Managing AD Groups with PowerShell

As a Windows system administrator, managing Active Directory (AD) groups is probably something you do every day. While you could use the Active Directory Users and Computers (ADUC) MMC snap-in, what happens when you need to manage groups across multiple domains or automate group management tasks? That’s where PowerShell comes in handy.

In this hands-on tutorial, you’re going to learn how to use PowerShell to manage AD groups like a pro. You’ll learn how to query groups, create new ones, and modify existing groups using practical real-world examples.

Prerequisites

If you’d like to follow along with this tutorial, be sure you have the following prerequisites in place:

  • A Windows computer (Windows 10/11 or Windows Server) joined to an Active Directory domain
  • The PowerShell Active Directory module installed
  • A user account with permissions to manage AD groups

Querying AD Groups with PowerShell

Let’s start with a common scenario – you’re the new IT admin at a company and need to audit the AD group structure. Your manager wants to know what groups exist across different departments. The Get-ADGroup cmdlet will be your best friend here.

Finding Groups by Name

Perhaps the simplest task is finding groups containing specific text in their name. For example, to find all groups with “Sales” in the name:

Get-ADGroup -Filter 'Name -like "*Sales*"'

The asterisks (*) are wildcards, matching any characters before or after “Sales”. This command will return all groups that have “Sales” anywhere in their name.

Filtering by Group Type

Maybe you only want to see security groups (not distribution groups). You can add additional filter criteria using the -and operator:

Get-ADGroup -Filter 'Name -like "*Sales*" -and GroupCategory -eq "Security"'

Now you’ll only see security groups that have “Sales” in their name.

Searching in Specific OUs

Need to find groups in a particular organizational unit (OU)? Use the SearchBase parameter:

Get-ADGroup -Filter * -SearchBase 'OU=Engineering,DC=company,DC=local'

This command finds all groups within the Engineering OU and its child OUs.

Finding Recently Created Groups

Want to see which groups were created after a certain date? Filter on the whenCreated attribute:

Get-ADGroup -Filter 'whenCreated -ge "2023-01-01"'

This returns all groups created on or after January 1st, 2023.
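Putting the query techniques above together, here is an added audit script (not part of the original article) that walks a list of OUs, pulls the security groups in each, and flags recently created groups and groups with no description. The domain DN, OU names and the 30-day window are assumptions for the example.

```powershell
# Added example: audit security groups per OU and keep a CSV record of the findings.
# Domain DN and OU list are assumptions; adjust them to your environment.
Import-Module ActiveDirectory

$domainDn = 'DC=company,DC=local'                   # assumption
$ous      = 'OU=Sales', 'OU=Engineering', 'OU=IT'    # assumption
$cutoff   = (Get-Date).AddDays(-30)                  # "recent" means the last 30 days

$report = foreach ($ou in $ous) {
    $searchBase = "$ou,$domainDn"
    try {
        # -Properties pulls attributes Get-ADGroup does not return by default.
        $groups = Get-ADGroup -Filter "GroupCategory -eq 'Security'" `
                              -SearchBase $searchBase `
                              -Properties whenCreated, Description, ManagedBy `
                              -ErrorAction Stop
    } catch {
        # A missing OU would otherwise abort the whole run; record it and move on.
        Write-Warning "Could not search '$searchBase': $($_.Exception.Message)"
        continue
    }
    foreach ($g in $groups) {
        [pscustomobject]@{
            Name          = $g.Name
            OU            = $ou
            Scope         = $g.GroupScope
            Created       = $g.whenCreated
            Recent        = $g.whenCreated -ge $cutoff
            NoDescription = [string]::IsNullOrWhiteSpace($g.Description)
            ManagedBy     = $g.ManagedBy   # DN of the owner, or empty if none is set
        }
    }
}

# Newest groups first on screen; the CSV is the audit trail you hand to your manager.
$report | Sort-Object Created -Descending | Format-Table -AutoSize
$report | Export-Csv -Path '.\ad-group-audit.csv' -NoTypeInformation
```

Groups with Recent set to True or NoDescription set to True are the ones worth a follow-up question to whoever created them.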

Creating New AD Groups

Now let’s look at creating new groups. Maybe your company is restructuring and you need to create groups for new departments.

Creating a Security Group

Here’s how to create a new security group for IT support staff:

New-ADGroup -Name "IT_Support" `
            -GroupScope Global `
            -GroupCategory Security `
            -Description "Group for IT support staff" `
            -Path "OU=IT,DC=company,DC=local"

This creates a global security group called “IT_Support” in the IT organizational unit.

Creating a Distribution Group

Need an email distribution group? Just change a few parameters:

New-ADGroup -Name "Marketing_News" `
            -GroupScope DomainLocal `
            -GroupCategory Distribution `
            -Description "Group for receiving marketing updates" `
            -Path "OU=Marketing,DC=company,DC=local"

Creating Multiple Groups at Once

Got multiple similar groups to create? Use a loop:

$regions = "North", "South", "East", "West"
foreach ($region in $regions) {
    New-ADGroup -Name "Sales_$region" `
                -GroupScope Global `
                -GroupCategory Security `
                -Description "Sales team for $region region" `
                -Path "OU=Sales,DC=company,DC=local"
}
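The loop above creates groups unconditionally, so running it twice produces errors for the groups that already exist. As an added example (not the article's own code), this wraps creation in a function that checks for an existing group first, validates the name, and honours -WhatIf so you can preview a batch before committing it. The OU path and group names are assumptions.

```powershell
# Added example: idempotent group creation with a dry-run option.
Import-Module ActiveDirectory

function New-DepartmentGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Restrict the name to safe characters before it is embedded in a filter string.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9_.-]+$')][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = ''
    )
    # -Filter rather than -Identity: a missing group yields nothing instead of an error.
    $existing = Get-ADGroup -Filter "SamAccountName -eq '$Name'"
    if ($existing) {
        Write-Verbose "Skipping '$Name': already exists at $($existing.DistinguishedName)"
        return $existing
    }
    # ShouldProcess is what makes -WhatIf / -Confirm work on this function.
    if ($PSCmdlet.ShouldProcess($Name, "Create global security group in $Path")) {
        New-ADGroup -Name $Name -SamAccountName $Name `
                    -GroupScope Global -GroupCategory Security `
                    -Description $Description -Path $Path -PassThru
    }
}

$salesOu = 'OU=Sales,DC=company,DC=local'   # assumption
foreach ($region in 'North', 'South', 'East', 'West') {
    New-DepartmentGroup -Name "Sales_$region" -Path $salesOu `
                        -Description "Sales team for $region region" -Verbose
}

# Preview a new group without creating it:
New-DepartmentGroup -Name 'Sales_Central' -Path $salesOu -WhatIf
```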

Modifying Existing Groups

Things change in organizations. Groups need to be renamed, descriptions updated, and scopes modified. Let’s see how to handle these tasks.

Renaming Groups

To rename a group, you’ll need to change both its name and samAccountName:

# First rename the group object (changes the Name/CN and therefore the DN)
Get-ADGroup EngineeringTeam | Rename-ADObject -NewName TechTeam

# Then update the samAccountName. Looking the group up as "EngineeringTeam" still
# works here because -Identity resolves by samAccountName, which has not changed yet.
Get-ADGroup EngineeringTeam | Set-ADGroup -SamAccountName TechTeam

Updating Group Descriptions

Need to update a group’s description? One line with Set-ADGroup:

Get-ADGroup TechTeam | Set-ADGroup -Description 'Technical Team for Engineering Projects'

Changing Group Scope

If you need to change a group’s scope (like from Global to Universal):

Get-ADGroup TechTeam | Set-ADGroup -GroupScope Universal
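The two-step rename shown earlier leaves a window where the name and samAccountName disagree, and it fails half-way if the new name is already taken. As an added example (not from the article), this function checks for a name collision first, then performs both steps using the group's ObjectGUID, which is the one identifier that does not change during a rename; the group names are assumptions.

```powershell
# Added example: rename a group and its samAccountName together, with a collision
# check and -WhatIf support.
Import-Module ActiveDirectory

function Rename-ADGroupSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        # Keep the new name to characters that are safe inside a filter string.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9_.-]+$')][string]$NewName
    )
    $group = Get-ADGroup -Identity $Identity

    # Refuse to proceed if either the Name or the samAccountName is already in use.
    $clash = Get-ADGroup -Filter "Name -eq '$NewName' -or SamAccountName -eq '$NewName'"
    if ($clash) {
        throw "A group named '$NewName' already exists ($($clash.DistinguishedName)); not renaming."
    }

    if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Rename to '$NewName'")) {
        # Rename-ADObject changes the DN, so the follow-up uses the ObjectGUID,
        # which survives the rename.
        Rename-ADObject -Identity $group.ObjectGUID -NewName $NewName
        Set-ADGroup     -Identity $group.ObjectGUID -SamAccountName $NewName
        Get-ADGroup     -Identity $group.ObjectGUID   # return the renamed group
    }
}

# Preview first, then apply (group names are assumptions):
Rename-ADGroupSafely -Identity 'EngineeringTeam' -NewName 'TechTeam' -WhatIf
Rename-ADGroupSafely -Identity 'EngineeringTeam' -NewName 'TechTeam'
```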

Pro Tips

Here are some tips to make your AD group management even more efficient:

  1. Always use `-Filter` instead of `-Identity` when querying multiple groups – it’s more efficient
  2. Remember that group scope can’t be changed if the group has members – remove members first
  3. Use the `-WhatIf` parameter when making changes to preview what would happen
  4. Always test your group changes in a non-production environment first