Creating a group in Active Directory using PowerShell is straightforward with the Active Directory module. To create a Global Distribution Group, run:

```powershell
New-ADGroup -Name NewGlobalDG_1 -GroupScope Global -GroupCategory Distribution
```

For a Domain Local Security Group, change GroupScope to DomainLocal; GroupCategory can be omitted because the default is Security:

```powershell
New-ADGroup -Name NewDLSG_1 -GroupScope DomainLocal
```
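As an added example (not code from the original post), the same two groups created in a specific OU instead of the default Users container, then read back to confirm which groupType flags the module wrote for each scope/category combination. The OU path and group names are assumptions for illustration:

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory module and
# an OU named OU=Groups,DC=jaapbrasser,DC=com that the caller may create groups in.
Import-Module ActiveDirectory

$Path = 'OU=Groups,DC=jaapbrasser,DC=com'

# -Path puts the group in the intended OU; -PassThru returns the created object
$Dg = New-ADGroup -Name 'NewGlobalDG_1' -GroupScope Global -GroupCategory Distribution -Path $Path -PassThru
$Sg = New-ADGroup -Name 'NewDLSG_1' -GroupScope DomainLocal -Path $Path -PassThru   # category defaults to Security

# Read the raw groupType attribute back and show it in hex next to the friendly names
foreach ($G in $Dg, $Sg) {
    Get-ADGroup -Identity $G.DistinguishedName -Properties groupType |
        Select-Object Name, GroupScope, GroupCategory,
            @{ n = 'groupType'; e = { '0x{0:X8}' -f $_.groupType } }
}
```

The hex column is what the [adsi] method below has to supply by hand: a Distribution group carries only its scope flag, while a Security group has the high bit set as well.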
Creating groups with the [adsi] type accelerator is a three-step process: bind to the OU in which the group should be created, set the name and the properties of the new group, and finally call the SetInfo() method to write it to the directory. The following code creates a Domain Local Security Group (groupType 0x80000004 is the Domain Local flag combined with the security-enabled bit):

```powershell
# Bind to the OU that will contain the group
$TargetOU = [adsi]'LDAP://OU=Groups,DC=jaapbrasser,DC=com'
# Stage the new object; nothing is written to AD until SetInfo() is called
$Group = $TargetOU.Create('group','cn=System_Operators')
$Group.put('grouptype',0x80000004)   # Domain Local (0x4) + security enabled (0x80000000)
$Group.put('samaccountname','System_Operators')
$Group.SetInfo()
```
The groupType attribute is a bit-flag integer; the flag values are defined in the MS-ADTS article 2.2.12 Group Type Flags. Hexadecimal is simply the convenient notation for them (PowerShell evaluates an eight-digit literal such as 0x80000004 as the signed Int32 -2147483644, which is how AD stores the attribute). The following table lists all the possible values:
| Symbolic name | Value |
|---|---|
| GROUP_TYPE_BUILTIN_LOCAL_GROUP | 0x00000001 |
| GROUP_TYPE_ACCOUNT_GROUP | 0x00000002 |
| GROUP_TYPE_RESOURCE_GROUP | 0x00000004 |
| GROUP_TYPE_UNIVERSAL_GROUP | 0x00000008 |
| GROUP_TYPE_APP_BASIC_GROUP | 0x00000010 |
| GROUP_TYPE_APP_QUERY_GROUP | 0x00000020 |
| GROUP_TYPE_SECURITY_ENABLED | 0x80000000 |
It is important to note that only four of these values are relevant when creating Active Directory groups (ACCOUNT_GROUP is the Global scope, RESOURCE_GROUP is the Domain Local scope):
- GROUP_TYPE_ACCOUNT_GROUP – 0x00000002
- GROUP_TYPE_RESOURCE_GROUP – 0x00000004
- GROUP_TYPE_UNIVERSAL_GROUP – 0x00000008
- GROUP_TYPE_SECURITY_ENABLED – 0x80000000
To simplify the creation of groups these values can be placed in a hashtable:

```powershell
$GroupType = @{
    Global      = 0x00000002   # GROUP_TYPE_ACCOUNT_GROUP
    DomainLocal = 0x00000004   # GROUP_TYPE_RESOURCE_GROUP
    Universal   = 0x00000008   # GROUP_TYPE_UNIVERSAL_GROUP
    Security    = 0x80000000   # GROUP_TYPE_SECURITY_ENABLED
}
```
Using the values stored in the hashtable it is now possible to create any of the three group scopes as either a distribution group or a security group: a distribution group uses the scope flag on its own, and a security group adds GROUP_TYPE_SECURITY_ENABLED by combining the two values with the -bor operator. The following example creates a Universal Security Group:

```powershell
$TargetOU = [adsi]'LDAP://OU=Groups,DC=jaapbrasser,DC=com'
$Group = $TargetOU.Create('group','cn=Universal_Operators')
# Universal (0x8) -bor Security (0x80000000) = 0x80000008
$Group.put('grouptype',($GroupType.Universal -bor $GroupType.Security))
$Group.put('samaccountname','Universal_Operators')
$Group.SetInfo()
```
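As an added example (mine, not code from the original post), the three-step [adsi] procedure and the hashtable above folded into one helper that derives groupType from a scope and a category instead of a hand-typed constant, plus a decoder that turns a groupType read back from AD into those names, which is handy when auditing existing groups. The OU path, the group names and the helper names are assumptions for illustration:

```powershell
# Added example, not part of the original post. Assumes an OU named
# OU=Groups,DC=jaapbrasser,DC=com and a caller with rights to create groups in it.
$GroupType = @{
    Global      = 0x00000002   # GROUP_TYPE_ACCOUNT_GROUP
    DomainLocal = 0x00000004   # GROUP_TYPE_RESOURCE_GROUP
    Universal   = 0x00000008   # GROUP_TYPE_UNIVERSAL_GROUP
    Security    = 0x80000000   # GROUP_TYPE_SECURITY_ENABLED
}

function New-AdsiGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$OUPath,   # e.g. 'LDAP://OU=Groups,DC=jaapbrasser,DC=com'
        [ValidateSet('Global','DomainLocal','Universal')][string]$Scope = 'Global',
        [ValidateSet('Security','Distribution')][string]$Category = 'Security'
    )
    # A distribution group is just its scope flag; a security group adds bit 31.
    [int]$Type = $GroupType[$Scope]
    if ($Category -eq 'Security') { $Type = $Type -bor $GroupType.Security }

    # Step 1: bind to the container, failing early if the path does not resolve
    if (-not [adsi]::Exists($OUPath)) { throw "Cannot bind to $OUPath" }
    $TargetOU = [adsi]$OUPath

    if ($PSCmdlet.ShouldProcess($Name, "Create $Scope $Category group in $OUPath")) {
        # Step 2: stage the object and its attributes
        $Group = $TargetOU.Create('group', "cn=$Name")
        $Group.Put('groupType', $Type)
        $Group.Put('sAMAccountName', $Name)
        # Step 3: write it to the directory
        $Group.SetInfo()
        $Group
    }
}

function ConvertFrom-GroupType {
    # Decode a raw groupType value (the signed Int32 AD stores) into scope and category
    param([Parameter(Mandatory)][int]$Value)
    $Scope = 'Global','DomainLocal','Universal' | Where-Object { $Value -band $GroupType[$_] }
    [pscustomobject]@{
        Value    = '0x{0:X8}' -f $Value
        Scope    = $Scope -join ','
        Category = if ($Value -band $GroupType.Security) { 'Security' } else { 'Distribution' }
        Builtin  = [bool]($Value -band 0x00000001)   # GROUP_TYPE_BUILTIN_LOCAL_GROUP, only in CN=Builtin
    }
}

# Usage (names and OU assumed): -WhatIf shows the planned groupType without writing anything
$OU = 'LDAP://OU=Groups,DC=jaapbrasser,DC=com'
New-AdsiGroup -Name 'Universal_Operators' -OUPath $OU -Scope Universal -Category Security
New-AdsiGroup -Name 'Newsletter'          -OUPath $OU -Scope Global    -Category Distribution -WhatIf

# Read the attribute back from the group just created and decode it
$Created = [adsi]'LDAP://CN=Universal_Operators,OU=Groups,DC=jaapbrasser,DC=com'
ConvertFrom-GroupType -Value $Created.groupType.Value
```

Deriving the value from validated parameters means a caller cannot accidentally create a security-enabled group when a distribution list was intended, and SupportsShouldProcess gives the usual -WhatIf/-Confirm safety net that the raw Create/SetInfo calls lack.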
That is all there is to it: with this approach any type of Active Directory group can be created using either the Active Directory module or the [adsi] type accelerator. Below are some links on this topic.
- Creating Active Directory Groups
- New-ADGroup
- Understanding Groups
- 2.2.12 Group Type Flags
Just a heads-up – in your $GroupType array, you have the hex for DomainLocal and Global around the wrong way.
GROUP_TYPE_RESOURCE_GROUP is the DomainLocal, and GROUP_TYPE_ACCOUNT_GROUP is Global.
But this helped me figure out a way of creating a group using DirectoryServices.DirectoryEntry anyway, so thanks. (I couldn’t figure out how to pass credentials using the plain ADSI bind without spawning a new process, thus the other method.)
Hello Trix,
Thanks for letting me know, I indeed switched up the binary values there. I appreciate the feedback, keep up the great work and feel free to share your script. It is always nice to see how others are using PowerShell.
I have updated my script and the blog post, thanks again!
Regards,
Jaap Brasser