New AD group creation

I am wanting to create security groups for filtering purposes.

They do not exist yet and I am wanting to create them.

I would like to get all my AD users and select the value of the "Division" field.

With that field I'd like to add them to a group in an OU called "SafetyNet".

If the group that matches the name of their division exists - they would be added to that group. If not, the group would be created and then they would be added.

I imagine it would look something like this:

$users = get-aduser -properties * -filter {enabled -eq '$true' -and division -ne '$null'}

foreach ($user in $users)

{add-adgroupmember -Identity {

    Get-ADGroup $user.division 
    (if (unsure what goes here))


else {
    new-adgroup -name $user.division -SamAccountName $user.division -GroupCategory Security -GroupScope global -path OU=safetynet,DC=smh,DC=org



Jacob Durham, IT Support Analyst II (Lead Infrastructure Engineer), Asked:

Dustin Saunders, Director of Operations, Commented:
Something like this, with a few notes.

-I dunno how many domain controllers you have, but you may need to wait after new groups are created for it to propagate.  I added 10.
-If user is already in the group, suppress the action, in case you want to run it multiple times.

$rootOU = "OU=safetynet,DC=smh,DC=org"
# Enabled users that have a Division value
$users = Get-ADUser -Filter {enabled -eq $true} -Properties * | ?{ $_.Division -ne $null }

foreach ($user in $users)
{
    $cn = $user.Division
    try
    {
        # Throws when no group with this identity exists
        Get-ADGroup -Identity $cn | Out-Null
    }
    catch
    {
        Write-Host "Creating new group $cn at $rootOU" -ForegroundColor Cyan
        New-ADGroup -Name $cn -SamAccountName $cn -GroupCategory Security -GroupScope Global -Path $rootOU
        # Give the new group time to propagate
        $wait = 0
        while($wait -lt 10)
        {
            Write-Host "Waiting $(10-$wait) seconds for AD propagation" -ForegroundColor Yellow
            Start-Sleep -Seconds 1
            $wait++
        }
    }

    # Skip users who are already members, so the script can be run multiple times.
    # -notcontains also works when the user has only one group (a single string).
    if ((Get-ADPrincipalGroupMembership -Identity $user | select -ExpandProperty name) -notcontains $cn)
    {
        Write-Host "Adding $($user.SAMAccountName) to $cn" -ForegroundColor Green
        Add-ADGroupMember -Identity $cn -Members $user
    }
}
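
A hardened variant of the script above, as an added example that is not part of the original thread or written by either poster. Get-ADGroup -Identity resolves names domain-wide, so a Division value that matches an existing group outside the SafetyNet OU would put users into that group; this version only uses groups located directly in the OU and sends every call to one domain controller, so no propagation wait is needed. Assumptions: the ActiveDirectory module is installed, the OU path is the one from the question, and the PDC emulator is used as the single domain controller.

```powershell
# Added example, not code from the thread.
Import-Module ActiveDirectory

$rootOU = "OU=safetynet,DC=smh,DC=org"
# Assumption: pin all reads and writes to the PDC emulator so a group created
# here is visible to the next call without waiting for replication.
$dc = (Get-ADDomain).PDCEmulator

# Index only the groups that live directly in the SafetyNet OU, keyed by name.
# Groups elsewhere in the domain are never matched or modified.
$groups = @{}
Get-ADGroup -Filter * -SearchBase $rootOU -SearchScope OneLevel -Properties Member -Server $dc |
    ForEach-Object { $groups[$_.Name] = $_ }

# Request only the attribute that is needed instead of -Properties *.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties Division -Server $dc |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_.Division) }

# One pass per division, so each group is looked up or created once.
foreach ($division in ($users | Group-Object { $_.Division.Trim() })) {
    $name = $division.Name
    if (-not $groups.ContainsKey($name)) {
        try {
            # sAMAccountName is unique per domain: creation fails, and the division
            # is skipped, when the name is already used by a group outside the OU.
            $groups[$name] = New-ADGroup -Name $name -SamAccountName $name `
                -GroupCategory Security -GroupScope Global -Path $rootOU `
                -Server $dc -PassThru -ErrorAction Stop
            Write-Host "Created group $name in $rootOU" -ForegroundColor Cyan
        }
        catch {
            Write-Warning "Skipping division '$name': $($_.Exception.Message)"
            continue
        }
    }

    # Add only users whose DN is not already in the group's member list,
    # so the script can be re-run safely.
    $group = $groups[$name]
    $missing = @($division.Group | Where-Object { $group.Member -notcontains $_.DistinguishedName })
    if ($missing.Count -gt 0) {
        Add-ADGroupMember -Identity $group -Members $missing -Server $dc
        Write-Host "Added $($missing.Count) user(s) to $name" -ForegroundColor Green
    }
}
```

Divisions reported by Write-Warning are the ones to review by hand, since their names collide with something that already exists in the domain.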

