This article demonstrates how to use PowerShell for AD group and group member management. The Active Directory Users and Computers tool is easy for beginners, but PowerShell offers more power, automation, and efficiency for identity management tasks, group management included. We will walk through the most common PowerShell commands for AD group management.
AD Group Management PowerShell Examples
Remote PowerShell AD Group Management
If your computer is joined to the domain and your logged-on domain account has the permissions needed for the operations you are performing, you can skip this step. If you are working from a laptop or other computer that is not joined to the domain (for example over a VPN), you can still run these commands against the domain: every cmdlet in the ActiveDirectory module (installed with RSAT and loaded with Import-Module ActiveDirectory) supports the -Credential option, which lets you authenticate with your domain credentials, and the -Server option, which lets you name the domain controller to talk to. This assumes the network you are on can resolve the domain's DNS names and reach a domain controller on TCP port 9389, the Active Directory Web Services port the module uses. If the machine cannot locate a domain controller on its own, add -Server with the domain controller's FQDN alongside -Credential.
To store your domain credentials in a variable in PowerShell, run the following command.
$credential = Get-Credential
You will be prompted for a user name and password; enter the account as DOMAIN\username or user@domain. The password is held in $credential as a SecureString, and the variable can be passed to subsequent commands. Prompting this way keeps the password out of the script itself, so do not replace it with a hard-coded plain-text password.
Get AD User with PowerShell
Probably the most common AD cmdlet, Get-ADUser is often the first step in group management. While not group specific, it is worth including here.
Get-ADUser -Credential $credential -Identity <samAccountName> -Properties memberOf | Select-Object memberOf
The output lists the groups the user is a direct member of. If the list is long, PowerShell's default formatting truncates it (by default only the first four values of a collection are shown, followed by "..."). Use -ExpandProperty to print every entry, one per line. Note that the Get-ADUser results are being piped into Select-Object, and that memberOf lists only direct memberships: neither groups reached through nesting nor the user's primary group (normally Domain Users) appear in it.
Get-ADUser -Credential $credential -Identity <samAccountName> -Properties memberOf | Select-Object -ExpandProperty memberOf
-Credential | Your domain credentials |
-Identity | The samAccountName of the user you are querying group membership for |
-Properties | The memberOf attribute, or any other attribute you want returned (Get-ADUser returns only a small default set of attributes unless asked) |
-ExpandProperty | Expand the property so every value is displayed |
Get AD Group Member with PowerShell
The Get-ADGroupMember command lists the members of a given group. Here the -Identity value is the group, not a user.
Get-ADGroupMember -Credential $credential -Identity <groupSamAccountName>
The -Identity parameter accepts a samAccountName, a distinguished name (in quotes), an objectGUID, or a SID, so if the samAccountName is not found you can pass the full distinguished name instead.
By default only direct members are returned, and nested groups show up as members of type group. To flatten the membership of nested (child) groups, include the -Recursive option. Note that the recursive output contains only the leaf objects (users, computers, and so on) reached through the chain, not the intermediate groups themselves. Both forms go through Active Directory Web Services, which by default refuses to return more than 5000 members for a single group (the MaxGroupOrMemberEntries limit), so on very large groups the call fails with a size-limit error.
Get-ADGroupMember -Credential $credential -Identity <groupSamAccountName> -Recursive
Get AD Group with Powershell
To retrieve a group object (security or distribution) from Active Directory, use the Get-ADGroup command.
Get-ADGroup -Credential $credential -Identity <samAccountName>
Get AD Group wildcard search
If you know a word within a group name but not its exact cn, samAccountName, or other identity, you can search for it with a wildcard filter. The script-block filter below works; the same filter can also be written as a string ('name -like "*test*"'), which is the form Microsoft recommends. Add -Credential as in the earlier examples when running remotely.
Get-ADGroup -Filter {name -like "*test*"}
Get groups for a given user in PowerShell
The Get-ADUser command lets you select the memberOf attribute and expand it. There is a convenience cmdlet that does the same job, Get-ADPrincipalGroupMembership. Apart from the long name, it is convenient, and it has one difference worth knowing: it also returns the account's primary group (normally Domain Users), which memberOf does not list. Like memberOf, it reports direct membership only.
Get-ADPrincipalGroupMembership -Credential $credential -Identity <samAccountName>
The downside of this command is its verbose output. The Get-ADUser memberOf example displays only each group's distinguished name, whereas this command returns full group objects. You can pipe the output into Select-Object to keep only specific attributes, such as distinguishedName.
Get-ADPrincipalGroupMembership -Credential $credential -Identity <samAccountName> | Select-Object distinguishedName
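Both Get-ADGroupMember -Recursive (above) and the memberOf / Get-ADPrincipalGroupMembership queries in this section stop short of what a security review usually needs: the first hides the intermediate groups and hits the 5000-member limit, the second two report direct membership only. The following script is an added example, not code from the original article, showing how to resolve effective (transitive) membership in both directions with one server-side LDAP query using the LDAP_MATCHING_RULE_IN_CHAIN operator (OID 1.2.840.113556.1.4.1941). It assumes the RSAT ActiveDirectory module is installed; the domain controller name dc01.example.com, the account name jdoe, and the $credential variable are assumptions for illustration.

```powershell
# Added example (not from the original article): effective group membership in
# both directions via LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941).
# Assumptions: RSAT ActiveDirectory module present; dc01.example.com, 'jdoe'
# and $credential (from Get-Credential) are illustrative only.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter value. A DN such
    # as "CN=Doe\, Jane,OU=Staff,DC=example,DC=com" contains a backslash that
    # would otherwise be read as the start of an escape sequence.
    param([Parameter(Mandatory)] [string] $Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-EffectiveGroupMembers {
    # Everything that is a member of the group directly or through any depth of
    # nesting. Unlike Get-ADGroupMember -Recursive this also returns the
    # intermediate groups, and because the chain is expanded inside the
    # directory it is not subject to the ADWS 5000-entry group member limit.
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity,
        [string] $Server,
        [pscredential] $Credential
    )
    $ad = @{}
    if ($Server)     { $ad['Server']     = $Server }
    if ($Credential) { $ad['Credential'] = $Credential }

    $group = Get-ADGroup -Identity $GroupIdentity @ad
    $dn    = ConvertTo-LdapFilterValue $group.DistinguishedName
    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" -Properties sAMAccountName @ad |
        Select-Object sAMAccountName, ObjectClass, DistinguishedName
}

function Get-EffectivePrincipalGroups {
    # Reverse direction: every group the principal belongs to directly or
    # through nesting. memberOf lists direct groups only, so an account in
    # "Helpdesk" that is itself nested in "Domain Admins" never shows
    # "Domain Admins" there; the chain rule finds it.
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Server,
        [pscredential] $Credential
    )
    $ad = @{}
    if ($Server)     { $ad['Server']     = $Server }
    if ($Credential) { $ad['Credential'] = $Credential }

    $escaped   = ConvertTo-LdapFilterValue $SamAccountName
    $principal = @(Get-ADObject -LDAPFilter "(sAMAccountName=$escaped)" @ad)
    if ($principal.Count -ne 1) { throw "Expected exactly one object with sAMAccountName '$SamAccountName', found $($principal.Count)" }
    $dn = ConvertTo-LdapFilterValue $principal[0].DistinguishedName
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" @ad |
        Select-Object Name, GroupScope, GroupCategory, DistinguishedName
}

# Usage with the assumed names. Dropping 'group' objects from the first query
# leaves the accounts that can actually act with the group's rights.
$ad = @{ Server = 'dc01.example.com'; Credential = $credential }
Get-EffectiveGroupMembers -GroupIdentity 'Domain Admins' @ad |
    Where-Object ObjectClass -ne 'group' | Format-Table -AutoSize
Get-EffectivePrincipalGroups -SamAccountName 'jdoe' @ad | Format-Table -AutoSize
```

One gap remains in both directions: membership held through an account's primaryGroupID is stored on the account, not in the group's member attribute, so an account whose primary group has been changed to the target group is not returned by either query. When auditing a privileged group, also check for accounts whose primaryGroupID equals that group's RID.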
Add AD Group Member with PowerShell
To add a domain user (or a computer, group, or managed service account) to a group, use the Add-ADGroupMember command. As with the other cmdlets, add -Credential when running it remotely.
Add-ADGroupMember -Identity <groupSamAccountName> -Members <userSamAccountName>
-Identity | The samAccountName (or distinguished name) of the group you are adding members to |
-Members | The samAccountName of the principals to add. This argument accepts a comma-separated list, so several members can be added in one call. |
Create AD Group with PowerShell
To create a new security or distribution group in Active Directory with PowerShell, run the following command.
New-ADGroup -Credential $credential -Name "exampleGroup" -SamAccountName exampleGroup -GroupCategory Security -GroupScope Global -DisplayName "Example Group" -Path "CN=Groups,DC=example,DC=com" -Description "Example Group"
-Name | The name of the group; it becomes the object's cn and is required |
-SamAccountName | The pre-Windows 2000 logon name of the group, which is the identity used in the other examples |
-GroupCategory | Security or Distribution (the numeric values 1 and 0 are also accepted) |
-GroupScope | DomainLocal, Global, or Universal (the numeric values 0, 1, and 2 are also accepted) |
-DisplayName | The name to be displayed for the group |
-Path | The distinguished name of the container or OU the group will be created in; if omitted, the domain's default container for groups (CN=Users) is used |
-Description | A description of the group's purpose. Not required, but recommended for documentation purposes |
Remove AD Group with PowerShell
To delete an Active Directory group with PowerShell, run the following command. Remove-ADGroup prompts for confirmation by default; pass -Confirm:$false only in scripts where the prompt is unwanted. Check the group's members (Get-ADGroupMember) and where the group is used before deleting it, since deleting it removes the access it granted.
Remove-ADGroup -Credential $credential -Identity <samAccountName>
Remove AD Group Member with PowerShell
To remove a member from a group in AD, run the following command. Like Remove-ADGroup, it prompts for confirmation unless you pass -Confirm:$false.
Remove-ADGroupMember -Credential $credential -Identity <groupSamAccountName> -Members <userSamAccountName>
To remove several domain users from the same group at once, the -Members option accepts a comma-separated list of users.
Modify an AD group with PowerShell
The Set-ADGroup command modifies the attributes of an existing group.
Set-ADGroup -Credential $credential -Identity <samAccountName> -Description "Changed Description"
This example changed the group's description.
Parameters other than -Description are also supported. They include the following.
- DisplayName
- SamAccountName
- ManagedBy (the user or group responsible for the group)
- Replace (a hashtable of attribute names and values; can be used to set any attribute on the group)
- Add, Remove, and Clear (add, remove, or clear individual values of an attribute, again as a hashtable)
Execute Remote AD Group Management Script
The previous examples have shown how to run the individual AD group management cmdlets, passing -Credential when working from a computer that is not domain-joined or when acting as a more privileged account.
This section shows how to wrap those cmdlets in a script for a more involved task, one that needs several lines of code, or that simply saves you from having to remember the exact syntax of each cmdlet.
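The following script is an added example, not the article's own code, of the kind of wrapper this section describes: it enforces a desired membership state for one group from a machine that need not be domain-joined, passes -Server and -Credential on every call, supports -WhatIf so the change can be previewed, and reads the group back afterwards so the result is verified rather than assumed. It assumes the RSAT ActiveDirectory module; the server name dc01.example.com, the group App-Admins, and the account names jdoe and svc-app are hypothetical.

```powershell
# Added example (not the article's script): idempotent, previewable group
# membership change with a read-back check. Assumptions: RSAT ActiveDirectory
# module present; dc01.example.com, 'App-Admins', 'jdoe' and 'svc-app' are
# hypothetical names.
Import-Module ActiveDirectory

function Set-ADGroupMemberState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $Group,       # group samAccountName or DN
        [Parameter(Mandatory)] [string[]]     $Member,      # samAccountNames of users, computers or groups
        [Parameter(Mandatory)] [ValidateSet('Present', 'Absent')] [string] $State,
        [Parameter(Mandatory)] [string]       $Server,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $ad = @{ Server = $Server; Credential = $Credential }

    # Resolve the group up front so a wrong name fails before any change is made.
    $grp     = Get-ADGroup -Identity $Group -Properties member @ad
    $current = @($grp.member)            # distinguished names of the direct members

    foreach ($name in $Member) {
        # The name is interpolated into a filter, so reject characters that
        # would change its meaning instead of trying to escape them.
        if ($name -match "[*'\\]") { throw "Unsupported character in member name '$name'" }
        $obj = @(Get-ADObject -Filter "sAMAccountName -eq '$name'" @ad)
        if ($obj.Count -ne 1) { throw "'$name' matched $($obj.Count) objects; expected exactly one" }
        $dn       = $obj[0].DistinguishedName
        $isMember = $current -contains $dn   # exact DN comparison, case-insensitive

        if ($State -eq 'Present' -and -not $isMember) {
            if ($PSCmdlet.ShouldProcess($grp.DistinguishedName, "add member $dn")) {
                Add-ADGroupMember -Identity $grp -Members $dn @ad
            }
        }
        elseif ($State -eq 'Absent' -and $isMember) {
            # ShouldProcess already honoured -WhatIf/-Confirm, so suppress the
            # cmdlet's own confirmation prompt here.
            if ($PSCmdlet.ShouldProcess($grp.DistinguishedName, "remove member $dn")) {
                Remove-ADGroupMember -Identity $grp -Members $dn -Confirm:$false @ad
            }
        }
        else {
            Write-Verbose "No change needed: $dn is already $State in $($grp.Name)"
        }
    }

    # Read the group back and return its direct members so the caller can
    # verify or log the resulting state instead of trusting the change.
    (Get-ADGroup -Identity $grp.DistinguishedName -Properties member @ad).member
}

# Usage with the assumed names: preview with -WhatIf, then apply with -Verbose.
$credential = Get-Credential
$params = @{ Group = 'App-Admins'; Server = 'dc01.example.com'; Credential = $credential }
Set-ADGroupMemberState @params -Member 'jdoe', 'svc-app' -State Present -WhatIf
Set-ADGroupMemberState @params -Member 'jdoe', 'svc-app' -State Present -Verbose
```

Because the function compares distinguished names against the group's current member attribute, running it twice is harmless, which is what makes it safe to schedule or to call from a larger provisioning script.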
Conclusion
This article has demonstrated how to perform various PowerShell commands to manage AD Groups, Members, Group Memberships, and more. Let us know in the comments if you have any questions or would like to see additional examples. If you found this article helpful, check out more of our content.