Managing AD Groups with Get-ADGroup and More

Published:22 August 2019 - 6 min. read

Stuart Squibb Image

Stuart Squibb

Read more tutorials by Stuart Squibb!

Azure Cloud Labs: these FREE, on‑demand Azure Cloud Labs will get you into a real‑world environment and account, walking you through step‑by‑step how to best protect, secure, and recover Azure data.

Using the ActiveDirectory PowerShell module, you can query AD groups with Get-AdGroup, add, update, and remove groups and group members. In this blog post, you’re going to learn a little about the Active Directory group PowerShell cmdlets with a ton of examples for reference.

Not a reader? Watch this related video tutorial!
Not seeing the video? Make sure your ad blocker is disabled.

Active Directory Group Cmdlets

Once you install the ActiveDirectory PowerShell module, you’ll find a few cmdlets available to manage groups.

Cmdlet Name Description
Add-ADGroupMember Used to add members to an AD group.
Add-ADPrincipalGroupMembership Used to add an AD principal to AD groups.
Get-ADGroup Used to return a group or groups from AD.
Get-ADGroupMember Used to return the members of an AD group.
Get-ADPrincipalGroupMembership Used to get the groups an AD principal is a member of.
New-ADGroup Used to create a new AD group.
Remove-ADGroup Used to delete an AD group.
Remove-ADGroupMember Used to remove members from an AD group.
Remove-ADPrincipalGroupMembership Used to remove an AD principal from AD groups.
Set-ADGroup Used to set the properties of an AD group.

Using these cmdlets and a little PowerShell kung-fu, you can manage every aspect of the Active Directory group with PowerShell.

Find the members of a group with Get-ADGroupMember

The Get-AdGroupMember cmdlet returns all members in a group.

PS51> Get-ADGroupMember -Identity <identity string or object>

Alternatively, you could reference the memberOf property on a particular user using the Get-Aduser cmdlet. For a refresher on how to build filters, check out Learning Active Directory Directory and LDAP Filters in PowerShell.

Two examples are below.

PS51> Get-ADUser -Filter 'memberOf -eq ""'
PS51> Get-ADUser -LDAPFilter '(memberOf=)'

This returns a collection of ADPrincipal objects.

Export the members of a group to a CSV file

This exports each users’ first name, surname and email address. Pipe the results fromGet-ADGroupMember to Get-ADUser because these are ADPrincipal objects that do not have all of the properties that ADUser objects have.

PS51> $GroupMembers = Get-ADGroupMember -Identity 'Professional Services Department'
PS51> $GroupMembers | Get-ADUser -Properties GivenName,Surname,Mail | Select-Object GivenName,Surname,Mail | Export-CSV -Path GroupMembers.CSV -NoTypeInformation

Notice the use of the NoTypeInformation parameter of Export-CSV to ensure that the CSV file is compatible with other applications.

Find groups with no members with Get-ADGroup

Use Get-AdGroup to find groups using filters. Two examples below.

PS51> Get-ADGroup -Filter "Members -notlike '*'"
PS51> Get-ADGroup -LDAPFilter "(!(member=*))"

Create a new security group with New-ADGroup

You create a new security group using the New-AdGroup command.

PS51> New-ADGroup -Name '<group name>' -GroupScope <scope of group> -Path '<path of the OU tht will host the new group>'

If no Path parameter is supplied, the new group will be created in the Users container. The group scope must be either DomainLocal, Global or Universal.

Create a new distribution group with New-ADGroup

Use New-AdGroup again to create a distribution group. This time, choose a GroupCategory of Distribution.

PS51> New-ADGroup -Name '<group name>' -GroupScope <scope of group>  -GroupCategory Distribution -Path '<path of the OU tht will host the new group>'

Add members to a group with Add-ADGroupMember

Adding users to an Active Directory group with PowerShell can be done using the Add-AdGroupMember cmdlet or the Add-ADPrincipalGroupMembership cmdlet.

This command specifies the group as the Identity.

PS51> Add-ADGroupMember -Identity <identity string or object> -Members <identity string(s) or ADPrincipal(s)>

This command specifies the AD principal as the Identity.

PS51> Add-ADPrincipalGroupMembership -Identity <identity string or object> -MemberOf <identity string(s) or ADGroup(s)>

Write to the Notes property of a group with Set-AdGroup

The field labeled Notes in ADUC is represented by the Info property returned from Get-AdGroup.

First, find the group to change, set the Info property and then use Set-AdGroup to commit the change to AD.

PS51> $group = Get-ADGroup -Identity <identity string or object>
PS51> $group.Info = 'Important notes on this group'
PS51> Set-ADGroup $group

Remove group members with Remove-ADGroupMember

Like all PowerShell cmdlets, you can use the Confirm parameter to be prompted before a change is made. This behavior applies to the Remove-AdGroupMember and Remove-ADPrincipalGroupMembership cmdlets too.

Below you can remove group members with no confirmation.

PS51> Remove-ADGroupMember -Identity <identity string or object> -Members <identity string(s) or ADPrincipal(s)>
PS51> Remove-ADPrincipalGroupMembership -Identity <identity string or object> -MemberOf <identity string(s) or ADGroup(s)>

Or you can choose to remove group members with confirmation using the Confirm parameter.

