In this post, I’ll show you how to create and delete Active Directory groups. I’ll also show you how to add and remove user and computer objects to and from AD groups.
Managing Active Directory (AD) groups with PowerShell is easy with the Active Directory module for Windows PowerShell. In this article, I’ll show you how to use New-ADGroup, Remove-ADGroup, Add-ADGroupMember, and Remove-ADGroupMember to manage groups. Let’s start by creating a new Active Directory group.
Before carrying out the instructions below, you must be logged in to Windows with a domain user account that has permission to add and remove groups in Active Directory. You must also have the Active Directory module for Windows PowerShell installed on the device where you want to run the PowerShell cmdlets.
Add and Remove AD Groups with PowerShell
Open a PowerShell window on your management PC and run the command below, which will create a new domain local group called Helpdesk in Active Directory.
New-ADGroup -Name Helpdesk -Description 'User support' -GroupScope DomainLocal
The -GroupScope parameter can be set to DomainLocal, Global, or Universal. Note that if a group name (or any other value) contains a space, you must enclose it in double or single quotes, as I have done with the value 'User support' in the command above.
There are lots more parameters that you can add to the New-ADGroup cmdlet. The command below also creates a group called Helpdesk but adds some of the additional parameters, including -Path to create the group in the Users container in the ad.contoso.com domain.
New-ADGroup -Name Helpdesk -SamAccountName 'Helpdesk' -GroupCategory Security -GroupScope DomainLocal -DisplayName Helpdesk -Path 'CN=Users,DC=ad,DC=contoso,DC=com' -Description 'User support'
Removing a group is easy with the Remove-ADGroup cmdlet. Note that instead of -Name it uses a parameter called -Identity, which accepts the group's SamAccountName, distinguished name, GUID, or SID. The command below removes the AD group called Helpdesk. Because a group's SamAccountName is unique in the domain, there's no need to specify other parameters like -Path.
Remove-ADGroup -Identity Helpdesk
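The following script is an added example, not code from the original post. It puts the create and remove steps above together in a form that is safe to run more than once: it checks whether the Helpdesk group already exists before creating it, reads the group back so its scope and category can be verified before anything is delegated to it, and previews the removal with -WhatIf before the real deletion. The OU path is a placeholder that you would replace with one from your own domain.

```powershell
# Added example: idempotent creation and guarded removal of an AD group.
# Assumes the ActiveDirectory module is installed and the caller has rights to
# create and delete groups under the chosen container. $targetOu is a placeholder.
Import-Module ActiveDirectory

$groupName = 'Helpdesk'
$targetOu  = 'OU=Groups,DC=ad,DC=contoso,DC=com'   # placeholder: adjust to your domain

# Get-ADGroup -Identity throws when the object is missing, so use -Filter to test
# for existence without turning "not found" into a terminating error.
$existing = Get-ADGroup -Filter "SamAccountName -eq '$groupName'"

if (-not $existing) {
    # -PassThru returns the new object so its DN can be logged immediately.
    $group = New-ADGroup -Name $groupName `
                         -SamAccountName $groupName `
                         -GroupCategory Security `
                         -GroupScope DomainLocal `
                         -Path $targetOu `
                         -Description 'User support' `
                         -PassThru
    Write-Host "Created $($group.DistinguishedName)"
}
else {
    Write-Host "Group already exists: $($existing.DistinguishedName)"
}

# Verify scope and category before the group is used in any ACL or delegation.
Get-ADGroup -Identity $groupName -Properties Description |
    Select-Object Name, SamAccountName, GroupScope, GroupCategory, Description

# Removal: preview first. Remove-ADGroup prompts for confirmation by default;
# -WhatIf shows what would happen without changing the directory.
Remove-ADGroup -Identity $groupName -WhatIf

# To actually remove the group without the interactive prompt, uncomment:
# Remove-ADGroup -Identity $groupName -Confirm:$false
```

Using -Filter for the existence check rather than wrapping Get-ADGroup -Identity in try/catch keeps the script free of error-handling noise, and -WhatIf gives you a dry run of the deletion that you can keep in change-control output.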
Add and Remove Objects in AD Groups with PowerShell
Now that we have created a group in Active Directory, let’s look at how to add and remove objects in groups. To add users to an AD group, use the Add-ADGroupMember cmdlet. In the command below, I’m adding two users to the Helpdesk group.
Add-ADGroupMember -Identity Helpdesk -Members JoeBlogs,DavidSmith
Removing an object from a group is simple with the Remove-ADGroupMember cmdlet:
Remove-ADGroupMember -Identity Helpdesk -Members DavidSmith
If you want to add or remove computer account objects to or from a group, you can use the Add-ADGroupMember and Remove-ADGroupMember cmdlets as shown above, but you must add a dollar symbol to the end of the computer account name, because a computer account's SamAccountName ends in $ and that is what tells the cmdlet you mean a computer account rather than a user account. The command below adds a computer account to the Helpdesk group.
Add-ADGroupMember -Identity Helpdesk -Members privworkstation1$
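The script below is an added example rather than code from the original post. It covers both membership sections above in one pass: it resolves each user and the computer account to a directory object before adding them (so a mistyped name fails immediately instead of being silently skipped), lists the resulting membership with object classes so you can audit what the group now grants access to, and then removes one user without the interactive prompt. The user and computer names are placeholders.

```powershell
# Added example: add user and computer accounts to a group, audit the membership,
# then remove a member. Assumes the ActiveDirectory module, rights to modify the
# group, and that the placeholder accounts below exist in the domain.
Import-Module ActiveDirectory

$groupName = 'Helpdesk'
$users     = @('JoeBlogs', 'DavidSmith')   # placeholder user SamAccountNames
$computer  = 'privworkstation1'            # placeholder computer name

# Resolve principals first. Get-ADUser/Get-ADComputer throw on an unknown name,
# which is what we want: a typo should stop the change, not add the wrong object.
$members = @(foreach ($u in $users) { Get-ADUser -Identity $u })

# A computer's SamAccountName is its name plus a trailing '$'. Get-ADComputer
# accepts the plain name and returns an object that -Members understands, so the
# '$' suffix never has to be typed by hand here.
$members += Get-ADComputer -Identity $computer

Add-ADGroupMember -Identity $groupName -Members $members

# Audit the result: direct members with their object class. Add -Recursive to
# Get-ADGroupMember to expand nested groups as well.
Get-ADGroupMember -Identity $groupName |
    Select-Object SamAccountName, objectClass, distinguishedName |
    Format-Table -AutoSize

# Remove one user again; -Confirm:$false suppresses the interactive prompt.
Remove-ADGroupMember -Identity $groupName -Members 'DavidSmith' -Confirm:$false

# Confirm the removal took effect.
(Get-ADGroupMember -Identity $groupName).SamAccountName
```

If you prefer to pass the computer by name instead of resolving it, quote it in single quotes ('privworkstation1$') so the trailing $ is never mistaken for the start of a variable inside a double-quoted string.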
Conclusion
Making sure that your Active Directory groups are properly managed is vital when it comes to mitigating the risks of privilege abuse. For a more continuous and automated way of auditing and monitoring Active Directory, start your free trial of Lepide Active Directory Auditor today.