Create a Universal Security Group
Published May 20 2019 02:13 PM
First published on TECHNET on Jun 06, 2010

So you say that you’d really like to know how to create a group that can be used for a custom Role-Based Access Control (RBAC) role? Well, let’s see what we can do to help you out.

Note. You say what you’d really like to know is this: what the heck is a custom Role-Based Access Control role? For that information, take a look at the article A Brief Introduction to RBAC.

Creating a group that can be used for a custom RBAC role is actually pretty easy: you just create an Active Directory security group. Well, of course, that group does have to be a universal security group. Oh, and it has to be housed in the Users container in Active Directory. And, of course it – you know what? Why don’t we just use a script instead:

$groupName = $args[0]

$domainName = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
# -replace takes a regular expression, so the dot must be escaped; an unescaped "."
# matches every character and turns the name into a string of ",dc=" fragments
$domainName = $domainName -replace "\.", ",dc="

$ou = [ADSI] "LDAP://cn=Users,dc=$domainName"
$group = $ou.Create("group", "cn=$groupName")
$group.Put("SamAccountName", $groupName)
$group.Put("groupType", -2147483640)   # universal (0x8) plus security-enabled (0x80000000)
$group.SetInfo()   # nothing is written to the directory until this call

To use the preceding script, copy the code to your favorite text editor (we still like good old Notepad) and then save the file with a .ps1 file extension (for example, C:\Scripts\New-RBACGroup.ps1). All you have to do then is run the script, being sure to include the name to be given your new group as the sole script parameter:

C:\Scripts\New-RBACGroup.ps1 "LitwareincHelpDesk"

The script will then:

1. Retrieve the name of the current domain. And, yes, that means that the group will, by default, be created in the current domain. You’ll have to make a few modifications to the script if you want to be able to create groups in any domain.

2. Use the -replace operator to put the domain name in the proper format. For example, if the domain is named litwareinc.com, the script reformats the name so it looks like this: litwareinc,dc=com.

3. Bind to the Users container in the current domain and create a new universal security group, using the name you entered as your script parameter as the group's CN and SamAccountName.

That’s pretty much all it does: it creates a new security group. But, then again, what else would you expect a script that creates a new security group to do?
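If you want a little more safety around that one job, here is an added example (not the post's own script) that does the same thing more defensively: it validates the group name against a conservative allowlist (an assumption, not an AD rule), takes the container DN from the domain object instead of rewriting the DNS name, refuses to touch an existing group, commits with SetInfo(), and then reads the object back to confirm both the universal and security-enabled bits are set. It assumes you run it as an account permitted to create groups in the Users container of the current domain.

```powershell
# Added example, not from the original post. Creates a universal security group
# in CN=Users of the current domain and verifies the result.
param(
    [Parameter(Mandatory = $true)]
    # Assumption: a conservative allowlist that keeps DN and LDAP-filter
    # metacharacters (, = + < > # ; " \ * ( )) out of the name.
    [ValidatePattern('^[A-Za-z0-9 _.-]{1,64}$')]
    [string]$GroupName
)

# groupType flag values from the AD schema. The security-enabled bit is what
# makes the group usable as an RBAC role group; without it you get a distribution group.
$ADS_GROUP_TYPE_UNIVERSAL_GROUP  = 0x00000008
$ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000   # PowerShell reads this as Int32 -2147483648
$universalSecurity = [int]($ADS_GROUP_TYPE_UNIVERSAL_GROUP -bor $ADS_GROUP_TYPE_SECURITY_ENABLED)  # -2147483640

# Take the domain DN from the directory object rather than rewriting "litwareinc.com" by hand.
$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domainDN = [string]$domain.GetDirectoryEntry().distinguishedName.Value
$users    = [ADSI] "LDAP://CN=Users,$domainDN"

# Fail clearly if the name is already taken instead of surfacing a raw ADSI COM error.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($users)
$searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$GroupName))"
if ($searcher.FindOne()) {
    throw "A group named '$GroupName' already exists in $domainDN."
}

$group = $users.Create("group", "CN=$GroupName")
$group.Put("sAMAccountName", $GroupName)
$group.Put("groupType", $universalSecurity)
$group.SetInfo()   # the object does not exist in the directory until this commit

# Read the new object back and check the two bits that matter for RBAC.
$created     = [ADSI] "LDAP://CN=$GroupName,CN=Users,$domainDN"
$type        = [int]$created.groupType.Value
$isUniversal = ($type -band $ADS_GROUP_TYPE_UNIVERSAL_GROUP) -ne 0
$isSecurity  = ($type -band $ADS_GROUP_TYPE_SECURITY_ENABLED) -ne 0
if (-not ($isUniversal -and $isSecurity)) {
    throw "Group was created but groupType $type is not 'universal, security-enabled'."
}
"Created $($created.distinguishedName.Value) (groupType=$type)"
```

Save it as its own .ps1 file and run it with the group name as the parameter, exactly as with the article's script.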
