, at ATA, can wholeheartedly recommend.