Create domain groups with PowerShell and the ADSI / LDAP provider

Handy little script to create Active Directory groups with PowerShell. The script assumes it's run on a domain controller; it could also be run remotely by adjusting the LDAP path in the script to name a DC instead of localhost. There are a few different examples below; it took me a few tries to get a domain local security group, so I thought I would pass them along. Hopefully this helps someone else.


Create a Domain global group
$machineName = "WebServer1"
# Bind to the target OU; the script runs on a DC, so localhost:389 is the local LDAP endpoint
$objOU = [ADSI]"LDAP://localhost:389/OU=YourOUName,DC=Example,DC=com"
$GroupName = "GROUPNAME_" + $machineName
# No explicit groupType, so Active Directory applies its default: a global security group
$objGroup = $objOU.Create("group", "CN=" + $GroupName)
$objGroup.Put("sAMAccountName", $GroupName)
$objGroup.SetInfo()


Create a Domain Local group which includes the computer name (Distribution group)
$ADS_GROUP_TYPE_LOCAL_GROUP = 0x00000004   # domain local scope with no security bit set, so a distribution group
$strCategory = "computer"
# Bind to the root of the current domain and search it for every computer object
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = "(objectCategory=$strCategory)"


$colProplist = "name"
foreach ($i in $colPropList) { [void]$objSearcher.PropertiesToLoad.Add($i) }


$colResults = $objSearcher.FindAll()


foreach ($objResult in $colResults)
{
 $objComputer = $objResult.Properties
 $machineName = [string]$objComputer["name"][0]   # first (and only) value of the name attribute
 $machineName                                      # echo the computer being processed
 $objOU = [ADSI]"LDAP://localhost:389/OU=YourOUName,DC=Example,DC=com"
 $GroupName = "GROUPNAME_" + $machineName
 $objGroup = $objOU.Create("group", "CN=" + $GroupName)
 $objGroup.Put("groupType", $ADS_GROUP_TYPE_LOCAL_GROUP)
 $objGroup.Put("sAMAccountName", $GroupName)
 $objGroup.SetInfo()
}


Create a Domain Local group which includes the computer name (security group)
$ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
# groupType is a signed 32-bit attribute, so the security bit (0x80000000) must be held as an
# Int32; [int32]::MinValue is that bit pattern. A plain 0x80000000 literal is an Int64 in
# PowerShell and the resulting value cannot be written to the attribute.
$ADS_GROUP_TYPE_SECURITY_ENABLED = [int32]::MinValue

# You need to combine the two flags to get a domain local group that is security enabled
$groupType = $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP -bor $ADS_GROUP_TYPE_SECURITY_ENABLED   # -2147483644


$strCategory = "computer"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = "(objectCategory=$strCategory)"


$colProplist = "name"
foreach ($i in $colPropList) { [void]$objSearcher.PropertiesToLoad.Add($i) }


$colResults = $objSearcher.FindAll()


foreach ($objResult in $colResults)
{
 $objComputer = $objResult.Properties
 $machineName = [string]$objComputer["name"][0]   # first (and only) value of the name attribute
 $machineName                                      # echo the computer being processed
 $objOU = [ADSI]"LDAP://localhost:389/OU=YourOUName,DC=Example,DC=com"
 $GroupName = "GroupName_" + $machineName
 $objGroup = $objOU.Create("group", "CN=" + $GroupName)
 $objGroup.Put("groupType", $groupType)
 $objGroup.Put("sAMAccountName", $GroupName)
 $objGroup.SetInfo()
}


Create a Domain Local security group which takes a parameter
param
(
 [String] $MN   # computer name to build the group name from
)


$ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
$ADS_GROUP_TYPE_SECURITY_ENABLED = [int32]::MinValue   # 0x80000000 as a signed Int32
$groupType = $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP -bor $ADS_GROUP_TYPE_SECURITY_ENABLED   # -2147483644


$machineName = $MN
$objOU = [ADSI]"LDAP://localhost:389/OU=YourOUName,DC=Example,DC=com"
$GroupName = "GroupName_" + $machineName
$objGroup = $objOU.Create("group", "CN=" + $GroupName)
$objGroup.Put("groupType", $groupType)
$objGroup.Put("sAMAccountName", $GroupName)
$objGroup.SetInfo()
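Two things the scripts above leave to the operator are worth automating: checking that the flag arithmetic really produced a security group rather than a distribution group, and not blindly concatenating an untrusted computer name into a DN and an LDAP filter. The following is an added example, not code from the original post: it decodes a groupType value into scope and security/distribution, validates the computer name, creates the domain local security group only if it does not already exist (a second run of the parameterised script otherwise fails at SetInfo with an "object already exists" error), and reads groupType back from the directory to confirm the result. The OU path, the GROUPNAME_ prefix, the function names and the name pattern are assumptions.

```powershell
# Added example: idempotent creation of a per-computer domain local security group
# with input validation and read-back verification. Not from the original post.

# Flag values from the ADS_GROUP_TYPE_ENUM. groupType is a signed 32-bit attribute,
# so the security bit (0x80000000) is held as [int32]::MinValue.
$ADS_GROUP_TYPE_GLOBAL_GROUP       = 0x00000002
$ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
$ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 0x00000008
$ADS_GROUP_TYPE_SECURITY_ENABLED   = [int32]::MinValue

function ConvertFrom-GroupType {
    # Translates a raw groupType integer into its scope and security/distribution type.
    # -2147483644 -> DomainLocal, SecurityEnabled=True; 4 -> DomainLocal, SecurityEnabled=False
    param([Parameter(Mandatory)][int32] $GroupType)
    $scope = 'Unknown'
    if     ($GroupType -band $ADS_GROUP_TYPE_GLOBAL_GROUP)       { $scope = 'Global' }
    elseif ($GroupType -band $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP) { $scope = 'DomainLocal' }
    elseif ($GroupType -band $ADS_GROUP_TYPE_UNIVERSAL_GROUP)    { $scope = 'Universal' }
    [pscustomobject]@{
        Value           = $GroupType
        Scope           = $scope
        SecurityEnabled = ($GroupType -band $ADS_GROUP_TYPE_SECURITY_ENABLED) -ne 0
    }
}

function New-ComputerDomainLocalGroup {
    # Creates <Prefix><ComputerName> as a domain local security group under $OUPath
    # (hypothetical function; OU path and prefix are assumptions) and returns the
    # decoded groupType read back from the directory.
    param(
        [Parameter(Mandatory)]
        # NetBIOS-style name only: this rejects DN metacharacters (, + " \ < > ; =) and
        # LDAP filter metacharacters (* ( ) \), so the name is safe to splice into both.
        [ValidatePattern('^[A-Za-z0-9-]{1,15}$')]
        [string] $ComputerName,
        [string] $OUPath = 'LDAP://localhost:389/OU=YourOUName,DC=Example,DC=com',
        [string] $Prefix = 'GROUPNAME_'
    )
    $groupName = $Prefix + $ComputerName
    $groupType = $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP -bor $ADS_GROUP_TYPE_SECURITY_ENABLED  # -2147483644

    # Idempotence: look the group up by sAMAccountName before calling Create/SetInfo.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$OUPath
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$groupName))"
    $existing = $searcher.FindOne()

    if ($null -eq $existing) {
        $objOU = [ADSI]$OUPath
        $entry = $objOU.Create('group', "CN=$groupName")
        $entry.Put('groupType', $groupType)
        $entry.Put('sAMAccountName', $groupName)
        $entry.SetInfo()
    } else {
        $entry = $existing.GetDirectoryEntry()
    }

    # Read back and decode, so a distribution group (4) cannot pass for a security group.
    $entry.psbase.RefreshCache()
    ConvertFrom-GroupType -GroupType ([int32]$entry.psbase.Properties['groupType'].Value)
}
```

Run it on a DC as `New-ComputerDomainLocalGroup -ComputerName WebServer1`; the returned object should show Scope DomainLocal and SecurityEnabled True. Feeding it a name such as `WebServer1,OU=Admins` fails at parameter binding rather than producing a group with an unexpected DN, and calling it twice returns the same decoded result without a second SetInfo.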


Happy Powershelling!


Steve
