« Creating an Organizational Unit in Active Directory with PowerShell | Main | Creating a User Account in Active Directory with PowerShell »
Creating Groups in Active Directory with PowerShell
By Adam Bell | February 12, 2007
Groups come in several flavours in Microsoft’s Active Directory. I’m not about to give you an in-depth on them here. If you’d like to find out more, read here about halfway down the page.
A more specific breakdown on the Groups, and their values can be found on MSDN here.
# Constants from: http://msdn2.microsoft.com/en-us/library/aa772263.aspx
Set-Variable -Name ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP -value 4 -option constant
Set-Variable -Name ADS_GROUP_TYPE_GLOBAL_GROUP -value 2 -option constant
Set-Variable -Name ADS_GROUP_TYPE_LOCAL_GROUP -value 4 -option constant
Set-Variable -Name ADS_GROUP_TYPE_UNIVERSAL_GROUP -value 8 -option constant
Set-Variable -Name ADS_GROUP_TYPE_SECURITY_ENABLED -value -2147483648 -option constant
Set-Variable -Name ADS_GROUP_TYPE_SECURITY_DOMAIN_LOCAL `
-value ($ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP `
-bor $ADS_GROUP_TYPE_SECURITY_ENABLED) -option constant
Set-Variable -Name ADS_GROUP_TYPE_SECURITY_DOMAIN_GLOBAL `
-value ($ADS_GROUP_TYPE_GLOBAL_GROUP `
-bor $ADS_GROUP_TYPE_SECURITY_ENABLED) -option constant
Set-Variable -Name ADS_GROUP_TYPE_SECURITY_UNIVERSAL `
-value ($ADS_GROUP_TYPE_UNIVERSAL_GROUP `
-bor $ADS_GROUP_TYPE_SECURITY_ENABLED) -option constant
# ---------------------------------------------------------------------------------------------------
# Bind to the root of the domain
$root = [adsi]""
$rootdn = $root.distinguishedname
# ---------------------------------------------------------------------------------------------------
function create-group
# ---------------------------------------------------------------------------------------------------
{
Param (
$Location,
$Group,
$scope,
$Description
)
# The domain DN is added so the OU location doesn't need to be a full DN :)
# This also doesn't tie you down to a specific Domain.
$ou = [adsi]("LDAP://"+$Location+","+$rootDN)
$newGroup = $ou.create("group", "cn="+$Group)
$newgroup.put("sAmAccountName", $Group)
$newGroup.Put("Description", $Description)
switch ($scope)
{
"Security Domain Local" {$Type = $ADS_GROUP_TYPE_SECURITY_DOMAIN_LOCAL}
"Security Domain Global" {$Type = $ADS_GROUP_TYPE_SECURITY_DOMAIN_GLOBAL}
"Security Universal" {$Type = $ADS_GROUP_TYPE_SECURITY_UNIVERSAL}
"Distribution Domain Local" {$Type = $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP}
"Distribution Domain Global" {$Type = $ADS_GROUP_TYPE_GLOBAL_GROUP}
"Distribution Universal" {$Type = $ADS_GROUP_TYPE_UNIVERSAL_GROUP}
}
$NewGroup.put("grouptype", $Type)
$newGroup.SetInfo()
}
# ---------------------------------------------------------------------------------------------------
Create-Group "ou=Test OU" "Test Group" "Security Domain Local" "My Test Group"
There’s a few things worth noting in the function above:
The constant declarations show that the difference between a distribution group and a security group is the security group has been OR‘d with the ADS_GROUP_TYPE_SECURITY_ENABLED bit.
If you don’t specify a grouptype when creating the group it will default to Security Domain Global. That’s not something you can test in the function above, but ADSI behaviour.
If you compare the above function with the function I posted for creating OU’s on Friday, you can see that there isn’t a big difference. This is actually pretty consistent for object manipulation in Active Directory.
- Creating an Organizational Unit in Active Directory with PowerShell
- Creating a User Account in Active Directory with PowerShell
- Raising Active Directory Domain and Forest functionality to Windows 2003 with PowerShell
- Control Access Rights in Active Directory
- Active Directory Permissions – Standard Rights
Topics: Active Directory, PowerShell | No Comments »