Creating AD security groups

Continuing my AD excursion for a while. I saw a forum post about creating AD groups and came up with this function:

function new-securitygroup {
[CmdletBinding()]
param (
 [string]$name,
 [string]$ou,

 # one parameter set per scope keeps the three switches mutually exclusive
 [parameter(ParameterSetName="U")]
 [switch]$universal,

 [parameter(ParameterSetName="G")]
 [switch]$global,

 [parameter(ParameterSetName="DL")]
 [switch]$domainlocal
)
# rootDSE supplies the domain's distinguished name; $ou is given relative to it
$rootdse = [ADSI]""
$adpath = "$ou,$($rootdse.distinguishedName)"
Write-Debug $adpath

# set constants for group types (ADS_GROUP_TYPE_ENUM flags)
$globalgroup = 0x00000002
$domainlocalgroup = 0x00000004
$security = 0x80000000     # security-enabled; without this bit the group is a distribution group
$universalgroup = 0x00000008

$targetou = [ADSI]"LDAP://$adpath"

switch ($psCmdlet.ParameterSetName) {
 "DL" {
        # domain local needs two steps: universal first, then domain local
        $grouptype1 = $security -bor $universalgroup
        $grouptype2 = $security -bor $domainlocalgroup}
 "G"  {$grouptype = $security -bor $globalgroup }
 "U"  {$grouptype = $security -bor $universalgroup }
 default {Write-Host "Error!!! Should not be here" }
}

# create the object first; group type and samAccountName are set afterwards
$newgroup = $targetou.Create("Group", "cn=$name")
$newgroup.SetInfo()

if ($domainlocal) {
  $newgroup.GroupType = $grouptype1
  $newgroup.SetInfo()

  $newgroup.GroupType = $grouptype2
  $newgroup.SetInfo()
}
else {
  $newgroup.GroupType = $grouptype
  $newgroup.SetInfo()
}
$newgroup.samAccountname = $name
$newgroup.SetInfo()
}


Parameter sets are used to keep the group types mutually exclusive.

Note how we have to change the group type to universal before changing to domain local: a newly created group defaults to global scope, and AD does not allow a direct conversion from global to domain local, only via universal.

Examples of use are as follows:

new-securitygroup -name test-g -ou "ou=All Groups" -global

new-securitygroup -name test-u -ou "ou=All Groups" -universal

new-securitygroup -name test-dl -ou "ou=All Groups" -domainlocal


Trying to change the group type and/or the samAccountName in the same SetInfo call that creates the group will generate an error, which is why the function commits the new object first and sets those attributes afterwards.
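As an added example that is not part of the original post: a helper that decodes the groupType attribute into scope and security-enabled flag, and a read-back check that a group created with new-securitygroup ended up as a security group of the intended scope (useful because the domain local path takes two SetInfo calls). The function names and the ADSI read-back are my assumptions; the decoder runs offline on constructed values.

```powershell
# Added example, not from the original post. AD stores groupType as a signed
# 32-bit integer, so security groups have negative values: 0x80000002 is read
# back as -2147483646. Because PowerShell also treats 0x80000000 as an Int32,
# -band works directly on the signed value.
function Get-GroupTypeInfo {
    param ([int]$groupType)
    $scope = switch ($groupType -band 0x0F) {
        0x1 { "BuiltinLocal" }
        0x2 { "Global" }
        0x4 { "DomainLocal" }
        0x8 { "Universal" }
        default { "Unknown" }
    }
    [pscustomobject]@{
        Raw             = $groupType
        Scope           = $scope
        SecurityEnabled = (($groupType -band 0x80000000) -ne 0)
    }
}

# Read a group back using the same OU layout as the post and warn on mismatch.
# Assumes the group exists and the caller can bind to the domain (hypothetical
# function name; the group names come from the post's examples).
function Test-SecurityGroup {
    param ([string]$name, [string]$ou, [string]$expectedScope)
    $rootdse = [ADSI]""
    $group   = [ADSI]"LDAP://cn=$name,$ou,$($rootdse.distinguishedName)"
    $info    = Get-GroupTypeInfo -groupType ([int]$group.groupType.Value)
    if (-not $info.SecurityEnabled) {
        Write-Warning "$name is a distribution group, not a security group"
    }
    if ($info.Scope -ne $expectedScope) {
        Write-Warning "$name has scope $($info.Scope), expected $expectedScope"
    }
    $info
}

# Offline check of the decoder with constructed values built from the post's constants
Get-GroupTypeInfo -groupType -2147483646   # Global, SecurityEnabled = True
Get-GroupTypeInfo -groupType -2147483644   # DomainLocal, SecurityEnabled = True
Get-GroupTypeInfo -groupType -2147483640   # Universal, SecurityEnabled = True
Get-GroupTypeInfo -groupType 8             # Universal, SecurityEnabled = False (distribution)

# Against the directory, after running the post's examples:
# Test-SecurityGroup -name test-dl -ou "ou=All Groups" -expectedScope DomainLocal
```

Running the decoder over every group in an OU is a quick way to spot groups that were meant to carry permissions but were created as distribution groups, or whose scope conversion did not complete.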

Published Tue, Jun 28 2011 20:02 by RichardSiddaway

Comments

# Setting Security permissions on an AD group

We saw how to create an AD security group here msmvps.com/.../06

Wednesday, June 29, 2011 2:41 PM by Richard Siddaway's Blog

# Creating AD security groups

Hello Richard,

I like your above post.

I want to know how I can create multiple universal security groups by giving an Excel file as input.

It would be very helpful if you could provide me the script for the same.

Thank You,

Sachin

Sunday, February 19, 2012 4:57 AM by sachin
