PowerShell AD Group Members

February 8, 2023 by Mister PKI

This article demonstrates how to use PowerShell for AD group member management. While beginners may find the Active Directory Users and Computers tool easier, PowerShell provides more power, automation, and efficiency for identity management tasks, including group management. We will walk through some of the most common PowerShell commands for AD group management.

AD Group Management PowerShell Examples

Remote PowerShell AD Group Management

If your computer is joined to a domain and your domain account has the appropriate permissions for the PowerShell functions you are trying to perform, do not worry about this step. For those that are running a VPN connection from a laptop or other computer that is not joined to the domain, it’s useful to run remote commands. Most if not all PowerShell commands for Active Directory support the -Credential option, allowing you to connect to Active Directory with your domain credentials. This of course assumes the VPN network is aware of the domain.

To store your domain credentials in a variable in PowerShell, run the following command.

$credential = Get-Credential

You will be prompted to enter your domain credentials. After doing so, the $credential variable is available to include as a parameter to subsequent commands.

Get AD User with PowerShell

What may be the most common AD command, Get-ADUser is often a first step in performing group management functions. While not group specific, we thought it worthwhile to include the example here.

Get-ADUser -Credential $credential -Identity <samAccountName> -Properties memberOf | Select memberOf

In the output you will be shown all of the groups a user is a member of. Notice however that if the list of groups is long, the output will be cut off. You can add the -ExpandProperty option to show all of the groups. Note that the Get-ADUser results are being piped into the Select.

Get-ADUser -Credential $credential -Identity <samAccountName> -Properties memberOf | Select memberOf -ExpandProperty memberOf
-Credential      Your domain credentials
-Identity        The samAccountName of the user you are querying group membership for
-Properties      The memberOf attribute or any other attribute you wish to get data for
-ExpandProperty  Expand the property to display all results

Get AD Group Member with PowerShell

The Get-ADGroupMember command will show all members in a given group.

Get-ADGroupMember -Credential $credential -Identity <samAccountName>

Note that in the event passing the samAccountName doesn’t work, you can pass the full distinguished name in quotes.

To flatten out the group membership with nested or child groups, include the -Recursive option.

Get-ADGroupMember -Credential $credential -Identity <samAccountName> -Recursive
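The -Recursive output above tells you who is effectively a member, but not how they got there. The following script, added here as an example rather than taken from the article, combines the direct and recursive listings to flag members who are inherited only through nested groups and names the nested group(s) that convey the membership. It assumes the ActiveDirectory module, a $credential from Get-Credential, and uses 'exampleGroup' as a placeholder group name.

```powershell
# Added example, not from the original article: report a group's effective
# membership and show which members are inherited only through nested groups.
# Assumes the ActiveDirectory module; $credential comes from Get-Credential
# and 'exampleGroup' is a placeholder group name.
Import-Module ActiveDirectory

function Get-NestedMembershipReport {
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity,
        [pscredential] $Credential
    )
    $cred = @{}
    if ($Credential) { $cred['Credential'] = $Credential }

    # Direct members as listed on the group itself (users, computers, groups).
    $direct = Get-ADGroupMember @cred -Identity $GroupIdentity
    # Flattened membership: -Recursive resolves nested groups to their leaf members.
    # Note: ADWS returns at most 5000 members per call by default.
    $effective = Get-ADGroupMember @cred -Identity $GroupIdentity -Recursive

    $directDns = @($direct | Where-Object { $_.objectClass -ne 'group' } |
                   Select-Object -ExpandProperty distinguishedName)

    # Map each leaf member to the nested group(s) that convey its membership.
    $via = @{}
    foreach ($g in ($direct | Where-Object { $_.objectClass -eq 'group' })) {
        Get-ADGroupMember @cred -Identity $g.distinguishedName -Recursive |
            ForEach-Object { $via[$_.distinguishedName] += @($g.name) }
    }

    foreach ($m in $effective) {
        [pscustomobject]@{
            Member          = $m.SamAccountName
            Class           = $m.objectClass
            Direct          = $directDns -contains $m.distinguishedName
            ViaNestedGroups = ($via[$m.distinguishedName] -join ', ')
        }
    }
}

# Example run: list only the members who are not direct members of the group.
$credential = Get-Credential
Get-NestedMembershipReport -GroupIdentity 'exampleGroup' -Credential $credential |
    Where-Object { -not $_.Direct } | Format-Table -AutoSize
```

Pipe the full report to Export-Csv to keep a point-in-time record of a sensitive group's membership for later comparison.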

Get AD Group with PowerShell

To get a security group in Active Directory, use the Get-ADGroup command.

Get-ADGroup -Credential $credential -Identity <samAccountName>

Get groups for a given user in PowerShell

The Get-ADUser command allows you to select the memberOf attribute and expand it. There is a convenience function for doing this same thing, the Get-ADPrincipalGroupMembership command. Other than the long name, it’s convenient.

Get-ADPrincipalGroupMembership -Credential $credential -Identity <samAccountName>

The downside to this command is the extensive output for each group. The Get-ADUser memberOf example displays only the distinguished name of each group, whereas this command displays much more data. Alternatively, you can pipe the output into a Select to return only specific attributes, such as the distinguishedName.

Get-ADPrincipalGroupMembership -Credential $credential -Identity <samAccountName> | Select distinguishedName

Add AD Group Member with PowerShell

To add a domain user to a group, use the Add-ADGroupMember command.

Add-ADGroupMember -Identity <groupSamAccountName> -Members <userSamAccountName>
-Identity  The samAccountName of the group you are adding a user to
-Members   The samAccountName of the users you are adding to the group. This argument takes a comma-delimited list.

Create AD Group with PowerShell

To create a new security or distribution group in Active Directory with PowerShell, run the following command.

New-ADGroup -Credential $credential -Name "exampleGroup" -SamAccountName exampleGroup -GroupCategory Security -GroupScope Global -DisplayName "Example Group" -Path "CN=Groups,DC=example,DC=com" -Description "Example Group"
-Name            The name of the group
-SamAccountName  The identifier of the group
-GroupCategory   0=distribution, 1=security
-GroupScope      0=DomainLocal, 1=Global, 2=Universal
-DisplayName     The name to be displayed for the group.
-Path            The distinguished name of the container or OU in which the group will reside.
-Description     Description of the purpose of the group. Not required, but recommended for documentation purposes.

Remove AD Group with PowerShell

To remove an Active Directory Group with PowerShell, run the following command.

Remove-ADGroup -Credential $credential -Identity <samAccountName>

Remove AD Group Member with PowerShell

To remove a member from a group in AD, run the following command.

Remove-ADGroupMember -Credential $credential -Identity <groupSamAccountName> -Members <userSamAccountName>

To remove multiple domain users from the same group, the -Members option accepts a comma-delimited list of users.

Modify an AD group with PowerShell

The Set-ADGroup command modifies the properties of an AD group.

Set-ADGroup -Credential $credential -Identity <samAccountName> -Description "Changed Description"

This specific example changed the group description.

Flags other than -Description are also supported. They include the following.

  • DisplayName
  • SamAccountName
  • Replace (can be used to replace any attribute on the group)

Execute Remote AD Group Management Script

The previous examples have demonstrated how to execute various AD group management functions using the -Credential option if on a remote computer or as another more privileged user.

This example will demonstrate how to execute a more involved or advanced function that may require multiple lines of code, and that can also save you from having to remember the exact syntax of the individual AD group management commands.
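As an added example (not the article's own script), the function below wraps the Get-ADGroup, Get-ADGroupMember, Get-ADUser and Add-ADGroupMember commands covered above into one reusable, multi-line operation that adds a batch of users to a group. It passes -Credential to every call so it works from a non-domain-joined machine, skips users who are already members or do not exist, and supports -WhatIf so the change can be previewed first. It assumes the ActiveDirectory module; the group and user names are placeholders.

```powershell
# Added example, not the article's own script: add several users to a group in one
# run from a non-domain-joined machine by passing -Credential to every call.
# Assumes the ActiveDirectory module; the group and user names are placeholders.
Import-Module ActiveDirectory

function Add-GroupMembersSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $GroupIdentity,
        [Parameter(Mandatory)] [string[]] $UserSamAccountNames,
        [pscredential] $Credential
    )
    $cred = @{}
    if ($Credential) { $cred['Credential'] = $Credential }

    # Resolve the group once; this throws early if it does not exist.
    $group = Get-ADGroup @cred -Identity $GroupIdentity
    # Current direct members, so re-running the script adds nothing twice.
    $current = @(Get-ADGroupMember @cred -Identity $group.DistinguishedName |
                 Select-Object -ExpandProperty SamAccountName)

    $toAdd = @(foreach ($sam in $UserSamAccountNames) {
        if ($current -contains $sam) {
            Write-Verbose "$sam is already a member of $($group.Name); skipping"
            continue
        }
        # Emit the user object if found; warn and skip if the name is unknown.
        try { Get-ADUser @cred -Identity $sam -ErrorAction Stop }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            Write-Warning "User '$sam' not found; skipping"
        }
    })

    if ($toAdd.Count -eq 0) { Write-Verbose 'Nothing to add'; return }

    # One call for the whole batch: -Members accepts an array of users.
    if ($PSCmdlet.ShouldProcess($group.Name, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember @cred -Identity $group.DistinguishedName -Members $toAdd
    }
    # Return what was added (or would be, under -WhatIf) so the caller can log it.
    $toAdd
}

$credential = Get-Credential
# -WhatIf previews the change; drop it to apply. -Verbose shows skipped users.
Add-GroupMembersSafely -GroupIdentity 'exampleGroup' -UserSamAccountNames 'jdoe', 'asmith' `
    -Credential $credential -Verbose -WhatIf
```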

Conclusion

This article has demonstrated how to perform various PowerShell commands to manage AD Groups, Members, Group Memberships, and more. Let us know in the comments if you have any questions or would like to see additional examples. If you found this article helpful, check out more of our content.
