We’re automating some server builds and need to create AD groups to manage resource access for each server (company policy).
We use SCCM for deployment, and I wanted to automate creating the groups at build time.
I also did not want any dependencies on external modules (so I wanted to do this without the Quest tools).
I found a few documents online for creating AD groups without the Quest tools, but found that most did not work.
You see, our key problem was that we wanted to create Domain Local Security groups.
In VBScript this was pretty simple: on the ‘Put’ portion of group creation, you told the script to apply both group type constants, combining them with an OR.
The theory was that this would work in PowerShell too (and many online scripts seemed to indicate that it would), but the group types being created were inconsistent. A likely reason is that PowerShell parses 0x80000000 (the security-enabled bit) as a 64-bit integer, so -bor produces a positive Int64 rather than the signed 32-bit value AD stores in groupType.
Below are the constants for the different group types (the groupType attribute as stored in AD, a signed 32-bit integer):

| groupType value | Group type |
|---|---|
| 2 | Global distribution group |
| 4 | Domain local distribution group |
| 8 | Universal distribution group |
| -2147483646 | Global security group |
| -2147483644 | Domain local security group |
| -2147483640 | Universal security group |
So creating a Domain Local Security group is as simple as:

```powershell
# Domain local security group: the signed Int32 value AD expects (0x80000004 as Int32)
$groupType = -2147483644

# Bind to the OU that will hold the group (run on a DC, or replace localhost with a DC name)
$objOU = [ADSI]"LDAP://localhost:389/OU=YourOUName,DC=Example,DC=com"

$GroupName = "MyNewGroup"

# Create the group object in the directory cache, set its attributes, then commit
$objGroup = $objOU.Create("group", "CN=" + $GroupName)
$objGroup.Put("groupType", $groupType)
$objGroup.Put("sAMAccountName", $GroupName)
$objGroup.SetInfo()
```
Of course you can change the LDAP binding to point at a DC (rather than localhost), and you can change the group type by amending the value of $groupType.
Even better, you could wrap it into a function, with a switch statement to take care of group type selection.
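Here is one way to do that wrapping, as an added example rather than code from the original post. It uses the same ADSI-only approach (no Quest tools or ActiveDirectory module), picks the groupType value with a switch over scope and category, checks that the OU exists and that the group does not already exist before creating it, and reads groupType back after SetInfo() so a wrong type fails the build instead of going unnoticed. The function name, parameter names, and the OU, server and group names in the usage line are all placeholders I have chosen for the example.

```powershell
# Added example (not the original post's code): create an AD group via ADSI only,
# selecting the groupType with a switch and verifying the stored value afterwards.
function New-AdsiGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Disallow DN-special characters so the name cannot break out of "CN=..."
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[^,+"\\<>;=#\[\]:]{1,64}$')]
        [string]$GroupName,

        # Distinguished name of the OU, e.g. "OU=ServerGroups,DC=example,DC=com" (placeholder)
        [Parameter(Mandatory = $true)]
        [string]$OUPath,

        [ValidateSet('Global', 'DomainLocal', 'Universal')]
        [string]$Scope = 'DomainLocal',

        [ValidateSet('Security', 'Distribution')]
        [string]$Category = 'Security',

        # A domain controller name; localhost only works when run on a DC
        [string]$Server = 'localhost',

        [string]$Description
    )

    # ADS_GROUP_TYPE_* scope flags
    $scopeFlag = switch ($Scope) {
        'Global'      { 2 }
        'DomainLocal' { 4 }
        'Universal'   { 8 }
    }

    # The security-enabled bit is 0x80000000. AD stores groupType as a signed Int32,
    # so combine with the literal -2147483648 (0x80000000 as Int32) rather than 0x80000000,
    # which PowerShell would parse as a positive Int64.
    [int]$groupType = switch ($Category) {
        'Security'     { $scopeFlag -bor -2147483648 }
        'Distribution' { $scopeFlag }
    }

    $ouLdapPath    = "LDAP://$Server/$OUPath"
    $groupLdapPath = "LDAP://$Server/CN=$GroupName,$OUPath"

    if (-not [ADSI]::Exists($ouLdapPath)) {
        throw "Container not found: $ouLdapPath"
    }

    # Idempotent for repeated builds: if the group is already there, make sure it is the
    # right type and hand it back instead of failing the build.
    if ([ADSI]::Exists($groupLdapPath)) {
        $existing = [ADSI]$groupLdapPath
        $existingType = [int]$existing.Properties['groupType'].Value
        if ($existingType -ne $groupType) {
            throw "Group '$GroupName' exists with groupType $existingType, expected $groupType"
        }
        Write-Verbose "Group '$GroupName' already exists with the expected type"
        return $existing
    }

    if (-not $PSCmdlet.ShouldProcess($GroupName, "Create $Category $Scope group in $OUPath")) {
        return
    }

    $ou    = [ADSI]$ouLdapPath
    $group = $ou.Create('group', "CN=$GroupName")
    $group.Put('groupType', $groupType)
    $group.Put('sAMAccountName', $GroupName)
    if ($Description) { $group.Put('description', $Description) }
    $group.SetInfo()

    # Reload from the directory and confirm what AD actually stored; the whole point of
    # the post is that the type sent is not always the type you get.
    $group.GetInfo()
    $stored = [int]$group.Properties['groupType'].Value
    if ($stored -ne $groupType) {
        throw "Group '$GroupName' was created with groupType $stored, expected $groupType"
    }
    return $group
}

# Usage at build time (placeholder names); -WhatIf shows the action without creating anything:
# New-AdsiGroup -GroupName 'SRV-WEB01-LocalAdmins' -OUPath 'OU=ServerGroups,DC=example,DC=com' `
#     -Server 'dc01.example.com' -Scope DomainLocal -Category Security -Verbose
```

Because the function reads groupType back and compares it to the table value, a build that silently produced a distribution group, or a global group, stops right there rather than leaving a server with the wrong access group in place.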