In this post, I'll show you how to use Set-ADGroup to modify Active Directory group attributes from a PowerShell script.
The Set-ADGroup cmdlet requires the ActiveDirectory module to be installed.
The Set-ADGroup cmdlet in PowerShell modifies Active Directory group attributes. You can modify commonly used property values using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified using the Add, Remove, Clear and Replace parameters.
Set-ADGroup Cmdlet
The Set-ADGroup cmdlet syntax is given below:
Set-ADGroup [-WhatIf] [-Confirm] [-Add <Hashtable>] [-AuthType <ADAuthType>] [-Clear <String[]>] [-Credential <PSCredential>] [-Description <String>] [-DisplayName <String>] [-GroupCategory <ADGroupCategory>] [-GroupScope <ADGroupScope>] [-HomePage <String>] [-Identity] <ADGroup> [-ManagedBy <ADPrincipal>] [-Partition <String>] [-PassThru] [-Remove <Hashtable>] [-Replace <Hashtable>] [-SamAccountName <String>] [-Server <String>] [<CommonParameters>]
The Identity parameter specifies the Active Directory group to modify. You can identify a group by its distinguished name, security identifier, or GUID.
PowerShell Set-ADGroup works best when combined with Get-ADGroup. You can read the group you need to modify using Get-ADGroup and use the pipeline operator (|) to pass it to Set-ADGroup, which modifies the attributes of the Active Directory group.
Set a Property for Groups using Identity
Let's consider a scenario where you want to update the description of a group identified with the Identity parameter in Active Directory. Use the Set-ADGroup command below to update the group description using the Description parameter.
Set-ADGroup -Server localhost:60000 -Identity "CN=ShellAccessControl,DC=ShellNC" -Description "My Access Group" -Passthru
The above Set-ADGroup command identifies the group by its distinguished name and uses the Description parameter to set the group description.
Using set adgroup to modify description for filtered groups
Let's consider a scenario where you want to update the description of every group whose name starts with Access. Use the PowerShell script below to update the group description using Set-ADGroup:
Get-ADGroup -Filter 'name -like "Access*"' | Set-ADGroup -Description "Access Group"
The above command uses Get-ADGroup to select the groups whose names start with Access and uses the pipeline operator (|) to pass them to Set-ADGroup, which modifies the description of all of them.
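An added example (not from the original post) that makes this bulk change reviewable: it saves each matching group's current description, previews the update with -WhatIf, then applies it with -Confirm. The backup file location is an assumption.

```powershell
# Added example: the backup path is an illustrative assumption;
# the filter and new description are the ones used in the command above.
Import-Module ActiveDirectory

$filter     = 'Name -like "Access*"'
$newValue   = 'Access Group'
$backupPath = Join-Path $env:TEMP ("adgroup-description-backup-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))

# Get-ADGroup returns only a default property set; Description must be requested explicitly.
$groups = @(Get-ADGroup -Filter $filter -Properties Description)

if ($groups.Count -eq 0) {
    Write-Warning "No groups matched filter: $filter"
    return
}

# 1. Record the current values so the change can be reviewed and reversed.
$groups |
    Select-Object DistinguishedName, SamAccountName, Description |
    Export-Csv -Path $backupPath -NoTypeInformation -Encoding UTF8

# 2. Dry run: -WhatIf reports each group that would be modified without writing anything.
$groups | Set-ADGroup -Description $newValue -WhatIf

# 3. Apply, prompting per group; -PassThru returns the modified objects for logging.
$changed = $groups | Set-ADGroup -Description $newValue -Confirm -PassThru
$changed | Select-Object Name, DistinguishedName
```

A wildcard filter can match more groups than intended, so the exported CSV doubles as the list to check before confirming.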
Modify Property for a Group using Set-AdGroup
Set-ADGroup -Server localhost:60000 -Identity "CN=AccessControl,DC=AppNC" -Description "Access Group" -Passthru
The above Set-ADGroup example modifies the Description of the group named AccessControl to Access Group, using the Identity parameter to select the group.
Set a Property by Specifying an Instance
$Group = Get-ADGroup -Server localhost:60000 -Identity "CN=AccessControl,DC=AppNC"
$Group.Description = "Access Group"
Set-ADGroup -Instance $Group -Passthru
The above PowerShell script sets the Description property on the AccessControl group by using the Set-ADGroup Instance parameter. The Instance parameter can only update a group object that has been retrieved by the Get-ADGroup cmdlet.
Rename Active Directory group using Set-AdGroup
It's easy to rename an Active Directory group using the Get-ADGroup and Set-ADGroup cmdlets. A rename takes two commands: Set-ADGroup to change the SamAccountName and Rename-ADObject to change the object name.
Get-ADGroup -Identity "GroupName" | ForEach-Object { Set-ADGroup -Identity $_ -SamAccountName "ShortName"; $_ | Rename-ADObject -NewName "ShortName" }
In the above example, Get-ADGroup identifies the group, Set-ADGroup updates its SamAccountName, and Rename-ADObject renames the group object.
Add Email Address to AD Security group using Set-AdGroup -Replace
Let's assume a CSV file with two columns: the first column is the group name and the second column is an email address. The command below reads them from the columns headed group and mail.
To set an email address on an AD security group, you can use the mail property as shown in the code below:
Import-CSV -path 'C:\PowerShell\AD-GroupScript\AddEmailToGroups.csv' | ForEach-Object {Set-ADGroup -Identity $_.group -Replace @{mail = "$($_.mail)"}}
In the above Set-ADGroup example, we first import the CSV file containing the group names and email addresses.
We then use a ForEach-Object loop to iterate over each row and use the Set-ADGroup -Replace parameter to assign the mail property of the respective group.
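The one-liner above writes whatever the CSV contains and stops being useful at the first bad row. The following added example (not from the original post) validates each row, resolves the group before writing, and reports a per-row status. The address pattern and the result object shape are assumptions.

```powershell
# Added example: the path and the "group"/"mail" column headers come from the command above;
# the address pattern and the Status values are illustrative assumptions.
Import-Module ActiveDirectory

$csvPath     = 'C:\PowerShell\AD-GroupScript\AddEmailToGroups.csv'
$mailPattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'   # basic shape check, not full RFC 5322

$results = foreach ($row in Import-Csv -Path $csvPath) {
    $name   = "$($row.group)".Trim()
    $mail   = "$($row.mail)".Trim()
    $status = 'Updated'

    try {
        if (-not $name) { throw 'Empty group name' }
        # An empty or malformed value is rejected here rather than passed to -Replace.
        if ($mail -notmatch $mailPattern) { throw "Rejected mail value '$mail'" }

        # Resolve the group first so a typo fails here instead of inside Set-ADGroup.
        $group = Get-ADGroup -Identity $name -Properties mail -ErrorAction Stop

        if ($group.mail -eq $mail) {
            $status = 'Unchanged'
        } else {
            Set-ADGroup -Identity $group -Replace @{ mail = $mail } -ErrorAction Stop
        }
    } catch {
        $status = "Failed: $($_.Exception.Message)"
    }

    # One record per CSV row, suitable for Export-Csv as a change log.
    [pscustomobject]@{ Group = $name; Mail = $mail; Status = $status }
}

$results | Format-Table -AutoSize
```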
Conclusion
I hope you enjoyed the above article on modifying Active Directory group properties using the Set-ADGroup cmdlet in PowerShell. Set-ADGroup works best in combination with Get-ADGroup: read the group information first, then use the pipeline operator (|) to modify the property value.