

Creating AD security groups

Continuing my AD excursion for a while. I saw a forum post about creating AD groups and came up with this function:

function new-securitygroup {
param (
  [Parameter(Mandatory=$true)]
  [string]$name,
  [Parameter(Mandatory=$true)]
  [string]$ou,
  [Parameter(ParameterSetName="DL")]
  [switch]$domainlocal,
  [Parameter(ParameterSetName="G")]
  [switch]$global,
  [Parameter(ParameterSetName="U")]
  [switch]$universal
)
$rootdse = [ADSI]""
$adpath = "$ou,$($rootdse.distinguishedName)"
Write-Debug $adpath
# set constants for group types (ADS_GROUP_TYPE_* flags)
$globalgroup = 0x00000002
$domainlocalgroup = 0x00000004
$universalgroup = 0x00000008
# AD stores groupType as a signed Int32; PowerShell parses 0x80000000 as an Int64,
# so the security-enabled bit is written as its signed value
$security = -2147483648
$targetou = [ADSI]"LDAP://$adpath"
switch ($psCmdlet.ParameterSetName) {
 "DL" {
        $grouptype1 = $security -bor $universalgroup
        $grouptype2 = $security -bor $domainlocalgroup}
 "G"  {$grouptype = $security -bor $globalgroup }
 "U"  {$grouptype = $security -bor $universalgroup }
 default {throw "Error!!! Should not be here" }
}
# create and save the group first; it starts life as a global security group
$newgroup = $targetou.Create("Group", "cn=$name")
$newgroup.SetInfo()
if ($domainlocal) {
  # global cannot be converted straight to domain local, so go via universal
  $newgroup.GroupType = $grouptype1
  $newgroup.SetInfo()
  $newgroup.GroupType = $grouptype2
  $newgroup.SetInfo()
}
else {
  $newgroup.GroupType = $grouptype
  $newgroup.SetInfo()
}
$newgroup.samAccountname = $name
$newgroup.SetInfo()
}


Parameter sets are used to keep the group scopes mutually exclusive: PowerShell rejects a call that combines -global, -universal and -domainlocal, and $psCmdlet.ParameterSetName tells the function which switch was used.

Note how, for a domain local group, we have to change the group type to universal before changing it to domain local. A group created through ADSI without an explicit groupType starts as a global security group, and AD will not convert a global group directly to domain local, so the change has to go via universal with the intermediate value committed first.

Examples of use are as follows

new-securitygroup -name test-g -ou "ou=All Groups" -global

new-securitygroup -name test-u -ou "ou=All Groups" -universal

new-securitygroup -name test-dl -ou "ou=All Groups" -domainlocal


Trying to change the group type and/or the samAccountName in the same write that creates the group will generate an error, so the group is saved with SetInfo() straight after Create() and each later change is committed separately. Also note that $name is interpolated into the distinguished name unescaped, so a name containing DN special characters (commas, plus signs, quotes and the like) must be escaped before it is passed in.
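To confirm that a group really ended up as a security group with the intended scope, here is an added example, not code from the original post, that decodes the groupType value AD stores and reads a created group back through ADSI. The flag values are the documented ADS_GROUP_TYPE_* constants; the function names, the sample groupType values and the parameter layout are my own assumptions.

```powershell
# Added example (not from the post): decode groupType and verify a group
# created with new-securitygroup. Function names here are assumptions.

# ADS_GROUP_TYPE_* flags. AD stores groupType as a signed Int32, so the
# security-enabled bit is written as -2147483648 rather than 0x80000000,
# which PowerShell would parse as an Int64.
$GT_GLOBAL       = 0x00000002
$GT_DOMAIN_LOCAL = 0x00000004
$GT_UNIVERSAL    = 0x00000008
$GT_SECURITY     = -2147483648

function ConvertFrom-GroupType {
    # Splits a groupType value into its scope and category bits.
    param([Parameter(Mandatory=$true)][int]$GroupType)
    $scope = 'Unknown'
    if     ($GroupType -band $GT_GLOBAL)       { $scope = 'Global' }
    elseif ($GroupType -band $GT_DOMAIN_LOCAL) { $scope = 'DomainLocal' }
    elseif ($GroupType -band $GT_UNIVERSAL)    { $scope = 'Universal' }
    $category = if ($GroupType -band $GT_SECURITY) { 'Security' } else { 'Distribution' }
    [pscustomobject]@{ GroupType = $GroupType; Scope = $scope; Category = $category }
}

function Test-SecurityGroup {
    # Reads the group back via ADSI and returns $true only if it is a
    # security group with the expected scope and samAccountName.
    # Needs a domain-joined host, like new-securitygroup itself.
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$OU,
        [Parameter(Mandatory=$true)]
        [ValidateSet('Global','DomainLocal','Universal')][string]$ExpectedScope
    )
    $rootdse = [ADSI]""
    try {
        $group = [ADSI]"LDAP://cn=$Name,$OU,$($rootdse.distinguishedName)"
        $groupType = [int]$group.Properties['groupType'].Value
        $sam = [string]$group.Properties['sAMAccountName'].Value
    } catch {
        Write-Warning "cn=$Name not found under $OU : $_"
        return $false
    }
    $info = ConvertFrom-GroupType $groupType
    $ok = ($info.Category -eq 'Security') -and
          ($info.Scope -eq $ExpectedScope) -and
          ($sam -eq $Name)
    if (-not $ok) {
        Write-Warning "cn=$Name has groupType $groupType ($($info.Scope) $($info.Category)), sAMAccountName '$sam'"
    }
    return $ok
}

# Constructed sample values (offline check): the three values the function
# above writes, plus a universal distribution group for contrast.
foreach ($gt in ($GT_SECURITY -bor $GT_GLOBAL),
                ($GT_SECURITY -bor $GT_DOMAIN_LOCAL),
                ($GT_SECURITY -bor $GT_UNIVERSAL),
                $GT_UNIVERSAL) {
    ConvertFrom-GroupType $gt
}

# After running the examples above against a domain:
# Test-SecurityGroup -Name test-dl -OU "ou=All Groups" -ExpectedScope DomainLocal
```

The decode function runs anywhere; Test-SecurityGroup needs the same domain access as new-securitygroup. Checking the read-back value rather than trusting the script's own variables catches the case where a SetInfo() silently left the group as the default global security group, which is exactly the failure mode the universal-then-domain-local detour exists to avoid.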
