Managing Active Directory Groups with PowerShell: The Ultimate Guide

Published:4 November 2024 - 3 min. read

Adam Bertram Image

Adam Bertram

Read more tutorials by Adam Bertram!

Audit your Active Directory for weak passwords and risky accounts. Run your free Specops scan now!

LinkedIn
As a Windows system administrator, managing Active Directory (AD) groups is probably something you do every day. While you could use the Active Directory Users and Computers (ADUC) MMC snap-in, what happens when you need to manage groups across multiple domains or automate group management tasks? That’s where PowerShell comes in handy. In this hands-on tutorial, you’re going to learn how to use PowerShell to manage AD groups like a pro. You’ll learn how to query groups, create new ones, and modify existing groups using practical real-world examples.

Prerequisites

If you’d like to follow along with this tutorial, be sure you have the following prerequisites in place:
  • A Windows computer (Windows 10/11 or Windows Server) joined to an Active Directory domain
  • A user account with permissions to manage AD groups

Querying AD Groups with PowerShell

Let’s start with a common scenario – you’re the new IT admin at a company and need to audit the AD group structure. Your manager wants to know what groups exist across different departments. The Get-ADGroup cmdlet will be your best friend here.

Active Directory group management gets easier when the PowerShell and directory-service fundamentals are fresh. If you want a structured path before applying this in production, compare Active Directory and PowerShell courses on Udemy before you buy.

Finding Groups by Name

Perhaps the simplest task is finding groups containing specific text in their name. For example, to find all groups with “Sales” in the name: 
Get-ADGroup -Filter 'Name -like "Sales"'
The asterisks (*) are wildcards, matching any characters before or after “Sales”. This command will return all groups that have “Sales” anywhere in their name.

Filtering by Group Type

Maybe you only want to see security groups (not distribution groups). You can add additional filter criteria using the -and operator: 
Get-ADGroup -Filter 'Name -like "Sales" -and GroupCategory -eq "Security"'
Now you’ll only see security groups that have “Sales” in their name.

Searching in Specific OUs

Need to find groups in a particular organizational unit (OU)? Use the SearchBase parameter: 
Get-ADGroup -Filter * -SearchBase 'OU=Engineering,DC=company,DC=local'
This command finds all groups within the Engineering OU and its child OUs.

Finding Recently Created Groups

Want to see which groups were created after a certain date? Filter on the whenCreated attribute: 
Get-ADGroup -Filter 'whenCreated -ge "2023-01-01"'
This returns all groups created on or after January 1st, 2023.

Creating New AD Groups

Now let’s look at creating new groups. Maybe your company is restructuring and you need to create groups for new departments.

Creating a Security Group

Here’s how to create a new security group for IT support staff: 
New-ADGroup -Name "IT_Support" `
            -GroupScope Global `
            -GroupCategory Security `
            -Description "Group for IT support staff" `
            -Path "OU=IT,DC=company,DC=local"
This creates a global security group called “IT_Support” in the IT organizational unit.

Creating a Distribution Group

Need an email distribution group? Just change a few parameters: 
New-ADGroup -Name "Marketing_News" `
            -GroupScope DomainLocal `
            -GroupCategory Distribution `
            -Description "Group for receiving marketing updates" `
            -Path "OU=Marketing,DC=company,DC=local"

Creating Multiple Groups at Once

Got multiple similar groups to create? Use a loop: 
$regions = "North", "South", "East", "West"
foreach ($region in $regions) {
    New-ADGroup -Name "Sales_$region" `
                -GroupScope Global `
                -GroupCategory Security `
                -Description "Sales team for $region region" `
                -Path "OU=Sales,DC=company,DC=local"
}

Modifying Existing Groups

Things change in organizations. Groups need to be renamed, descriptions updated, and scopes modified. Let’s see how to handle these tasks.

Renaming Groups

To rename a group, you’ll need to change both its name and samAccountName: 
# First rename the group object
Get-ADGroup EngineeringTeam | Rename-ADObject -NewName TechTeam

# Then update the samAccountName
Get-ADGroup EngineeringTeam | Set-ADGroup -SamAccountName TechTeam

Updating Group Descriptions

Need to update a group’s description? One line with Set-ADGroup: 
Get-ADGroup TechTeam | Set-ADGroup -Description 'Technical Team for Engineering Projects'

Changing Group Scope

If you need to change a group’s scope (like from Global to Universal): 
Get-ADGroup TechTeam | Set-ADGroup -GroupScope Universal

Pro Tips

Here are some tips to make your AD group management even more efficient:
    1. Always use `-Filter` instead of `-Identity` when querying multiple groups – it’s more efficient
    2. Remember that group scope can’t be changed if the group has members – remove members first
    3. Use the `-WhatIf` parameter when making changes to preview what would happen
    4. Always test your group changes in a non-production environment first

Summary

You should now have a solid foundation for managing AD groups with PowerShell. While the Active Directory Users and Computers snap-in is great for one-off tasks, PowerShell gives you the power to automate and manage groups at scale. Remember – the examples shown here are just the beginning. PowerShell’s AD cmdlets are incredibly powerful and flexible. As you become more comfortable with these basics, you can build more complex solutions to match your organization’s needs. Need to learn more about Active Directory PowerShell? Check out our other tutorials:

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

More from ATA Learning and Partners

Looks like you're offline!