Create Active Directory Security Groups with PowerShell

by Robert Allen

How to create active directory groups with powershell

In this guide, you will learn you how to create single and bulk Active Directory security groups with PowerShell. I will provide examples and a script for creating bulk groups from a CSV file.

In this article

Create AD Group with PowerShell

The New-ADGroup cmdelet is the command used to create Active Directory groups.

I won’t cover all of the details of this cmdlet instead, I’ll jump right into some examples. You can reference the Microsoft document New-ADGroup for the complete syntax.

Name and GroupScope are the two required parameters, everything is optional.

Example 1: Create a single AD group

New-ADGroup -Name Marketing_local -GroupCategory Security

This command creates a group named “Marketing_local the group category is security.

Example 2: Create a single group with a description

New-ADGroup -Name Account_Printers -GroupScope DomainLocal -Description "Group for permissions to accounting printers"

This example created a group named “Account_Printers” and sets the description.

Example 3: Create a single group and set Managed By

New-ADGroup -Name GIS_Images -GroupScope DomainLocal -ManagedBy robert.allen

In this example, I create a group named GIS_Images and set the managed by to the SAM account name (sAMAccountName) of robert.allen.

Example 4: Create a single group and add it to an organizational unit (OU)

New-ADGroup -Name Marketing_local -GroupCategory Security -Path "OU=ADPRO Groups,DC=ad,DC=activedirectorypro,DC=com"

This example creates the group “Marketing_local” and puts it in the OU named ADPRO Groups.

Now let’s look at creating AD groups in bulk.

Create AD Groups from CSV

The easiest way to bulk create AD groups is by using a CSV file. The CSV file will have all of the group details, we then use PowerShell to import the CSV and create the groups.

Step 1: CSV file configuration

Create a CSV file and add these columns

  • name
  • path
  • scope
  • category
  • description

Then fill in each column with the group details. Here is a screenshot of my CSV. You can add additional parameters to the CSV you will just need to update the script below to include them.

Save the as a CSV (comma delimited) (.csv) file type. You can name the file name whatever you want.

Step 2: The Bulk Import Script

Here is the PowerShell script for bulk creating groups from the CSV.

You can copy and paste this into PowerShell. The only thing you need to change is the location of the CSV. 

Import-Module ActiveDirectory

#Import CSV
$groups = Import-Csv ‘c:\it\scripts\groups.csv‘


# Loop through the CSV
    foreach ($group in $groups) {

    $groupProps = @{

      Name          = $group.name
      Path          = $group.path
      GroupScope    = $group.scope
      GroupCategory = $group.category
      Description   = $group.description

      }#end groupProps

    New-ADGroup @groupProps
    
} #end foreach loop

Make sure you change this line to the path of the CSV file you created in step 1. 

$groups = Import-Csv ‘c:\it\scripts\groups.csv‘

Here is a screenshot of the script in PowerShell ISE.

Easily Bulk Create AD Groups with the AD Pro Toolkit

An alternative to PowerShell is to use the AD Pro Toolkit.

With this tool, you can easily perform the following actions:

  • Import Groups
  • Add Users to Groups
  • Remove Users from Groups
  • Bulk update group attributes
  • Create Group Reports

Step 1. Click on “Group Management” and then “Create Groups”.

Step 2. Download the included CSV template

Step 3. Fill out the template with your group details

Step 4. Select your template and click run.

Download AD Pro Toolkit and see how easy it is to create Active Directory groups.

Feel free to comment below if you have any questions.

Related Articles

Recommended Tools

  • AD Cleanup Tool - Find stale and inactive user and computer accounts in Active Directory. Export, disable, move or delete the stale accounts to increase security.
  • AD User Creation Tool - Bulk import or update Active Directory user accounts. Add users to groups, import into OUs, set multiple attributes and more.
  • NTFS Permissions Tool - Scan and audit NTFS folder permissions. See which users and groups have access to what.
  • AD Reporting Tool - Over 200 reports on users, computers, groups, OUs and more. Customize reports or create your own reports with the report builder.

35 thoughts on “Create Active Directory Security Groups with PowerShell”

  1. For everyone who can’t get this to work with the delimiter part

    Add the following cmdlet after your import-csv part, -Delimiter “;”

    So line 4 for the Powershell script should look like this;
    $groups = Import-Csv “C:\Temp\Add Groups\addgroups.csv” -Delimiter “;”

    Reply

      • thanks. I’m able to do this successfully via the one-liner. How could the existing script be modified to reference a list of existing groups from a csv to do this in bulk?