PS51> Remove-ADGroupMember -Identity <identity string or object> -Members <identity string(s) or ADPrincipal(s)> -Confirm
PS51> Remove-ADPrincipalGroupMembership -Identity <identity string or object> -MemberOf <identity string(s) or ADGroup(s)> -Confirm

Delete a group with Remove-ADGroup

Delete a group with no confirmation and with confirmation.

PS51> Remove-ADGroup -Identity <identity string or object>
PS51> Remove-ADGroup -Identity <identity string or object> -Confirm

Rename a group with Rename-ADObject

You can rename a group via a one-liner using Rename-ADObject.

PS51> Rename-ADObject -Identity <identity string or object> -NewName '<new name>'

Get the number of groups with Get-ADGroup

Do you need to find the total numbers of groups returned via Get-AdGroup? Use the Count property.

PS51> (Get-ADGroup -Filter '*').Count

Find groups with a manager with Get-ADGroup

Filter all groups that have a manager assigned to them with Get-AdGroup and a well-crafted LDAP filter.

PS51> Get-ADGroup -LDAPFilter '(managedby=*)'

There is no equivalent PowerShell filter for this.

Find groups managed by a specific user with Get-ADGroup

Up your filter skills and find all groups managed by a specific user using either a PowerShell filter or LDAP filter.

PS51> Get-ADGroup -Filter 'managedby -eq "<distinguished name of user>"'
PS51> Get-ADGroup -LDAPFilter '(managedby=<distinguished name of user>)'

Set the group Manager with Set-ADGroup

The Managed By tab in ADUC for groups allows you to designate someone who is responsible for the membership of the group. This doesn’t automatically mean that the manager can alter the group membership of the group. For that to be possible, the security permissions need to be changed on the Member property for the group in question.

The act of ticking the Manager can update membership list box for a group in Active Directory Users and Computers (ADUC) changes the permissions to allow this.

Active Directory Users and Computers - Managed by tab
Managed By tab in Active Directory Users and Computers

Use Set-ADGroup to set the ManagedBy attribute:

PS51> Set-ADGroup -ManagedBy '<distinguished name, GUID, SID or SAM Account name of manager>'

Updating the Access Control list takes a few more steps. The following code snippet grants the user Kristin Diaz the ability to manage the membership of the group. bf9679c0-0de6-11d0-a285-00aa003049e2 is the GUID for the Member property of the group.

If Kristin is also set as the manager of the group then the tick box will be ticked. If not, Kristin will still be able to manage the membership of the group but will not be shown in ADUC as the manager.

Find leaked & unsafe passwords in your Active Directory by checking against the NCSC Password list.

$group = Get-ADGroup -Identity 'Professional Services Department'
$manager = Get-ADUser -Identity 'Kristin.Diaz'
$NTPrincipal = New-Object System.Security.Principal.NTAccount $manager.samAccountName
$objectGUID = New-Object GUID 'bf9679c0-0de6-11d0-a285-00aa003049e2'
$acl = Get-ACL "AD:$($group.distinguishedName)"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $NTPrincipal,'WriteProperty','Allow',$objectGUID
$acl.AddAccessRule($ace)
Set-ACL -AclObject $acl -Path "AD:$($group.distinguishedName)"

Find all security groups

List all security groups in Active Directory with PowerShell by limiting your search query to only security groups with these two examples. What’s that LDAP filter, you ask? Learn all about LDAP filters.

PS51> Get-ADGroup -Filter 'groupcategory -eq "Security"'
PS51> Get-ADGroup -LDAPFilter '(groupType:1.2.840.113556.1.4.803:=2147483648)'

Find Distribution groups

Use PowerShell to list Active Directory Groups (distribution) which excludes security groups using these two examples.

PS51> Get-ADGroup -Filter 'groupcategory -eq "Distribution"'
PS51> Get-ADGroup -LDAPFilter '(!(groupType:1.2.840.113556.1.4.803:=2147483648))'

Find group membership for a user with Get-ADPrincipalGroupMembership

PS51> Get-ADPrincipalGroupMembership -Identity <identity string or object>

Note that this command requires access to a global catalog.

Find groups in an OU, not including any sub-OUs

Get granular using the SearchBase parameter to limit your search to a single OU using these two examples.

PS51> Get-ADGroup -Filter '*' -SearchBase '<distinguished name of OU>' -SearchScope OneLevel
PS51> Get-ADGroup -LDAPFilter '(CN=*)' -SearchBase '<distinguished name of OU>' -SearchScope OneLevel

Find groups in an OU, including any sub-OUs

Do you need to find all groups in child OUs? Use a SearchScope of SubTree.

PS51> Get-ADGroup -Filter '*' -SearchBase '<distinguished name of OU>' -SearchScope SubTree
PS51> Get-ADGroup -LDAPFilter '(CN=*)' -SearchBase '<distinguished name of OU>' -SearchScope SubTree

Summary

That concludes our example-driven demo of managing AD groups with PowerShell. Grab a few of these, try them out in your organization and start automating!

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!