Create a Universal Security Group

So you say that you’d really like to know how to create a group that can be used for a custom Role-Based Access Control (RBAC) role? Well, let’s see what we can do to help you out.


Note. You say what you’d really like to know is this: what the heck is a custom Role-Based Access Control role? For that information, take a look at the article A Brief Introduction to RBAC.

Creating a group that can be used for a custom RBAC role is actually pretty easy: you just create an Active Directory security group. Well, of course, that group does have to be a universal security group. Oh, and it has to be housed in the Users container in Active Directory. And, of course it – you know what? Why don’t we just use a script instead:

$groupName = $args[0]

# Get the DNS name of the current domain (for example, litwareinc.com).
$domainName = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name

# Turn that into a distinguished-name suffix (litwareinc,dc=com). The dot has to be
# escaped: -replace uses regular expressions, and an unescaped "." matches every character.
$domainName = $domainName -replace "\.", ",dc="

# Bind to the Users container and create the group there.
$ou = [ADSI] "LDAP://cn=Users,dc=$domainName"
$group = $ou.Create("group", "cn=$groupName")
$group.Put("SamAccountName", $groupName)
# -2147483640 is 0x80000008: ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000) | ADS_GROUP_TYPE_UNIVERSAL_GROUP (0x8)
$group.Put("groupType", -2147483640)
# Nothing is written to Active Directory until SetInfo() commits the new object.
$group.SetInfo()

To use the preceding script, copy the code to your favorite text editor (we still like good old Notepad) and then save the file with a .ps1 file extension (for example, C:\Scripts\New-RBACGroup.ps1). All you have to do then is run the script, being sure to include the name to be given to your new group as the sole script parameter:

C:\Scripts\New-RBACGroup.ps1 "LitwareincHelpDesk"

The script will then:

1.   Retrieves the name of the current domain. And, yes, that means that the group will, by default, be created in the current domain. You’ll have to make a few modifications to the script if you want to be able to create groups in any domain.

2.   Uses the –replace operator to put the domain name in the proper format. For example, if the domain is named litwareinc.com, the script reformats the name so it looks like this: litwareinc,dc=com.

3.   Binds to the Users container in the current domain and creates a new universal security group, using the name you entered as your script parameter as the group’s CN and SamAccountName, then commits the new object with SetInfo().

That’s pretty much all it does: it creates a new security group. But, then again, what else would you expect a script that creates a new security group to do?
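The article's script is fine for the current domain, but step 1 above points out that targeting another domain needs a few changes, and the script never checks that the object it created actually ended up as a universal security group. The function below is an added example (not the article's own script) that makes those modifications: it takes the target domain as a parameter, builds the distinguished name by splitting on the dots instead of a regex replace, refuses to create a group whose sAMAccountName is already taken, computes the groupType value from the ADS_GROUP_TYPE flags rather than hard-coding it, and reads the object back to verify the bits. The function and parameter names are assumptions chosen for illustration.

```powershell
# Added example, not from the original article. Function and parameter names are assumed.
function New-RbacUniversalGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        # DNS name of the target domain, e.g. litwareinc.com. Defaults to the current domain.
        [string]$DomainDnsName = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
    )

    # ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000) | ADS_GROUP_TYPE_UNIVERSAL_GROUP (0x8).
    # [int]::MinValue is 0x80000000 as a signed 32-bit integer; OR-ing in 0x8 gives
    # -2147483640, the same value the article's script hard-codes.
    $universal       = 0x8
    $securityEnabled = [int]::MinValue
    $groupType       = $securityEnabled -bor $universal

    # "litwareinc.com" -> "dc=litwareinc,dc=com". Splitting on '.' avoids the regex
    # pitfall of -replace "." (an unescaped dot matches every character).
    $domainDn = ($DomainDnsName.Split('.') | ForEach-Object { "dc=$_" }) -join ','
    $usersDn  = "cn=Users,$domainDn"

    # Escape the name before putting it in an LDAP filter (RFC 4515), so a name
    # containing ( ) * or \ cannot change the meaning of the search.
    $escaped = $Name -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # Refuse to clobber an existing object with the same sAMAccountName anywhere in the domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter     = "(sAMAccountName=$escaped)"
    if ($searcher.FindOne()) {
        throw "An object with sAMAccountName '$Name' already exists in $DomainDnsName."
    }

    # Create the group in the Users container, exactly as the article's script does.
    $ou    = [ADSI]"LDAP://$usersDn"
    $group = $ou.Create("group", "cn=$Name")
    $group.Put("sAMAccountName", $Name)
    $group.Put("groupType", $groupType)
    $group.SetInfo()    # nothing reaches Active Directory until this call

    # Read the object back and check the flag bits rather than trusting the write.
    $created = [ADSI]"LDAP://cn=$Name,$usersDn"
    $actual  = [int]$created.Get("groupType")
    if ((($actual -band $securityEnabled) -eq 0) -or (($actual -band $universal) -eq 0)) {
        throw "Group '$Name' was created but is not a universal security group (groupType=$actual)."
    }
    $created
}

# Usage: create the group in the current domain ...
# New-RbacUniversalGroup -Name "LitwareincHelpDesk"
# ... or in a specific domain (the account running this needs rights to create objects there):
# New-RbacUniversalGroup -Name "LitwareincHelpDesk" -DomainDnsName "litwareinc.com"
```

The existence check searches the whole domain rather than just the Users container because sAMAccountName must be unique across the domain, so a same-named user or group in any OU would make the Create call fail with a less helpful error. The read-back at the end is the part worth keeping even if you strip the rest: a group that silently came out as a global or distribution group will not work for the RBAC role assignment, and the mistake is far cheaper to catch here than later.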

