Summary: Microsoft Scripting Guy, Ed Wilson, talks about creating local groups.
Microsoft Scripting Guy, Ed Wilson, is here. Creating a local group works exactly the same way as creating a local user account (see Use PowerShell to Create Local User Accounts). The process involves the following steps:
- Create a connection to the local user account database by using the [ADSI] type accelerator and WinNT.
- Use the connection to call the Create method, and specify two values for the method call: Group in the first position and the name of the group in the second position.
- Call SetInfo to write the group back to the local account database.
- Specify a value for the description.
- Call SetInfo again to write the description to the group.
Notes
- When creating a local group, you must open the Windows PowerShell console or the Windows PowerShell ISE with Admin rights.
- When using WinNT, it must be capitalized exactly like this: WinNT.
At this point, there are no Windows PowerShell cmdlets from Microsoft that make it easy to create a local user account or a local group. Although it is possible to use the Desired State Configuration (DSC) provider and the local account provider, this requires Windows PowerShell 4.0. There are a couple of modules, such as my Local Account Management module, that expose advanced functions to make this easier. Other than that, it is old-school ADSI to the rescue.
Create the connection to the local account database
The first thing I do is use the ADSI type accelerator and the WinNT provider to make a connection to the local account database on my computer. I store the returned object in a variable named $cn as shown here:
$cn = [ADSI]"WinNT://edlt"
Call the create method to create the group
When I have my connection to the local account database, I can call the Create method. This method does not show up via Tab expansion or Get-Member, but it is available, and it does work. When I call the Create method, I supply two values. The first is the keyword Group, and the second is the name of the group. In the following example, I call the group mygroup:
$group = $cn.Create("Group","mygroup")
Call SetInfo
Now I need to call the SetInfo method to write the object back to the local account database:
PS C:\> $group.setinfo
OverloadDefinitions
-------------------
Once again, note that the SetInfo method does not appear via Tab expansion. When I call this method, I must include empty parentheses (()) at the end of the method call, or else the overload definition appears instead of the method running. Here is the command I use:
$group.setinfo()
Add a description
Now I want to add a description to the group. This is optional, but I consider it a best practice from when I used to be a network administrator. I would often find groups and service accounts that were created with no description and no information as to why they were there or what they were used for. By adding a description, the group becomes self-documenting. When I see a group with a description of “test group” I can be pretty safe in deleting it. Even better is the description “safe to delete.” Here is the command:
$group.description = "Test group"
$group.SetInfo()
The complete script is shown here:
# CreateLocalGroup.ps1
# Connect to the local account database (WinNT must be capitalized exactly like this).
$cn = [ADSI]"WinNT://edlt"
# Create the group object; "Group" is the object class, "mygroup" is the group name.
$group = $cn.Create("Group","mygroup")
# Write the new group to the local account database.
$group.SetInfo()
# Add a description and write it back with a second SetInfo call.
$group.description = "Test group"
$group.SetInfo()
That is all there is to using Windows PowerShell to create a local group. Obviously, I need to add members to the group, and that is what I will discuss tomorrow. I can also use standard Windows PowerShell techniques to test for things such as whether the group exists, or to create multiple groups.
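Building on the script above, here is an added example (my own, not code from the original post) that wraps the same ADSI steps in an advanced function: it checks for elevation up front, skips groups that already exist instead of failing on a duplicate Create, supports -WhatIf, and accepts several group names from the pipeline. The function name New-LocalGroupAdsi and its parameter names are my own, and it defaults to the local computer name rather than the author's edlt.

```powershell
function New-LocalGroupAdsi {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]] $Name,
        [string] $Description = '',
        [string] $ComputerName = $env:COMPUTERNAME   # assumption: local machine, not "edlt"
    )
    begin {
        # Creating groups needs an elevated session; fail fast with a clear message
        # instead of an opaque ADSI error later.
        $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = [Security.Principal.WindowsPrincipal] $identity
        if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
            throw 'Run this from an elevated (Run as administrator) PowerShell session.'
        }
        # "WinNT" must be capitalized exactly like this.
        $cn = [ADSI] "WinNT://$ComputerName"
    }
    process {
        foreach ($groupName in $Name) {
            # [ADSI]::Exists is DirectoryEntry.Exists(); ",group" limits the check to group objects,
            # so a user with the same name does not mask a missing group.
            if ([ADSI]::Exists("WinNT://$ComputerName/$groupName,group")) {
                Write-Verbose "Group '$groupName' already exists; leaving it untouched."
                $cn.Children.Find($groupName, 'group')   # return the existing group object
                continue
            }
            if ($PSCmdlet.ShouldProcess("$ComputerName\$groupName", 'Create local group')) {
                $group = $cn.Create('Group', $groupName)
                $group.SetInfo()                     # write the new group to the account database
                if ($Description) {
                    $group.Description = $Description
                    $group.SetInfo()                 # second SetInfo writes the description
                }
                $group
            }
        }
    }
}

# Usage: create several self-documenting groups in one call; rerunning is harmless.
'mygroup', 'mygroup2' | New-LocalGroupAdsi -Description 'Test group' -Verbose
```

Running with -WhatIf shows which groups would be created without touching the account database, which is useful before rolling the script out to more than one machine.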
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy