Manipulating Groups in Windows 2008 R2 using AD PowerShell Script.
In Windows 2008 R2, a set of PowerShell cmdlets was added to manage Active Directory. You can launch "Active Directory PowerShell" from Administrative Tools in the Start menu.
There are different commands available to manipulate AD objects.
- Get-ADGroup: Returns one or more Active Directory Groups.
- New-ADGroup: Creates an Active Directory group.
- Remove-ADGroup: Removes an Active Directory group.
- Set-ADGroup: Modifies an Active Directory group.
Today, I’m going to talk about these commands. I’ll list out the commands to accomplish most common Group management tasks.
1. Example of Get-ADGroup Command:
- How to get a list of Security groups but not Distribution groups?
Get-ADGroup -Filter 'GroupCategory -eq "Security"'
- How to get a list of Distribution groups but not Security groups?
Get-ADGroup -Filter 'GroupCategory -eq "Distribution"'
- List all DomainLocal groups in the domain.
Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"'
- List all Global groups in the domain.
Get-ADGroup -Filter 'GroupScope -eq "Global"'
- List all Universal groups.
Get-ADGroup -Filter 'GroupScope -eq "Universal"'
You can also use a wildcard character to search for groups. The following command lists all groups whose name contains the word "admin":
Get-ADGroup -Filter 'Name -like "*admin*"'
We can also combine conditions. For example, to list all Universal groups whose name contains the word "admin":
Get-ADGroup -Filter 'Name -like "*admin*" -and GroupScope -eq "Universal"'
You can use the following operators in Active Directory PowerShell.

| Logical Operator | Description |
|---|---|
| -eq | Equal to. It doesn't support wildcard search. |
| -ne | Not equal to. It doesn't support wildcard search. |
| -like | Equal to and supports wildcard comparison. The only wildcard character supported is: * |
| -notlike | Not equal to. Supports wildcard comparison. |
| -approx | Approximately equal to |
| -le | Lexicographically less than or equal to |
| -lt | Lexicographically less than |
| -ge | Lexicographically greater than or equal to |
| -gt | Lexicographically greater than |
| -and | AND |
| -or | OR |
| -not | NOT |
| -bor | Bitwise OR |
| -band | Bitwise AND |

2. Example of New-ADGroup Command:
The following command creates a Domain Local Security group named "HelpDesk Admins" under the Users container.
New-ADGroup -Name "HelpDesk Admins" -SamAccountName HelpDeskAdmins -GroupCategory Security -GroupScope DomainLocal -DisplayName "HelpDesk Admins" -Path "CN=Users,DC=W2k8Microsoft,DC=local"
3. Example of Remove-ADGroup Command:
The following command removes the group created in step 2.
Remove-ADGroup HelpDeskAdmins
You can also remove groups based on a wildcard character. For example, to delete all groups whose name ends with "admins":
Get-ADGroup -Filter 'Name -like "*admins"' | Remove-ADGroup
The above command combines two commands with the "|" (pipe) sign. The pipe passes the group objects returned by Get-ADGroup as input to Remove-ADGroup, so every group that matches the filter is removed.
4. Example of Set-ADGroup Command:
The following command converts the HelpDeskAdmins Domain Local group to a Universal group. We created this group in step 2.
Set-ADGroup HelpDeskAdmins -GroupScope Universal
The following command populates the Description field of the HelpDeskAdmins group.
Set-ADGroup HelpDeskAdmins -Description "This is Help Desk Administrator Group"
You can also combine multiple commands with the help of |. For example, to convert all DomainLocal groups whose name ends with "admins" to Universal groups:
Get-ADGroup -Filter 'Name -like "*admins" -and GroupScope -eq "DomainLocal"' | Set-ADGroup -GroupScope Universal
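The wildcard pipelines into Remove-ADGroup and Set-ADGroup above act on every match, and a domain-wide "*admins" filter also matches built-in groups such as Domain Admins. The following is an added example, not part of the original post, that scopes the search, excludes protected groups, saves a record, and previews the change with -WhatIf. The OU path and backup file name are assumptions.

```powershell
# Added example: review and record the target set before a bulk group change.
Import-Module ActiveDirectory

# Assumption: custom groups live under this OU (hypothetical path; adjust to your domain).
$searchBase = 'OU=Groups,DC=W2k8Microsoft,DC=local'
# Assumption: backup location and file name are illustrative.
$backupFile = Join-Path $env:TEMP ('adgroups-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))

# Resolve the wildcard first, limited to one OU, and fetch the attributes needed for review.
$candidates = @(Get-ADGroup -Filter 'Name -like "*admins"' -SearchBase $searchBase `
    -Properties isCriticalSystemObject, ProtectedFromAccidentalDeletion, Description, Members)

# Built-in groups carry isCriticalSystemObject = TRUE; some groups are flagged as
# protected from accidental deletion. Keep both out of the target set.
$skipped = @($candidates | Where-Object {
    $_.isCriticalSystemObject -or $_.ProtectedFromAccidentalDeletion
})
$targets = @($candidates | Where-Object {
    -not $_.isCriticalSystemObject -and -not $_.ProtectedFromAccidentalDeletion
})

# Record what is about to change, including membership, so it can be rebuilt by hand.
$targets |
    Select-Object Name, SamAccountName, GroupScope, GroupCategory, DistinguishedName,
        Description, @{ Name = 'Members'; Expression = { $_.Members -join ';' } } |
    Export-Csv -Path $backupFile -NoTypeInformation -Encoding UTF8

Write-Host ("Matched: {0}  Targets: {1}  Skipped: {2}" -f `
    $candidates.Count, $targets.Count, $skipped.Count)
$skipped | ForEach-Object { Write-Host ("Skipped (protected): {0}" -f $_.DistinguishedName) }

# Dry run: prints what would be removed without changing the directory.
$targets | Remove-ADGroup -WhatIf

# The same preview works for the scope change:
#   $targets | Where-Object { $_.GroupScope -eq 'DomainLocal' } |
#       Set-ADGroup -GroupScope Universal -WhatIf

# After reviewing the output, rerun without -WhatIf. Remove-ADGroup then prompts
# for each group unless -Confirm:$false is passed.
```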
I hope this post is informative. In next post I’ll discuss more about Active Directory PowerShell commands.