Use PowerShell to Create Local Groups


Summary: Microsoft Scripting Guy, Ed Wilson, talks about creating local groups.

Microsoft Scripting Guy, Ed Wilson, is here. Creating a local group works exactly the same way as creating a local user account (see Use PowerShell to Create Local User Accounts). The process involves the following steps:

  1. Create a connection to the local user account database by using the [ADSI] type accelerator and WinNT.
  2. Use the connection to call the Create method, and specify two values for the method call: Group in the first position and the name of the group in the second position.
  3. Call SetInfo to write the group back to the local account database.
  4. Specify a value for the description.
  5. Call SetInfo again to write the description to the group.

  Notes 

  • When creating a local group, you must open the Windows PowerShell console or the Windows PowerShell ISE with Admin rights.
  • When using WinNT, it must be capitalized exactly like this: WinNT.

At this point, there are no Windows PowerShell cmdlets from Microsoft that make it easy to create a local user account or a local group. Although it is possible to use the Desired State Configuration (DSC) provider and the local account provider, this requires Windows PowerShell 4.0. There are a couple of modules written, such as my Local Account Management module, which expose advanced functions to make this easier. Other than that, it is old-school ADSI to the rescue.

Create the connection to the local account database

The first thing I do is use the ADSI type accelerator and the WinNT provider to make a connection to the local account database on my computer. I store the returned object in a variable named $cn as shown here:

$cn = [ADSI]"WinNT://edlt"

Call the create method to create the group

When I have my connection to the local account database, I can call the Create method. This method does not show up via Tab expansion or Get-Member. But it is available, and it does work. When I call the Create method, I supply two values. The first is the keyword Group, and the second is the name of the group. In the following example, I call the group mygroup:

$group = $cn.Create("Group","mygroup")

Call SetInfo

Now I need to call the SetInfo method to write the object back to the local account database:

PS C:\> $group.setinfo

OverloadDefinitions
-------------------

Once again, note that the SetInfo method does not appear via Tab expansion. When I call this method, I must include empty parentheses ( () ) at the end of the method call; otherwise, Windows PowerShell displays the method's overload definitions (as shown above) instead of running it. Here is the command I use:

$group.setinfo()

Add a description

Now I want to add a description to the group. This is optional, but I consider it a best practice from when I used to be a network administrator. I would often find groups and service accounts that were created with no description and no information as to why they were there or what they were used for. By adding a description, the group becomes self-documenting. When I see a group with a description of “test group” I can be pretty safe in deleting it. Even better is the description “safe to delete.” Here is the command:

$group.description = "Test group"

$group.SetInfo()

The complete script is shown here:

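# CreateLocalGroup.ps1

# Connect to the local account database (WinNT must be capitalized exactly)
$cn = [ADSI]"WinNT://edlt"
# Create the group object and write it to the account database
$group = $cn.Create("Group","mygroup")
$group.setinfo()
# Add a description and write it back to the group
$group.description = "Test group"
$group.SetInfo()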

That is all there is to using Windows PowerShell to create a local group. Obviously, I need to add members to the group, and that is what I will discuss tomorrow. I can also use standard Windows PowerShell techniques to test whether the group exists or to create multiple groups.
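
The existence test and multi-group creation mentioned above, as an added example that is not code from the original post. The function name New-LocalGroupIfMissing, the group names, and the descriptions are hypothetical; it assumes an elevated console on the local computer.

```powershell
# Added example, not from the original post. Function name, group names and
# descriptions are hypothetical sample values. Run from an elevated console.
function New-LocalGroupIfMissing {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Description,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Same connection as in the post; the provider name must be spelled WinNT.
    $cn = [ADSI]"WinNT://$ComputerName"

    # Test for the group by enumerating the computer's child objects.
    # psbase reaches the raw DirectoryEntry members (Name, SchemaClassName).
    $existing = $cn.psbase.Children | Where-Object {
        $_.psbase.SchemaClassName -eq 'Group' -and $_.psbase.Name -eq $Name
    }
    if ($existing) {
        Write-Verbose "Group '$Name' already exists on $ComputerName; skipping."
        return
    }

    if ($PSCmdlet.ShouldProcess("$ComputerName\$Name", 'Create local group')) {
        try {
            $group = $cn.Create('Group', $Name)
            $group.SetInfo()                    # write the new group
            $group.Description = $Description   # keep the group self-documenting
            $group.SetInfo()                    # write the description
            Write-Verbose "Created group '$Name'."
        }
        catch {
            # SetInfo() fails here, for example, when the console is not elevated.
            Write-Error "Could not create '$Name': $($_.Exception.Message)"
        }
    }
}

# Constructed sample input: create several groups in one pass.
$groupsToCreate = @(
    @{ Name = 'SampleAppOperators'; Description = 'Sample app operators; owner: ops' },
    @{ Name = 'SampleAppReaders';   Description = 'Read-only access to sample app' }
)
foreach ($g in $groupsToCreate) {
    New-LocalGroupIfMissing @g -Verbose
}
```

Because the function supports ShouldProcess, adding -WhatIf to the call previews which groups would be created without writing to the account database.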

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

Comments (3)

  1. Slawek says:

    It doesn’t work…
    Exception calling "setinfo" with "0" argument(s): "Nieokreślony błąd.
    "
    At line:8 char:1
    + $group.setinfo()
    + ~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI

    Exception setting "description": "Cannot set the Value property for PSMemberInfo object of type "System.Management.Automation.PSMethod"."
    At line:10 char:1
    + $group.description = "Test group"
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], SetValueInvocationException
    + FullyQualifiedErrorId : ExceptionWhenSetting

    Exception calling "SetInfo" with "0" argument(s): "Nieokreślony błąd.
    "
    At line:12 char:1
    + $group.SetInfo()
    + ~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI

  2. Anatoli says:

    I had the exact same error… Any updates on this?

  3. Brian says:

    When copying the text make sure that all the double quotes are correct. Fixing the double quotes made the script work fine for me.
