We all know how to create an Active Directory group via the GUI. Right-click, select this, select that, and you are done.
But doing this via PowerShell is a great way to manage computer accounts in Active Directory.
To be able to create, move, or delete AD groups, OUs, and so on, you need to have at least Windows PowerShell v 1.0 on the computer.
There is absolutely no reason not to use AD Module cmdlets. And by practicing a bit, you could end up working with PowerShell on a daily basis.
One thing before we start: in order to work with the AD module, you will have to import it first. There are two ways to import a module into PowerShell.
First, open a PowerShell console and run: Get-Module to check which modules you have already imported.
As you may see, I don’t have much listed as imported. So, now run
and check which modules you have available for import.
Cool. We have quite a lot of modules ready to be imported. But for the time being, we will focus on the first one: ActiveDirectory.
On the right side, under ‘ExportedCommands’, you can see that we have commands like New-ADObject, Rename-ADObject, and so on. We will use some of them.
Let's get back to how to import a module. As I said earlier, there are two ways to import modules. The first one is by using the command: Import-Module. Shall we try it now?
Right after that command, I executed Get-Module once again to check if the module has been imported. And it was, as you can see on the latest screenshot.
The second option is just to run one of the cmdlets contained in the Active Directory module, like Get-ADObject -Filter *
Before you run this command, re-open PowerShell and run Get-Module once again. (When you close the PowerShell window, the module is removed. There are ways to have modules loaded every time you open your PowerShell console, but that is another topic.) You will see that the Active Directory module is missing. Now run Get-ADObject -Filter *
If you run Get-Module again, you will see that the Active Directory module has been imported.
OK, so now that we have the module imported, let's try to create a group and an OU.
To create a group, run this command:
New-ADGroup -Name "Forwards" -GroupCategory Security -GroupScope Global -DisplayName "LiverpoolFC Forwards" -Path "CN=Users,DC=Liverpool,DC=local" -Description "Members of this group are Liverpool FC forwards for season 16/17"
Of course, you have to change the -Path parameter to match your domain, and you can name the group as you wish. But this is what it should look like when you decide to create a new group in your AD.
After you have run the command, go and check if the group is there. In my case, I can see it under Users OU:
Or you could run:
Get-ADGroup -Filter 'Name -like "forwards"'
Get-ADGroup is another cmdlet which is part of the Active Directory PowerShell module.
To check what else you could do with this cmdlet, run help New-ADGroup -full and check what other options you have.
But let's say that we want to create a completely new Organizational Unit, where we will put all our Liverpool FC players. OK, let's do it!
To create a new Organizational Unit, first we need to find out which cmdlet we could use.
Awesome! We could use New-ADOrganizationalUnit to create a new OU.
Let's run: help
to check how to do it.
Check the syntax and the examples as well. Based on them, we find that we could use something like this:
New-ADOrganizationalUnit -Name Liverpool_Players -Path "DC=liverpool,DC=local"
Now, go and check if the OU is created in AD Users and Computers.
Or you could use
Get-ADOrganizationalUnit -Filter 'Name -like "liverpool*"'
(in your case, use whatever name you gave the OU).
Now, let's try to move our Forwards group from OU Users into OU Liverpool_Players.
To do that we should run:
and examine the results.
Awesome! We have Move-ADObject, which we could use to move our group from one OU to another.
Let's see what PowerShell has to say regarding this cmdlet: help Move-ADObject -full
So, we know that our global security group ‘Forwards’ is in CN=Users,DC=Liverpool,DC=local.
And we want to move it to OU Liverpool_Players, which is in DC=Liverpool,DC=Local.
Let's do it!
Move-ADObject -Identity "CN=Forwards,CN=Users,DC=Liverpool,DC=local" -TargetPath "OU=Liverpool_Players,DC=Liverpool,DC=local"
Now, let's check if our global security group was moved from one OU to another.
And it is!!! Great job! We can check via PowerShell as well. Remember that Get-ADGroup cmdlet?
Get-ADGroup -Filter 'Name -like "forwards"'
Run this and compare it with the previous result.
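The three steps above (create the OU, create the group, move the group) can be combined into one re-runnable script. This is an added example, not part of the original walkthrough; the `$DryRun` variable and the other variable names are assumptions, and the domain values mirror the lab domain used above.

```powershell
# Added example, not from the original article. Values mirror the article's lab domain.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$DryRun    = $true   # assumption: set to $false after reviewing the "What if:" output
$DomainDN  = 'DC=Liverpool,DC=local'
$OUName    = 'Liverpool_Players'
$GroupName = 'Forwards'
$TargetOU  = "OU=$OUName,$DomainDN"

# 1. Create the OU only if it is not already there, so a second run does not fail.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OUName'" -SearchBase $DomainDN -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OUName -Path $DomainDN `
        -ProtectedFromAccidentalDeletion $true -WhatIf:$DryRun
}

# 2. Look the group up by exact name. The same name can exist in several
#    containers, so stop rather than guess which one to move.
$found = @(Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $DomainDN)
if ($found.Count -gt 1) {
    throw "More than one group named '$GroupName': $($found.DistinguishedName -join '; ')"
}
if ($found.Count -eq 0) {
    # -PassThru returns the new group; under -WhatIf nothing is created and $group stays empty.
    $group = New-ADGroup -Name $GroupName -GroupCategory Security -GroupScope Global `
        -Path "CN=Users,$DomainDN" -PassThru -WhatIf:$DryRun
} else {
    $group = $found[0]
}

# 3. Move the group only if it is not already in the target OU.
if ($group -and $group.DistinguishedName -ne "CN=$GroupName,$TargetOU") {
    $group | Move-ADObject -TargetPath $TargetOU -WhatIf:$DryRun
}

# 4. Re-read the group by GUID (the GUID survives a move, the DN does not) and show where it is.
if ($group) {
    Get-ADGroup -Identity $group.ObjectGUID |
        Select-Object Name, GroupCategory, GroupScope, DistinguishedName
}
```

With `$DryRun = $true` each changing cmdlet only prints what it would do, which is worth reviewing first because moving a group into another OU changes which delegated permissions apply to it.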
Alright. This was just a short insight into what you can do with the Active Directory PowerShell module. There are a bunch of other cmdlets and commands which you could use to successfully manage Active Directory.
I have found that managing Active Directory via PowerShell is much easier and faster than via AD Users and Computers. But it requires a lot of practice and time.