How To Add And Remove AD Groups And Objects In Groups ... - Lepide

How to Add and Remove AD Groups and Members with PowerShell

In this post, I’ll show you how to create and delete Active Directory groups. I’ll also show you how to add and remove user and computer objects to and from AD groups.

Managing Active Directory (AD) groups with PowerShell is easy with the Active Directory module for Windows PowerShell. In this article, I’ll show you how to use New-ADGroup, Remove-ADGroup, Add-ADGroupMember, and Remove-ADGroupMember to manage groups. Let’s start by creating a new Active Directory group.

Before carrying out the instructions below, you must be logged in to Windows with a domain user account that has permission to add and remove groups in Active Directory. You must also have the Active Directory module for Windows PowerShell installed on the device where you want to run the PowerShell cmdlets.

How to use New-ADGroup

Open a PowerShell window on your management PC and run the command below, which will create a new domain local group called Helpdesk in Active Directory.

New-ADGroup -Name Helpdesk -Description 'User support' -GroupScope DomainLocal

The -GroupScope parameter can be set to DomainLocal, Global, or Universal. Note that if a group name contains a space, you must enclose it in quotation marks or apostrophes, much like I have with the value 'User support' in the command above.

There are many more parameters that you can pass to the New-ADGroup cmdlet. The command below also creates a group called Helpdesk but adds some of the additional parameters, including -Path to create the group in the Users container in the ad.contoso.com domain.

New-ADGroup -Name Helpdesk -SamAccountName 'Helpdesk' -GroupCategory Security -GroupScope DomainLocal -DisplayName Helpdesk -Path 'CN=Users,DC=ad,DC=contoso,DC=com' -Description 'User support'

How to use Remove-ADGroup

Removing a group is easy with the Remove-ADGroup cmdlet. Note that instead of -Name it uses a parameter called -Identity. The command below removes the AD group called Helpdesk. Because group names are unique in the domain, there’s no need to specify other parameters like -Path and -SamAccountName.

Remove-ADGroup -Identity Helpdesk

How to use Add-ADGroupMember

Now that we have created a group in Active Directory, let’s look at how to add and remove objects in groups. To add users to an AD group, use the Add-ADGroupMember cmdlet. In the command below, I’m adding two users to the Helpdesk group.

Figure 1: Add-ADGroupMember cmdlet
Add-ADGroupMember -Identity Helpdesk -Members JoeBlogs,DavidSmith

How to use Remove-ADGroupMember

Removing an object from a group is simple with the Remove-ADGroupMember cmdlet:

Remove-ADGroupMember -Identity Helpdesk -Members DavidSmith

Note: To add or remove computer account objects to or from a group, use the Add-ADGroupMember and Remove-ADGroupMember cmdlets as shown above, but you must add a dollar symbol to the end of the computer account name to signify that you mean a computer account and not a user account object. The command below adds a computer account to the Helpdesk group.

Add-ADGroupMember -Identity Helpdesk -Members privworkstation1$
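
The following is an added example, not code from the original article: one way to keep a group such as Helpdesk aligned with an approved member list using the cmdlets above. The function names Get-MembershipDrift and Sync-ADGroupMembership and the approved list are hypothetical; the final call uses -WhatIf, so it only previews the changes.

```powershell
#Requires -Modules ActiveDirectory

function Get-MembershipDrift {
    # Pure comparison with no AD calls, so it can be checked with constructed lists.
    param(
        [string[]]$Current,    # sAMAccountNames currently in the group
        [string[]]$Approved    # sAMAccountNames that should be in the group
    )
    [pscustomobject]@{
        ToAdd    = @($Approved | Where-Object { $_ -notin $Current })
        ToRemove = @($Current  | Where-Object { $_ -notin $Approved })
    }
}

function Sync-ADGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$Approved
    )
    # Direct members only; a nested group shows up as a member itself.
    $current = @(Get-ADGroupMember -Identity $Identity | ForEach-Object SamAccountName)
    $drift   = Get-MembershipDrift -Current $current -Approved $Approved

    if ($drift.ToAdd -and $PSCmdlet.ShouldProcess($Identity, "Add $($drift.ToAdd -join ', ')")) {
        Add-ADGroupMember -Identity $Identity -Members $drift.ToAdd
    }
    if ($drift.ToRemove -and $PSCmdlet.ShouldProcess($Identity, "Remove $($drift.ToRemove -join ', ')")) {
        # Remove-ADGroupMember prompts by default; ShouldProcess above has already gated the change.
        Remove-ADGroupMember -Identity $Identity -Members $drift.ToRemove -Confirm:$false
    }
    $drift   # return what was (or would be) changed, for logging
}

# Constructed sample using names from the article; the computer account keeps its trailing $.
$approved = 'JoeBlogs', 'privworkstation1$'
Sync-ADGroupMembership -Identity Helpdesk -Approved $approved -WhatIf
```

Run it without -WhatIf to apply the changes, and keep the returned ToAdd/ToRemove lists as a record of each membership change.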

Conclusion

Making sure that your Active Directory groups are properly managed is vital when it comes to mitigating the risks of privilege abuse. For a more continuous and automated way of auditing and monitoring Active Directory, start your free trial of Lepide Active Directory Auditor today.
