Create domain groups with Powershell and ADSI / LDAP provider

Tags: powershell

Handy little script to create Active Directory groups with PowerShell. The script assumes it is run on a domain controller; to run it remotely, replace localhost in the LDAP path with the name of a DC. There are a few different examples; it took me a few tries to get a domain local security group, because the security-enabled flag (0x80000000) has to be combined with the scope flag as a signed 32-bit value. I thought I would pass it along. Hopefully it helps someone else.

Create a Domain global group
$machineName = "WebServer1"
$objOU = [ADSI]"LDAP://localhost:389/OU=YourOUName,DC=Example,DC=com"
$GroupName = "GROUPNAME_" + $machineName
$objGroup = $objOU.Create("group", "CN=" + $GroupName)
# No groupType is set here, so ADSI creates the default: a global security group
$objGroup.Put("sAMAccountName", $GroupName)
$objGroup.SetInfo()

Create a Domain Local group which includes the computer name (Distribution group)
$ADS_GROUP_TYPE_LOCAL_GROUP = 0x00000004   # domain local scope with no security bit = distribution group
$strCategory = "computer"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry   # binds to the default naming context
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = "(objectCategory=$strCategory)"   # every computer object in the domain

$colPropList = @("name")
foreach ($i in $colPropList) { [void]$objSearcher.PropertiesToLoad.Add($i) }

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults)
{
 $objComputer = $objResult.Properties
 $objComputer.name                          # echo the computer name being processed
 $machineName = [string]$objComputer.name   # unwrap the single-valued property collection
 $objOU = [ADSI]"LDAP://localhost:389/OU=YourOUName,DC=Example,DC=com"
 $GroupName = "GROUPNAME_" + $machineName
 $objGroup = $objOU.Create("group", "CN=" + $GroupName)
 $objGroup.Put("groupType", $ADS_GROUP_TYPE_LOCAL_GROUP)
 $objGroup.Put("sAMAccountName", $GroupName)
 $objGroup.SetInfo()
}

Create a Domain Local group which includes the computer name (security group)
$ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
# groupType is a signed 32-bit attribute; 0x80000000 does not fit a positive [int],
# so use [int]::MinValue, which is the same bit pattern (-2147483648).
$ADS_GROUP_TYPE_SECURITY_ENABLED = [int]::MinValue

# You would need to combine both flags to create the domain local group that is security enabled
$groupType = $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP -bor $ADS_GROUP_TYPE_SECURITY_ENABLED   # -2147483644

$strCategory = "computer"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = "(objectCategory=$strCategory)"

$colPropList = @("name")
foreach ($i in $colPropList) { [void]$objSearcher.PropertiesToLoad.Add($i) }

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults)
{
 $objComputer = $objResult.Properties
 $objComputer.name                          # echo the computer name being processed
 $machineName = [string]$objComputer.name   # unwrap the single-valued property collection
 $objOU = [ADSI]"LDAP://localhost:389/OU=YourOUName,DC=Example,DC=com"
 $GroupName = "GroupName_" + $machineName
 $objGroup = $objOU.Create("group", "CN=" + $GroupName)
 $objGroup.Put("groupType", $groupType)
 $objGroup.Put("sAMAccountName", $GroupName)
 $objGroup.SetInfo()
}

Create a Domain Local security group which takes a parameter
param
(
 [Parameter(Mandatory = $true)]
 [String] $MN   # machine name appended to the group name
)

$ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
$ADS_GROUP_TYPE_SECURITY_ENABLED = [int]::MinValue   # 0x80000000 as a signed 32-bit value
$groupType = $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP -bor $ADS_GROUP_TYPE_SECURITY_ENABLED   # -2147483644

$machineName = $MN
$objOU = [ADSI]"LDAP://localhost:389/OU=YourOUName,DC=Example,DC=com"
$GroupName = "GroupName_" + $machineName
$objGroup = $objOU.Create("group", "CN=" + $GroupName)
$objGroup.Put("groupType", $groupType)
$objGroup.Put("sAMAccountName", $GroupName)
$objGroup.SetInfo()
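The snippets above share one pattern (bind to the OU, Create, Put groupType and sAMAccountName, SetInfo), and the parameter version splices a caller-supplied value straight into a DN. The following is an added example, not code from the original post: a single function that covers all three scopes, computes groupType as the signed 32-bit value AD stores, validates the name before it reaches the DN or an LDAP filter, skips a group that already exists (Create plus SetInfo on an existing name throws), and reads groupType back to confirm what AD stored. It assumes the post's OU path and a DC at localhost; the function names New-AdsiGroup and Get-GroupTypeValue and the parameter names are mine.

```powershell
# Added example (not from the original post). Assumes the OU path from the post
# and that it runs on a DC; change $OUPath otherwise. Function/parameter names are mine.

# ADS_GROUP_TYPE_ENUM flags that are ORed together into the groupType attribute
$ADS_GROUP_TYPE_GLOBAL_GROUP       = 0x00000002
$ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
$ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 0x00000008
# groupType is a signed Int32; 0x80000000 only fits as [int]::MinValue (-2147483648)
$ADS_GROUP_TYPE_SECURITY_ENABLED   = [int]::MinValue

function Get-GroupTypeValue {
    param(
        [ValidateSet('Global', 'DomainLocal', 'Universal')] [string] $Scope,
        [switch] $SecurityEnabled
    )
    $scopeFlag = switch ($Scope) {
        'Global'      { $ADS_GROUP_TYPE_GLOBAL_GROUP }
        'DomainLocal' { $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP }
        'Universal'   { $ADS_GROUP_TYPE_UNIVERSAL_GROUP }
    }
    if ($SecurityEnabled) { return [int]($scopeFlag -bor $ADS_GROUP_TYPE_SECURITY_ENABLED) }
    return [int]$scopeFlag
}

function New-AdsiGroup {
    param(
        # Only characters that are safe in an RDN, an LDAP filter and a sAMAccountName,
        # so a value such as 'x,OU=Other' cannot change where the object is created.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9_.-]{1,64}$')]
        [string] $GroupName,

        [string] $OUPath = 'LDAP://localhost:389/OU=YourOUName,DC=Example,DC=com',
        [ValidateSet('Global', 'DomainLocal', 'Universal')] [string] $Scope = 'DomainLocal',
        [switch] $SecurityEnabled
    )

    $objOU = [ADSI]$OUPath

    # Look before creating: a second Create/SetInfo for the same name throws.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($objOU)
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$GroupName))"
    $existing = $searcher.FindOne()
    if ($null -ne $existing) {
        Write-Warning "Group '$GroupName' already exists at $($existing.Path); skipping."
        return $existing.GetDirectoryEntry()
    }

    $groupType = Get-GroupTypeValue -Scope $Scope -SecurityEnabled:$SecurityEnabled
    $objGroup = $objOU.Create('group', "CN=$GroupName")
    $objGroup.Put('groupType', $groupType)
    $objGroup.Put('sAMAccountName', $GroupName)
    $objGroup.SetInfo()

    # Reload the property cache from the directory and confirm the stored flags.
    $objGroup.psbase.RefreshCache()
    $stored = [int]$objGroup.Get('groupType')
    if ($stored -ne $groupType) {
        throw "groupType mismatch for '$GroupName': wanted $groupType, AD stored $stored"
    }
    return $objGroup
}

# Usage: one domain local security group per computer object, like the post's loop.
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher.Filter = '(objectCategory=computer)'
[void]$objSearcher.PropertiesToLoad.Add('name')
foreach ($objResult in $objSearcher.FindAll()) {
    $machineName = [string]$objResult.Properties['name'][0]
    New-AdsiGroup -GroupName ("GroupName_" + $machineName) -Scope DomainLocal -SecurityEnabled
}
```

For a domain local security group the function sends and reads back -2147483644, which is 0x80000004 viewed as a signed 32-bit integer; a global security group is -2147483646 and a domain local distribution group is plain 4. The ValidatePattern is deliberately stricter than what AD itself accepts for a CN, which is the point: the name is the only untrusted input and it lands in both a DN and a filter.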

Happy Powershelling!

Steve
