The Active Directory Users and Computers (ADUC) graphical snap-in is not the only tool for managing security groups in Active Directory. You can use simple PowerShell commands for the day-to-day management of user groups in your Active Directory domain. In this article, we’ll look at how to use PowerShell to create a new group in AD, add users to it (or remove them), display/export a list of group members, and other useful commands that are often used when administering AD groups.
- New-ADGroup: Creating a New AD Group with PowerShell
- Adding Users to Active Directory via Add-AdGroupMember
- Remove-ADGroupMember: Removing Users from AD Group with PowerShell
- Find Active Directory Groups with Get-ADGroup
- Get-ADGroupMember: How to Get and Export Active Directory Group Members?
- Set-ADGroup: Modifying Active Directory Group Attributes
- Remove-ADGroup: How to Delete a Group in Active Directory Using PowerShell?
To manage AD groups, you can use the Active Directory Module for Windows PowerShell. The RSAT-AD-PowerShell module is available in all versions of Windows Server (starting with Windows Server 2008 R2), and it can be installed as an RSAT feature on Windows 10 and Windows 11 desktops.
Check that the Active Directory module is available in the current PowerShell session:
Get-Module -ListAvailable
As you can see, the ActiveDirectory module is available. If it is not loaded, import it using this command:
Import-Module ActiveDirectory
Let’s list the PowerShell cmdlets that allow you to manage AD groups:
Get-Command -Module ActiveDirectory -Name "*Group*"
There are 11 cmdlets available:
- Add-ADGroupMember
- Add-ADPrincipalGroupMembership
- Get-ADAccountAuthorizationGroup
- Get-ADGroup
- Get-ADGroupMember
- Get-ADPrincipalGroupMembership
- New-ADGroup
- Remove-ADGroup
- Remove-ADGroupMember
- Remove-ADPrincipalGroupMembership
- Set-ADGroup
New-ADGroup: Creating a New AD Group with PowerShell
Create a new security group in the specified Active Directory container (OU) using the New-ADGroup command:
New-ADGroup "TestADGroup" -Path 'OU=Groups,OU=NY,OU=US,DC=corp,DC=woshub,DC=com' -GroupScope Global -PassThru -Verbose
You can use the Description and DisplayName attributes to specify the group description and display name.
You can use the GroupScope parameter to set one of the following group scopes:
- 0 = DomainLocal
- 1 = Global
- 2 = Universal
You can create a distribution group as follows:
New-ADGroup "TestADGroup-Distr" -Path 'OU=Groups,OU=NY,OU=US,DC=corp,DC=woshub,DC=com' -GroupCategory Distribution -GroupScope Global -PassThru -Verbose
When creating an AD group, you can fill in any attributes. The easiest way to set the values of various group attributes is through a hashtable:
$attrs = @{"mail"="[email protected]";"displayname"="ALL Munich Admins"}
New-ADGroup -Name MUNAdmins -GroupScope Global -OtherAttributes $attrs
Adding Users to Active Directory via Add-AdGroupMember
You can add users to an Active Directory group using the Add-AdGroupMember cmdlet. Let’s add two users to the new group:
Add-AdGroupMember -Identity TestADGroup -Members user1, user2
If you need to add a large number of users to a group at once, you can save the list of usernames to a CSV file, then import this CSV file into PowerShell and add each user to the group using a simple PowerShell script.
The CSV file must contain one username per line, in a single column named users (the -Header parameter below assigns this column name).
Import-Csv .\users.csv -Header users | ForEach-Object { Add-ADGroupMember -Identity 'TestADGroup' -Members $_.users }
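The one-liner above silently fails on the first unknown username and leaves no record of what was changed. The following script is an added example (not from the original article) that does the same bulk add, but validates each account, skips existing members and writes every decision to a log. It assumes the article's users.csv layout (one sAMAccountName per line, no header row), the TestADGroup group, and a hypothetical log path .\add-members.log.

```powershell
# Added example: audited bulk add of CSV-listed users to an AD group.
# Assumes .\users.csv (one sAMAccountName per line, no header row) and the
# group TestADGroup from the article; .\add-members.log is a hypothetical path.
Import-Module ActiveDirectory

$GroupName = 'TestADGroup'
$CsvPath   = '.\users.csv'
$LogPath   = '.\add-members.log'

$group = Get-ADGroup -Identity $GroupName
# Cache the current membership once instead of querying AD for every CSV row
$current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)

$results = foreach ($row in (Import-Csv -Path $CsvPath -Header users)) {
    $sam = ([string]$row.users).Trim()
    if (-not $sam) { continue }                     # ignore blank lines
    $status = 'Added'
    try {
        # -ErrorAction Stop turns a missing account into a catchable exception
        $user = Get-ADUser -Identity $sam -ErrorAction Stop
        if ($current -contains $user.SamAccountName) {
            $status = 'AlreadyMember'
        } else {
            Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
        }
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $status = 'UserNotFound'                    # typo in the CSV or account already removed
    } catch {
        $status = "Error: $($_.Exception.Message)"  # e.g. insufficient rights on the group
    }
    [pscustomobject]@{ Time = Get-Date -Format o; User = $sam; Group = $GroupName; Status = $status }
}

# Append the per-user outcome to the log and print a short summary
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
$results | Group-Object Status | Select-Object Name, Count
```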
To get all members of a group (groupX) and add them to another group (groupY), use this command:
Get-ADGroupMember "GroupX" | Get-ADUser | ForEach-Object { Add-ADGroupMember -Identity "GroupY" -Members $_ }
If you need to copy the members of all nested groups to a new group (recursively), run this command:
Get-ADGroupMember -Identity "GroupX" -Recursive | Get-ADUser | ForEach-Object { Add-ADGroupMember -Identity "GroupY" -Members $_ }
You can use the temporary (time-based) group membership feature in Active Directory forests at the Windows Server 2016 functional level (Windows2016Forest) and newer. To temporarily add a user to an AD group (for example, for 1 hour), run the command:
$ttl = New-TimeSpan -Minutes 60
Add-ADGroupMember -Identity "Domain Admins" -Members j.lennon -MemberTimeToLive $ttl
After an hour, this user will be automatically removed from this security group.
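Time-based membership only works once the Privileged Access Management optional feature has been enabled in the forest, and the remaining lifetime of such an entry can be read back from the group. The script below is an added example (not from the original article) that checks the prerequisite, grants the one-hour membership shown above and lists the seconds left; the forest name corp.woshub.com is taken from the article's DN examples.

```powershell
# Added example: time-bound group membership with prerequisite check and TTL readback.
# Assumes the forest corp.woshub.com and the user/group names used in the article.
Import-Module ActiveDirectory

$Forest = 'corp.woshub.com'
$Group  = 'Domain Admins'
$User   = 'j.lennon'

# The PAM optional feature is what enables TTL-bound membership; it needs the
# Windows2016Forest functional level and, once enabled, cannot be turned off.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $pam.EnabledScopes) {
    throw "PAM feature not enabled. Enable it with: Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target $Forest"
}

# Grant membership that AD removes by itself after 60 minutes. Kerberos tickets
# issued to the user are also capped at the remaining TTL, so the elevated
# access really ends when the timer does.
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Minutes 60)

# TTL-bound members are returned as "<TTL=seconds>,DN" when -ShowMemberTimeToLive is used
Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member |
    Where-Object { $_ -like '<TTL=*' } |
    ForEach-Object {
        if ($_ -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ Group = $Group; SecondsLeft = [int]$Matches[1]; Member = $Matches[2] }
        }
    }
```

Permanent members appear in the same list as plain DNs without the TTL prefix, so the filter leaves only the temporary ones.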
Remove-ADGroupMember: Removing Users from AD Group with PowerShell
To remove users from the AD group, use the Remove-ADGroupMember cmdlet. Let’s remove two users from the group:
Remove-ADGroupMember -Identity TestADGroup -Members user1, user2
Confirm the removal when prompted.
If you have to remove users from a group according to the users’ list from a CSV file, use this command:
Import-Csv .\users.csv -Header users | ForEach-Object { Remove-ADGroupMember -Identity 'TestADGroup' -Members $_.users }
Learn more about how to create dynamic user groups in Active Directory with PowerShell using the Add-ADGroupMember and Remove-ADGroupMember cmdlets.
Find Active Directory Groups with Get-ADGroup
The Get-ADGroup cmdlet will help you to get information about the AD domain group:
Get-ADGroup 'TestADGroup'
This command displays information about the main attributes of the group (DN, group type, name, SID). To display the values of all group attributes, run the following command:
Get-ADGroup 'TestADGroup' -properties *
As you can see, attributes such as the group creation and modification times, the description, etc. are now displayed.
You can use the Get-ADGroup cmdlet to search for groups in AD by patterns. For example, the following commands can be used to find all AD groups that contain the phrase admins in their name:
Get-ADGroup -LDAPFilter "(name=*admins*)" | Format-Table
Or:
Get-ADGroup -Filter {name -like "*admins*"} -Properties Description,info | Select Name,samaccountname,Description,info
Using Get-ADGroup, you can get a list of group members (stored in the members attribute):
Get-ADGroup -Identity "Domain Admins" -Properties members | Select-Object -ExpandProperty members
However, it is much more convenient to use the Get-ADGroupMember cmdlet to get group membership.
Get-ADGroupMember: How to Get and Export Active Directory Group Members?
The Get-ADGroupMember cmdlet lets you get the members of an AD group. These can be users, computers, other groups, or managed service accounts (MSA/gMSA).
Get-ADGroupMember 'TestADGroup'
To display only usernames in the results, run:
Get-ADGroupMember 'TestADGroup'| ft name
If this group includes other domain groups, use the Recursive parameter to display the full list of members including all nested groups.
Get-ADGroupMember ADadmins -recursive| ft name
To export the list of accounts being the members of a specific group into a CSV file (for further use in Excel), run the following command:
Get-ADGroupMember 'ADadmins' -Recursive | Select-Object SamAccountName | Export-Csv -Path C:\PS\ADadminsList.csv -NoTypeInformation
You can export information about the users in a group to a text file. The Get-ADUser cmdlet is used to get the extended attributes of a user. For example, in addition to the account name, you can display the UserPrincipalName, position (title), and phone number of the group users (computer accounts that may appear in the recursive list are filtered out first):
Get-ADGroupMember -Identity ADadmins -Recursive | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object { Get-ADUser $_ -Properties Title, OfficePhone | Select-Object Name, UserPrincipalName, Title, OfficePhone }
You can count the number of users in a group like this:
(Get-ADGroupMember -Identity 'domain admins').Count
To get the list of empty groups in a specific OU, use this command:
Get-ADGroup -Filter * -Properties Members -SearchBase "OU=NY,OU=US,DC=corp,DC=woshub,DC=com" | Where-Object { -not $_.Members } | Select-Object Name
The Get-ADGroupMember cmdlet can be used to create a simple PowerShell script that notifies an administrator that someone has added a new user to a specific AD group.
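One way to build such a notification script, as an added example that is not part of the original article: keep a saved snapshot of each sensitive group's membership and compare the live list against it on every run (for example from a scheduled task). The group list is a constructed sample, and the snapshot folder C:\PS\snapshots, the mailbox addresses and the SMTP relay are placeholders.

```powershell
# Added example: report members added to or removed from sensitive AD groups
# since the previous run. Groups are a constructed sample; the snapshot folder,
# mail addresses and SMTP server are placeholders to adjust.
Import-Module ActiveDirectory

$Groups      = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$SnapshotDir = 'C:\PS\snapshots'
$MailParams  = @{
    From       = 'ad-audit@corp.woshub.com'
    To         = 'admins@corp.woshub.com'
    SmtpServer = 'smtp.corp.woshub.com'
}

New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null

$report = foreach ($g in $Groups) {
    $file = Join-Path $SnapshotDir (($g -replace '[^\w]', '_') + '.txt')
    # -Recursive so that a user added through a nested group is caught as well
    $current = @(Get-ADGroupMember -Identity $g -Recursive |
                 Select-Object -ExpandProperty DistinguishedName | Sort-Object)

    if (Test-Path $file) {
        $previous = @(Get-Content $file)
        foreach ($dn in ($current  | Where-Object { $_ -notin $previous })) {
            [pscustomobject]@{ Group = $g; Change = 'Added';   Member = $dn }
        }
        foreach ($dn in ($previous | Where-Object { $_ -notin $current })) {
            [pscustomobject]@{ Group = $g; Change = 'Removed'; Member = $dn }
        }
    }
    # The first run only records the baseline; later runs compare against it
    $current | Set-Content -Path $file
}

if ($report) {
    $body = $report | Format-Table -AutoSize | Out-String
    Send-MailMessage @MailParams -Subject 'AD privileged group membership changed' -Body $body
}
$report
```

Someone who removes themselves again between two runs will not show up, so keep the interval short and pair this with auditing of event ID 4728/4732/4756 (member added to a security group) on the domain controllers.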
Set-ADGroup: Modifying Active Directory Group Attributes
The Set-ADGroup cmdlet lets you change the properties (attributes) of any Active Directory group. For example, you can change the description and name of a group:
Set-ADGroup -Identity MunAdmins -Description "Munich Admins Group"
Or:
Get-ADGroup -Identity MunAdmins | Set-ADGroup -Description "Munich Admins Group"
Hide a specific group from the Exchange GAL:
Set-ADGroup -Identity MunAdmins -Replace @{hideDLMembership=$true}
You can change several group attributes at once. It is convenient to set the list of changes using the HashTable:
$attrs = @{"mail"="[email protected]";"displayname"="ALL MUN Admins"}
Set-ADGroup -Identity MunAdmins -Add $attrs
You can check the new attribute values with the following command, or from the Attribute Editor tab in the ADUC console:
Get-ADGroup MunAdmins -Properties *
Remove-ADGroup: How to Delete a Group in Active Directory Using PowerShell?
To remove groups in Active Directory, use the Remove-ADGroup cmdlet:
Remove-ADGroup -Identity MunSales
When deleting a group, you are prompted to confirm the deletion. To disable the removal confirmation, add -Confirm:$false:
Remove-ADGroup -Identity MunSales -Confirm:$false
If the Active Directory Recycle Bin is enabled, a deleted group can be found among the deleted objects and restored:
Get-ADObject -Filter { Deleted -eq $True -and ObjectClass -eq 'group' -and Name -like '*MunSales*' } -IncludeDeletedObjects | Restore-ADObject -Verbose