Managing group membership in Active Directory with PowerShell (Part 1)
By Adam Bell | February 15, 2007
Adding users to groups, or groups to groups (if your domain and forest functional levels allow it), is relatively straightforward. A good explanation of what changes when the domain/forest functional level is raised can be found here.
The Active Directory attributes responsible for group membership are memberOf and member. These two attributes are special because they are linked attributes: when you add a user to a group, that group automatically appears in the user's memberOf attribute. This works because the attributes are paired through linkIDs; a much better description of this can be found here.
There are a couple of things we need to be aware of when manipulating group membership programmatically:
If the account is only a member of its primary group, the memberOf attribute will be empty. This is documented in Microsoft KB article 275523.
So if the account has no other group membership, the only group-related information you can query on the account is its primary group, which is stored in the PrimaryGroupID attribute. As all users are, by default, a member of the same primary group, retrieving this is more of an academic exercise than a practical one.
By default all users in the domain have a PrimaryGroupID of 513. This number ties into the PrimaryGroupToken attribute on the group object, which for 513 is the Domain Users group. I don't believe it's any coincidence that this relates to the well-known SID for this group ;)
Another potential issue is highlighted in KB article 273272, which describes a rights issue that can occur when retrieving the attribute.
As an example, below we retrieve the group membership for Bella in the Test OU:
$rootDN = ([adsi]"").distinguishedName
$user = [adsi]("LDAP://cn=bella, ou=Test OU,"+$rootDN)
$user.memberOf
By default this will return nothing, as the property is not set. However, if the account has been added to other groups, you will get a System.DirectoryServices.PropertyValueCollection back, containing the full DN of each group the account is a member of.
You can enumerate this collection via:
$groups = $user.memberOf
foreach ($group in $groups)
{
write-host $group
}
Which will write out one line per group membership.
You can also access the information directly:
$groups = $user.memberOf
write-host $groups[1]
Which will display just the second group the account is a member of.
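Pulling the two points above together, here is an added example (not code from the original post) that returns the complete group list for an account: the DNs from memberOf plus the primary group that memberOf omits. The function name Get-FullGroupMembership and the user DN are assumptions; it uses the same [adsi] binding as the examples above and needs read access to memberOf (see KB 273272).

```powershell
# Added example, not part of the original post. Returns every group an
# account belongs to, including the primary group that memberOf never lists.
function Get-FullGroupMembership {
    param([string]$UserDN)   # e.g. "cn=bella,ou=Test OU,dc=example,dc=com" (constructed)

    $user = [adsi]("LDAP://" + $UserDN)

    # memberOf is empty when the account is only in its primary group (KB 275523),
    # so force an array and cast each entry to a plain string DN.
    $groups = @($user.memberOf | ForEach-Object { [string]$_ })

    # The primary group is stored only as a RID in primaryGroupID. Rebuild the
    # group's SID from the user's domain SID and that RID, then bind by SID.
    $userSid   = New-Object System.Security.Principal.SecurityIdentifier($user.objectSid.Value, 0)
    $domainSid = $userSid.AccountDomainSid.Value
    $rid       = [int]$user.primaryGroupID.Value          # 513 = Domain Users by default
    $primaryGroup = [adsi]("LDAP://<SID=" + $domainSid + "-" + $rid + ">")

    $groups += [string]$primaryGroup.distinguishedName.Value
    return $groups
}

# Usage (constructed DN): one line per group, primary group last.
$rootDN = ([adsi]"").distinguishedName
Get-FullGroupMembership ("cn=bella,ou=Test OU," + $rootDN) | ForEach-Object { Write-Host $_ }
```

The SID binding works because the primary group's SID is simply the domain SID with the primaryGroupID appended as the RID, which is why 513 always resolves to Domain Users in a given domain.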
As this is getting a bit long, I’ll split it into two parts. In the second installment I’ll show you how to add and remove members of a group.
July 27th, 2007 at 6:38 pm
[...] to the useful examples found at PowerShell Live, Lead, Follow or Move and O’reilly’s Active Directory Cookbook [VBScript], I was able to whip up a way to change a user’s [...]
January 19th, 2008 at 11:33 pm
[...] to Managing Active Directory Objects with PowerShell How to get DL membership in Exchange 2007 Managing group membership in Active Directory with PowerShell (Part 1) Managing group membership in Active Directory with PowerShell (Part 2) Powershell and [...]