Create Active Directory Group with PowerShell

We all know how to create an Active Directory group via the GUI. Right-click, select this, select that, and you are done.

But doing this via PowerShell is a great way to manage computer accounts in Active Directory.

To be able to create, move, or delete AD groups, OUs, and so on, you need to have at least Windows PowerShell v 1.0 on the computer.

There is absolutely no reason not to use AD Module cmdlets. And by practicing a bit, you could end up working with PowerShell on a daily basis.

One thing before we start: in order to work with the AD Module, you will have to import it first. There are two ways to import a module into PowerShell.

First, open a PowerShell console and run: Get-Module to check which modules you have already imported.

As you may see, I don’t have much listed as imported. So, now run

Get-Module -ListAvailable

and check which modules you have available for import.

Cool. We have quite a lot of modules ready to be imported. But for the time being, we will focus on the first one: ActiveDirectory.

On the right side, under ‘ExportedCommands’, you could see that we have some commands like New-ADObject, Rename-ADObject, and so on. We will use some of them.

Let's get back to how to import a module. As I said earlier, there are two ways to import modules. The first one is by using the command Import-Module. Shall we try it now?

Import-Module ActiveDirectory

Right after that command, I executed Get-Module once again to check if the module has been imported. And it was, as you can see on the latest screenshot.

The second option is just to run some of the cmdlets which are contained in the Active Directory module, like Get-ADObject -Filter *

Before you run this command, re-open PowerShell (when you close the PowerShell window, the module is removed. There are ways to make some modules load permanently whenever you open your PowerShell console, but that is another topic), and run Get-Module once again. You will see that the Active Directory module is missing. Now run Get-ADObject -Filter *

If you run Get-Module again, you will see that the Active Directory module has been imported.

OK, so now that we have the module imported, let's try to create a group and an OU.

To create a group, run this command:

New-ADGroup -Name "Forwards" -GroupCategory Security -GroupScope Global -DisplayName "LiverpoolFC Forwards" -Path "CN=Users,DC=Liverpool,DC=local" -Description "Members of this group are Liverpool FC forwards for season 16/17"

Of course, you have to change the -Path parameter, and you can name the group as you wish. But this is how it should look when you decide to create a new group in your AD.

After you have run the command, go and check if the group is there. In my case, I can see it under Users OU:

Or you could run:

Get-ADGroup -Filter 'Name -like "forwards"'

Get-ADGroup is another cmdlet which is part of the Active Directory PowerShell module.

To check what else you could do with this cmdlet, run help New-ADGroup -full and check what other options you have.

But let's say that we want to create a completely new Organizational Unit to put all our Liverpool FC players in. OK, let's do it!

To create a new Organizational Unit, first we need to find out which cmdlet we could use.

Run:

help organizational

Awesome! We could use New-ADOrganizationalUnit to create a new OU.

Let's run:

help New-ADOrganizationalUnit -full

to check how to do it.

Check the syntax and the examples as well. Based on them, we have found out that we could use something like this:

New-ADOrganizationalUnit -Name Liverpool_Players -Path "DC=liverpool,DC=local"

Now, go and check if the OU is created in AD Users and Computers.

Or you could use

Get-ADOrganizationalUnit -Filter 'Name -like "liverpool*"'

(in your case, whatever name you used for the OU).

Now, let's try to move our Forwards group from OU Users into OU Liverpool_Players.

To do that we should run:

help adobject

and examine the results.

Awesome! We have Move-ADObject, which we could use to move our group from one OU to another.

Let's see what PowerShell has to say regarding this cmdlet: help Move-ADObject -full

So, we know that our global security group ‘Forwards’ is in CN=Users,DC=Liverpool,DC=local.

And we want to move it to OU Liverpool_Players, which is in DC=Liverpool,DC=Local.

Let's do it!

Move-ADObject -Identity "CN=Forwards,CN=Users,DC=Liverpool,DC=local" -TargetPath "OU=Liverpool_Players,DC=Liverpool,DC=local"

Now, let's check if our global security group was moved from one OU to another.

And it is!!! Great job! We can check via PowerShell as well. Remember that Get-ADGroup cmdlet?

Get-ADGroup -Filter 'Name -like "forwards"'

Run this and compare it with the previous result.
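
The three steps above (create the group, create the OU, move the group) combined into one re-runnable function, as an added example that is not part of the original post: it checks what already exists before changing anything and supports -WhatIf for a dry run. Set-GroupInOu is a hypothetical helper name, and reading the domain DN from Get-ADDomain is an assumption; adjust both to your environment.

```powershell
Import-Module ActiveDirectory -ErrorAction Stop

function Set-GroupInOu {   # hypothetical helper name, not a cmdlet from the AD module
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Restrict names so a value cannot break out of the quoted -Filter strings below
        [Parameter(Mandatory)][ValidatePattern('^[\w \-]+$')][string]$GroupName,
        [Parameter(Mandatory)][ValidatePattern('^[\w \-]+$')][string]$OuName,
        [string]$Description,
        [string]$DomainDN = (Get-ADDomain).DistinguishedName   # assumption: current domain
    )
    $ouDN = "OU=$OuName,$DomainDN"

    # Step 1: create the OU only if it is not already directly under the domain root
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -SearchScope OneLevel
    if (-not $ou -and $PSCmdlet.ShouldProcess($ouDN, 'Create OU')) {
        New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
    }

    # Step 2: look the group up by sAMAccountName, which is unique across the domain
    $group = Get-ADGroup -Filter "SamAccountName -eq '$GroupName'"
    if (-not $group) {
        $new = @{
            Name = $GroupName; SamAccountName = $GroupName
            GroupCategory = 'Security'; GroupScope = 'Global'; Path = $ouDN
        }
        if ($Description) { $new.Description = $Description }
        if ($PSCmdlet.ShouldProcess("CN=$GroupName,$ouDN", 'Create global security group')) {
            New-ADGroup @new
        }
    }
    elseif ($group.DistinguishedName -notlike "*,$ouDN") {
        # Step 3: the group exists elsewhere (for example CN=Users), so move it
        if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Move to $ouDN")) {
            Move-ADObject -Identity $group.DistinguishedName -TargetPath $ouDN
        }
    }

    # Return the resulting state so the caller can verify where the group ended up
    Get-ADGroup -Filter "SamAccountName -eq '$GroupName'" |
        Select-Object Name, GroupCategory, GroupScope, DistinguishedName
}

# Dry run first, then the real change
Set-GroupInOu -GroupName 'Forwards' -OuName 'Liverpool_Players' -WhatIf
Set-GroupInOu -GroupName 'Forwards' -OuName 'Liverpool_Players'
```

Running it a second time makes no changes, because the OU and the group are found by the lookups before any New- or Move- cmdlet is called.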

Alright. This was just a short insight into what you could do with the Active Directory PowerShell module. There are a bunch of other cmdlets and commands which you could use to successfully manage Active Directory.

I have found myself that managing Active Directory via PowerShell is much easier and faster than via AD Users and Computers. But it requires a lot of practice and time.