        Reply

  3. Found the solution to null value in GroupCategory. It has to do with the delimiter.
    add -delimiter “;” or whatever default delimiter your area has at the end of the import-csv line.

    Reply

      • New-ADGroup : Cannot validate argument on parameter ‘GroupCategory’. The argument is null. Provide a valid value for the argument, and then try running the
        command again.
        At line:20 char:17
        + New-ADGroup @groupProps
        + ~~~~~~~~~~~
        + CategoryInfo : InvalidData: (:) [New-ADGroup], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.NewADGroup

        Reply

  4. Hey Robert,
    when I run the script I get this too:
    New-ADGroup : Cannot validate argument on parameter ‘GroupCategory’. The argument is null. Provide a valid value for the argument, and then try running the command again.
    At line:20 char:17

    here’s what im running:

    Import-Module ActiveDirectory

    #Import CSV
    $groups = Import-Csv ‘\\server\path\to\folder\myfile.csv’

    # Loop through the CSV
    foreach ($group in $groups) {

    $groupProps = @{

    Name = $group.name
    Path = $group.path
    GroupScope = $group.scope
    GroupCategory = $group.category
    Description = $group.description

    }#end groupProps

    New-ADGroup @groupProps

    } #end foreach loop

    Columns I created:
    name path scope category description

    contents in scope and category is: DomainLocal and Security.

    Checked get-command listimported as suggested above and New-ADGroup is present.
    Hope you can help, I have 248 groups to create 😀

    Reply

  5. I have bulk groups to be created with attributes like Description and ManagedBy, if there is blank value for MangedBy or Description it throws below error

    New-ADGroup : Identity info provided in the extended attribute: ‘ManagedBy’ could not be resolved. Reason: ‘Cannot find an object with identity: ”
    under: ‘DC=example,DC=xyz,DC=com’.’.
    At line:21 char:5

    Reply

  7. didn’t work for me. I used the exact headings on the columns and the exact script. Can somebody post a solution that works please

    Reply

  8. Not sure why my description is not being updated on above script.
    Am trying to add two members to the grps being created in above script.
    tried
    foreach ($groups in $groupProps $group.name)
    Add-ADGroupMember -Member user01

    Reply

  9. Is there a way to add a managed by field to example #5? Bonus points if there’s also a way to check the “manager can update membership list “ box in the same script.

    Reply

    • Yup. Just add ManagedBy to the groupProps section in the script and a matching header in the csv. I don’t see an option for “manager can update”.

      Reply

  10. New-ADGroup : Cannot validate argument on parameter ‘GroupCategory’. The argument is null. Provide a valid value for the argument, and then try running the
    command again.

    I keep getting this, adapted the CSV to include the “”. The Category Column has Security as value but this keeps showing up.

    Reply

  12. I get this error for #Exemple 5: Please could you help?

    New-ADGroup : Cannot validate argument on parameter ‘GroupCategory’. The argument is null. Provide a valid value for the argument, and
    then try running the command again.
    At line:20 char:17
    + New-ADGroup @groupProps
    + ~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [New-ADGroup], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.NewADGroup

    Reply

  13. Much appreciated for sharing this script. Erik was right, the .csv requires some fiddling. But overall, this works like a charm. Saved me tons of time!

    Reply

  14. Hi,

    Example #4 has code errors.
    The CN= needs to be dropped.
    The “T” at the end of the code needs to be removed.

    Reply

  15. New-ADGroup : Cannot validate argument on parameter ‘GroupCategory’. The argument is null. Supply a non-null argument and try the command
    again.

    Reply

      • Yes, the New-ADGroup cmdlet does show up.
        However the script still responds in the same manner. Using the example 4 as a reference I am able to create a new group even whith the addition of the GroupScope parameter in one go, but when all the parameters are filled using this script it does not work.
        I would like this to work, need to migrate quite a few groups over and this would be helpful

        Reply

        • After fiddling with the input CSV file I found the solution; the CSV file is misread and should be like this:
          name,path,scope,category,description
          Groupname,”OU=groups,DC=Domain,DC=Local”,Global,Security,”Discription for the group”
          When saved as a UTF-8 CSV file the script works fine.

          Reply

Leave a Comment