ScriptRunner Blog
Adding Active Directory users, groups and computers with PowerShell
Table of contents
- Installing the PowerShell module for Active Directory administration
- Creating AD objects with PowerShell
- Managing Groups in PowerShell
- Controlling Group Memberships
- Adding users to multiple groups
- Adding groups to groups based on OU or AD attributes
- Removing users from groups
- Controlling group memberships between domains

In PowerShell, it is relatively easy to create user accounts and groups, add users to groups or remove users from groups. In order for the cmdlets to be available, the corresponding PowerShell module must be installed on the client or server.
Installing the PowerShell module for Active Directory administration
On domain controllers, the PowerShell module is automatically installed with the other management tools. On Windows 10 and Windows 11 machines, the installation is done through Features on Demand. The optional features are found in the Settings app of Windows 10 and Windows 11 under Settings\Apps. There, RSAT: Tools for Active Directory Domain Services and Lightweight Directory Services is available as part of the RSAT tools. With Windows 11, you also have to click on Show features.
Clicking the Install button installs the feature, which also makes the PowerShell module for Active Directory available.
Installing the Active Directory module for PowerShell in Windows 10
On servers, installation is done by adding the Remote Administration Tools for Active Directory in Server Manager. Alternatively, the Windows Admin Center can be used to add the Active Directory Extension.
On Windows servers, the Active Directory management tools can also be installed using PowerShell. For this purpose the command Install-WindowsFeature RSAT-AD-PowerShell is used.
Installing the remote server management tools on servers
Creating AD objects with PowerShell
To retrieve Active Directory objects such as computers, users or groups in PowerShell, Microsoft provides numerous cmdlets.
The quickest way to display a list is to use the Get-Command Get-Ad* command. To create new objects, there are also numerous cmdlets. The list is displayed by typing Get-Command New-Ad*.
A list of commands for deleting objects is displayed by PowerShell with Get-Command Remove-Ad*. Changes to Active Directory objects are made with Set cmdlets. A list is displayed with Get-Command Set-Ad*.
A list of all Active Directory management cmdlets is available with the following command:
Get-Command -Module ActiveDirectory
This allows you to quickly assemble commands and create scripts that create new objects and customize them at the same time. The advantage of PowerShell is that it can also be used to customize multiple groups at the same time and to script tasks. There's an option for a graphical user interface.
Managing Groups in PowerShell
Managing groups in PowerShell is done primarily with the following cmdlets:
- Add-ADGroupMember
- Add-ADPrincipalGroupMembership
- Get-ADAccountAuthorizationGroup
- Get-ADGroup
- Get-ADGroupMember
- Get-ADPrincipalGroupMembership
- New-ADGroup
- Remove-ADGroup
- Remove-ADGroupMember
New groups can be created with New-ADGroup. In a script, it is possible to create new groups and to adjust the group membership at the same time. The adjustment of existing groups is also controllable via scripts. To create new groups and display the syntax for doing so, the following cmdlet is available:
Get-Command New-ADGroup -Syntax
The command to create a new group is for example:
New-ADGroup "name of the group"
When you enter this command, PowerShell creates a new security group. If you also want to specify at the time of creation that the group is created in a specific organizational unit, and that it should be available globally, use the following command:
New-ADGroup "purchasing" -Path "OU=Berlin,DC=joos,dc=int" -GroupCategory Security -GroupScope Global -PassThru -Verbose
With -GroupCategory, you control the category of the group, i.e. either Security or Distribution (distribution list). You also control the group type at this point with -GroupScope. If you want the command to create a universal group, use -GroupScope Universal.
To delete it, you can use the Remove-ADGroup cmdlet:
Remove-ADGroup -Identity purchasing
Controlling Group Memberships
Creating and deleting groups is not a problem in PowerShell. Likewise, members can be added to or removed from groups in PowerShell. It is also possible to add multiple user accounts to groups with a single command. The command for this example looks like this:
Add-AdGroupMember -Identity Purchasing -Members joost, joosc
The command adds the two user accounts joost and joosc to the Purchasing group. With PowerShell, it is also possible to query the group memberships. The following command can be used for this purpose:
Get-ADGroupMember -Identity Purchasing
Adding computer accounts to groups is also possible in PowerShell. The commands for this are similar. For computer accounts, the dollar sign must be added to the end of the name. In the example above, if the computer account srv01 is to be added to the group Purchasing, use the following command:
Add-AdGroupMember -Identity Purchasing -Members srv01$
Adding users to multiple groups
Using PowerShell, it is also possible to add a user account to multiple groups. The following command can be used for this purpose:
"Purchasing1","Purchasing2" | Add-ADGroupMember -Members ((Read-Host -Prompt "enter user names (comma-separated)") -split '\s*,\s*')
After entering the user names, the command adds the entered users to the groups Purchasing1 and Purchasing2. It is also possible to use a CSV file. To do this, create a CSV file with the users column and include the user accounts as a separate row each. Then you can import the file and add groups. The command to do this looks like this:
Import-CSV C:\stemp\users.csv -Header users | ForEach-Object {Add-AdGroupMember -Identity "Purchasing" -members $_.users}
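A more defensive variant of the CSV import above, as an added example that is not part of the original article: it resolves every account before changing anything, skips disabled accounts and existing members, refuses groups flagged with adminCount = 1, and only writes when -Apply is passed. The parameter names and the Status values are assumptions made for this example; the CSV path and group name are the article's.

```powershell
#Requires -Modules ActiveDirectory
# Added example: validated bulk add from a one-column CSV (no header row, as in the article).
param(
    [string]$CsvPath   = 'C:\stemp\users.csv',   # path used in the article
    [string]$GroupName = 'Purchasing',           # group used in the article
    [switch]$Apply                               # assumption: without -Apply nothing is written
)

$group = Get-ADGroup -Identity $GroupName -Properties adminCount
# adminCount = 1 marks groups protected by AdminSDHolder (for example Domain Admins)
if ($group.adminCount -eq 1) {
    throw "Refusing bulk change to protected group '$GroupName'."
}
# Current direct members, used to skip accounts that are already in the group
$current = @(Get-ADGroupMember -Identity $group | ForEach-Object SamAccountName)

$result = foreach ($row in Import-Csv $CsvPath -Header users) {
    $name = "$($row.users)".Trim()
    if (-not $name) { continue }          # ignore empty rows
    $status = 'Added'
    try {
        # Resolve first: a typo or stale name is reported per row instead of aborting the batch
        $user = Get-ADUser -Identity $name -ErrorAction Stop
        if (-not $user.Enabled)                          { $status = 'SkippedDisabled' }
        elseif ($current -contains $user.SamAccountName) { $status = 'AlreadyMember' }
        else {
            Add-ADGroupMember -Identity $group -Members $user -WhatIf:(-not $Apply) -ErrorAction Stop
            if (-not $Apply) { $status = 'WouldAdd' }
        }
    } catch { $status = "Error: $($_.Exception.Message)" }
    # One record per CSV row, suitable for review or for Export-Csv as a change log
    [pscustomobject]@{ User = $name; Group = $group.Name; Status = $status }
}
$result | Format-Table -AutoSize
```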
A similar task is to copy the group memberships between two groups. To copy the members of the Purchasing1 group to Purchasing2, the following command is used:
Get-ADGroupMember "Purchasing1" | Get-ADUser | ForEach-Object {Add-ADGroupMember -Identity "Purchasing2" -Members $_}
Adding groups to groups based on OU or AD attributes
A similar task is to add all user accounts of an OU to a specific group. The command in this case looks like this:
Get-ADUser -Filter * -SearchBase "OU=Users,OU=NY,OU=USA,DC=theitbros,DC=com"| ForEach-Object -process {Add-ADGroupMember -identity "NY Users" -Members $_.SamAccountName}
In addition to OU, queries based on other attributes in AD can be used to add specific users to fixed defined groups. An example of this is:
Get-ADUser -filter {(co -eq "United States")} | ForEach-Object -process {Add-ADGroupMember -identity "USAUsers" -Members $_.SamAccountName}
Removing users from groups
Removing user accounts from groups works similarly. But here, the Remove-ADGroupMember cmdlet comes into play. To remove the users added above from the Purchasing group, the following command can be used:
Remove-AdGroupMember -Identity Purchasing -Members joost, joosc
Removing multiple users from groups is also done using the same options as described above. The Remove-AdGroupMember cmdlet is used here as well.
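The OU-based add and Remove-ADGroupMember can be combined into a reconciliation that keeps a group identical to the enabled users of an OU, so that accounts that are moved out or disabled also lose the membership. This is an added example, not code from the original article; the $Apply switch variable and the summary object are assumptions, while the OU and group names are the article's.

```powershell
#Requires -Modules ActiveDirectory
# Added example: make the direct user members of a group match the enabled users of one OU.
$SearchBase = 'OU=Users,OU=NY,OU=USA,DC=theitbros,DC=com'   # OU from the article
$GroupName  = 'NY Users'                                     # group from the article
$Apply      = $false   # assumption: $false = dry run (-WhatIf), $true = write changes

# Desired state: enabled users below the OU, identified by distinguished name
$wanted  = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
             Select-Object -ExpandProperty DistinguishedName)
# Actual state: direct user members only (nested groups and computers are left alone)
$present = @(Get-ADGroupMember -Identity $GroupName |
             Where-Object objectClass -eq 'user' |
             Select-Object -ExpandProperty distinguishedName)

# Guard: an empty query result must not be allowed to empty the group
if ($wanted.Count -eq 0) { throw "No enabled users found under $SearchBase; aborting." }

$toAdd    = @($wanted  | Where-Object { $present -notcontains $_ })
$toRemove = @($present | Where-Object { $wanted  -notcontains $_ })

foreach ($dn in $toAdd) {
    Add-ADGroupMember -Identity $GroupName -Members $dn -WhatIf:(-not $Apply)
}
foreach ($dn in $toRemove) {
    # -Confirm:$false suppresses the per-member confirmation prompt when applying
    Remove-ADGroupMember -Identity $GroupName -Members $dn -Confirm:$false -WhatIf:(-not $Apply)
}

# Summary for the change record
[pscustomobject]@{
    Group   = $GroupName
    Added   = $toAdd.Count
    Removed = $toRemove.Count
    DryRun  = (-not $Apply)
}
```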
Controlling group memberships between domains
When using multiple domains, it is also possible to add user accounts of one domain to user groups of other domains. The following commands can be used for this purpose:
$User = Get-ADUser -Identity "CN=Chew David,OU=UserAccounts,DC=NORTHAMERICA,DC=FABRIKAM,DC=COM" -Server "northamerica.fabrikam.com"
$Group = Get-ADGroup -Identity "CN=AccountLeads,OU=UserAccounts,DC=EUROPE,DC=FABRIKAM,DC=COM" -Server "europe.fabrikam.com"
Add-ADGroupMember -Identity $Group -Members $User -Server "europe.fabrikam.com"
The commands add the user CN=Chew David,OU=UserAccounts from the domain Northamerica to the group CN=AccountLeads,OU=UserAccounts in the domain Europe.
About the author:
Thomas Joos is a freelance IT consultant and has been working in IT since 1992. He has published more than 90 practical reference books and writes for numerous IT publications such as c’t, PC Magazin, PC Welt, IT Administrator, Computerwoche and Heise Security.