Installing the remote server management tools on servers
Creating AD objects with PowerShell
To retrieve Active Directory objects such as computers, users or groups in PowerShell, Microsoft provides numerous cmdlets.
The quickest way to display a list is to use the Get-Command Get-Ad* command. To create new objects, there are also numerous cmdlets. The list is displayed by typing Get-Command New-Ad*.
A list of commands for deleting objects is displayed by PowerShell with Get-Command Remove-Ad*. Changes to Active Directory objects are made with Set cmdlets. A list is displayed with Get-Command Set-Ad*.
A list of all Active Directory management cmdlets is available with the following command:
Get-Command -Module ActiveDirectory
This allows you to quickly assemble commands and create scripts that can be used to create new objects and also customize the objects at the same time. The advantage PowerShell is, that it can also be used to customize multiple groups at the same time and that it can script tasks. There's an option for a graphical user interface.
Managing Groups in PowerShell
Managing groups in PowerShell is done primarily with the following cmdlets:
- Add-ADGroupMember
- Add-ADPrincipalGroupMembership
- Get-ADAccountAuthorizationGroup
- Get-ADGroup
- Get-ADGroupMember
- Get-ADPrincipalGroupMembership
- New-ADGroup
- Remove-ADGroup
- Remove-ADGroupMember
New groups can be created with New-ADGroup. In a script, it is possible to create new groups and to adjust the group membership at the same time. The adjustment of existing groups is also controllable via scripts. To create new groups and display the syntax for doing so, the following cmdlet is available:
Get-Command New-ADGroup -Syntax
The command to create a new group is for example:
New-ADGroup "name of the group"
When you enter this command, PowerShell creates a new security group. If you also want to specify at the time of creation that the group is created in a specific organizational unit, and that it should be available globally, use the following command:
New-ADGroup "purchasing" -Path "OU=Berlin,DC=joos,dc=int" -GroupCategory Security -GroupScope Global -PassThru -Verbose
With -GroupCategory, you control the category of the group, i.e. either Security or Distribution (distribution list). You also control the group type at this point with -GroupScope. If you want the command to create a universal group, use -GroupScope Universal.
To delete it, you can use the Remove-ADGroup cmdlet:
Remove-ADGroup -Identity purchasing
Controlling Group Memberships
Creating and deleting groups is not a problem in PowerShell. Likewise, members can be added to or removed from groups in PowerShell. It is also possible to add multiple user accounts to groups with a single command. The command for this example looks like this:
Add-AdGroupMember -Identity Purchasing -Members joost, joosc
The command adds the two user accounts joost and joosc to the Purchasing group. With PowerShell, it is also possible to query the group memberships. The following command can be used for this purpose:
Get-ADGroupMember -Identity Purchasing
Adding computer accounts to groups is also possible in PowerShell. The commands for this are similar. For computer accounts, the dollar sign must be added to the end of the name. In the example above, if the computer account srv01 is to be added to the group Purchasing, use the following command:
Add-AdGroupMember -Identity Purchasing -Members srv01$
Adding users to multiple groups
Using PowerShell, it is also possible to add a user account to multiple groups. The following command can be used for this purpose:
"Purchasing1","Purchasing" | Add-ADGroupMember -Members (Read-Host -Prompt "enter user names")
After entering the user names, the command adds the entered users to the groups Purchasing1 and Purchasing2. It is also possible to use a CSV file. To do this, create a CSV file with the users column and include the user accounts as a separate row each. Then you can import the file and add groups. The command to do this looks like this:
Import-CSV C:\stemp\users.csv -Header users | ForEach-Object {Add-AdGroupMember -Identity "Purchasing" -members $_.users}
A similar task is to copy the group memberships between two groups. To copy the members of the Purchasing1 group to Purchasing2, the following command is used:
Get-ADGroupMember "Purchasing1" | Get-ADUser | ForEach-Object {Add-ADGroupMember -Identity "Purchasing2" -Members $_}
Removing users from groups
Removing user accounts from groups works similarly. But here, the Remove-ADGroupMember cmdlet comes into play. To remove the users added above from the Purchasing group, the following command can be used:
Remove-AdGroupMember -Identity Purchasing -Members joost, joosc
Removing multiple users from groups is also done using the same options as described above. The Remove-AdGroupMember cmdlet is used here as well.
Controlling group memberships between domains
When using multiple domains, it is also possible to add user accounts of one domain to user groups of other domains. The following commands can be used for this purpose:
$User = Get-ADUser -Identity "CN=Chew
David,OU=UserAccounts,DC=NORTHAMERICA,DC=FABRIKAM,DC=COM" -Server "northamerica.fabrikam.com"
$Group = Get-ADGroup -Identity
"CN=AccountLeads,OU=UserAccounts,DC=EUROPE,DC=FABRIKAM,DC=COM" -Server "europe.fabrikam.com"
Add-ADGroupMember -Identity $Group -Members $User -Server "europe.fabrikam.com"
The commands add the user CN=Chew David,OU=UserAccounts from the domain Northamerica to the group CN=AccountLeads,OU=UserAccounts in the domain Europe.
Related Links
