Create a SharePoint group with permissions and add an AD group to it

Requirement

  • Create a SharePoint group in a site collection
  • Assign that group an existing permission for Site Permissions list
  • Add an Active Directory group to that SharePoint group
  • Read the values from a CSV file
  • Repeat for 1000 groups spread across multiple site collections
  • The Site Collection Admin will run the script and be added as owner automatically

Solution

# Load the SharePoint cmdlets when the script is not started from the SharePoint Management Shell
if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function global:New-SPGroup {
    # Parameters that the function offers out to use,
    # e.g. New-SPGroup -SiteCollection "http://intranet/sitecollection" -ADGroupName "domain\ADgroup" -SPGroupName "SharePoint Group 1" -SPGroupDescription "Group Description" -SPGroupPermission "Permission"
    [CmdletBinding()]
    Param(
        # A single type constraint only: Get-SPWeb accepts the URL as a string
        [string]$SiteCollection,
        [string]$ADGroupName,
        [string]$SPGroupName,
        [string]$SPGroupDescription,
        [string]$SPGroupPermission
    )

    # Required variables for dev or single item runs: remove the # and highlight from here down to above the CSV section in PowerShell ISE
    #$SiteCollection = "http://site/sitecollection"
    #$ADGroupName = "domain\adgroup"
    #$SPGroupName = "My Test Group A1"
    #$SPGroupDescription = "Test Group A1's Description" # Note: do not use " - " in the description, i.e. space hyphen space
    #$SPGroupPermission = "Read"

    # Start of script
    $site = Get-SPWeb $SiteCollection

    try {
        # Check if the group already exists (look up by the value of $SPGroupName, not the literal string)
        if ($site.SiteGroups[$SPGroupName] -eq $null)
        {
            # Ensure the group/user is part of the site collection users beforehand and add them if needed
            $site.EnsureUser($ADGroupName) | Out-Null

            # Get the AD group/user as an SPUser object; passing the raw string to the group later gives a string error
            $ADGroupSPFriendly = $site | Get-SPUser $ADGroupName

            # Create the SharePoint group: group name, group owner, default member, group description.
            # The AD group cannot be added at creation time (see the errors section below).
            $NewSPGroup = $site.SiteGroups.Add($SPGroupName, $site.CurrentUser, $site.CurrentUser, $SPGroupDescription)
            $site.AssociatedGroups.Add($site.SiteGroups[$SPGroupName])
            # AssociatedGroups is stored on the web, so persist the change
            $site.Update()
            $NewSPAccount = $site.SiteGroups[$SPGroupName]

            # Assign the group its permission level on the site
            $GroupAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($NewSPAccount)
            $GroupRole = $site.RoleDefinitions[$SPGroupPermission]
            $GroupAssignment.RoleDefinitionBindings.Add($GroupRole)
            $site.RoleAssignments.Add($GroupAssignment)

            # Add the AD group/user to the SharePoint group now; doing it during group creation errors in PowerShell
            Set-SPUser -Identity $ADGroupSPFriendly -Web $SiteCollection -Group $SPGroupName
        }
    }
    finally {
        # Release the SPWeb even if one of the steps above throws
        $site.Dispose()
    }
}

# Read from the CSV input file
# The CSV file must have a header row: SiteColl, AdSecGroup, SPSecGroupName, SPGroupDesc, SPGroupPerm
# No quotes around the items in the CSV file are needed
$csv = Import-Csv -Path D:\DEVGroupNameCSVFile2.csv
if ($csv -ne $null) {
    foreach ($line in $csv)
    {
        [string]$SiteCollection = $line.SiteColl
        [string]$ADGroupName = $line.AdSecGroup
        [string]$SPGroupName = $line.SPSecGroupName
        [string]$SPGroupDescription = $line.SPGroupDesc
        [string]$SPGroupPermission = $line.SPGroupPerm

        New-SPGroup -SiteCollection $SiteCollection -ADGroupName $ADGroupName -SPGroupName $SPGroupName -SPGroupDescription $SPGroupDescription -SPGroupPermission $SPGroupPermission
    }
}

I hope someone else finds this script useful since all I found on the web were partial answers at best, and with a few solutions that didn’t match the requirement.

Errors encountered along the way while running the script

“You cannot add a domain group to a group.” – You can however add your AD group to the SharePoint group after it is created, just not while you are creating it. Resolved by the last part of the function.

Exception calling “Add” with “4” argument(s): “The specified name is already in use. Please try again with a new name.” – As it implies, this is a duplicate item in your CSV file (the same group name listed twice for the same site collection).
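Both errors above surface only once the bulk run is already part-way through, and a run over 1000 groups leaves half-created groups behind when it stops. The following preflight check is an added example, not part of the original post or its referenced scripts. It reads the same CSV layout as the script above and reports problems before anything is changed: missing or empty columns, duplicate group names per site collection (the “name is already in use” error), AD principals that do not resolve (checked through the .NET NTAccount translation rather than EnsureUser, so nothing is written to the site), permission levels that do not exist in the target web, and groups that already exist. The $ReviewLevels list is an assumption for this example: it flags rows granting broad levels such as Full Control so an administrator can confirm them before the run, rather than discovering them afterwards in Site Permissions. It assumes the SharePoint Management Shell (the Microsoft.SharePoint.PowerShell snap-in) is loaded.

```powershell
# Added example: preflight validation of the CSV before New-SPGroup touches any site collection.
# Assumes the header row SiteColl, AdSecGroup, SPSecGroupName, SPGroupDesc, SPGroupPerm.
function Test-SPGroupCsv {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)][string]$Path,
        # Permission levels worth a second look before mass assignment (assumed list for this example)
        [string[]]$ReviewLevels = @('Full Control', 'Design')
    )
    $required = 'SiteColl', 'AdSecGroup', 'SPSecGroupName', 'SPGroupDesc', 'SPGroupPerm'
    $rows = @(Import-Csv -Path $Path)
    $problems = @()

    if ($rows.Count -eq 0) { return @("CSV file '$Path' contains no data rows") }

    # 1. Header check: every column the bulk loop reads must be present
    $headers = $rows[0].PSObject.Properties.Name
    foreach ($h in $required) {
        if ($headers -notcontains $h) { $problems += "Missing column: $h" }
    }
    if ($problems.Count -gt 0) { return $problems }

    # 2. Duplicate group names within one site collection (causes the 'name already in use' error)
    $rows | Group-Object -Property SiteColl, SPSecGroupName | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $problems += "Duplicate group '$($_.Name)' appears $($_.Count) times" }

    $lineNo = 1   # line 1 is the header row
    foreach ($row in $rows) {
        $lineNo++

        # 3. Empty fields
        foreach ($h in $required) {
            if ([string]::IsNullOrWhiteSpace($row.$h)) { $problems += "Line ${lineNo}: empty $h" }
        }

        # 4. AD principal resolves to a SID; unlike EnsureUser this does not add anything to the site
        try {
            $account = New-Object System.Security.Principal.NTAccount($row.AdSecGroup)
            $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            $problems += "Line ${lineNo}: cannot resolve AD principal '$($row.AdSecGroup)'"
        }

        # 5. Target web opens, permission level exists there, and the group name is still free
        $web = $null
        try {
            $web = Get-SPWeb $row.SiteColl -ErrorAction Stop
            $level = $web.RoleDefinitions | Where-Object { $_.Name -eq $row.SPGroupPerm }
            if (-not $level) {
                $problems += "Line ${lineNo}: permission level '$($row.SPGroupPerm)' not found in $($row.SiteColl)"
            } elseif ($ReviewLevels -contains $level.Name) {
                $problems += "Line ${lineNo}: grants '$($level.Name)' to $($row.AdSecGroup); confirm this is intended"
            }
            if ($web.SiteGroups | Where-Object { $_.Name -eq $row.SPSecGroupName }) {
                $problems += "Line ${lineNo}: group '$($row.SPSecGroupName)' already exists in $($row.SiteColl)"
            }
        } catch {
            $problems += "Line ${lineNo}: cannot open web '$($row.SiteColl)': $($_.Exception.Message)"
        } finally {
            if ($web) { $web.Dispose() }
        }
    }
    return $problems
}

# Usage: run before the bulk loop; an empty result means every row passed the checks
$issues = Test-SPGroupCsv -Path 'D:\DEVGroupNameCSVFile2.csv'
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'CSV passed preflight checks'
}
```

The function only opens and disposes SPWeb objects; it makes no changes, so it can be re-run until the CSV is clean. Rows flagged under the review list are not errors, they are the rows whose permission grant an administrator should be able to justify, since each one hands an entire AD group that level of access on the site.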

References

Basis for script:

http://sharepointryan.com/2011/07/20/create-sharepoint-groups-using-powershell/

http://addictedtosharepoint.com/2011/07/23/adding-a-security-group-to-a-sharepoint-site-via-powershell/

http://www.iotap.com/Blog/tabid/673/entryid/154/Powershell-script-for-Adding-Active-Directory-Users-to-Sharepoint-2010-Groups.aspx

http://get-spscripts.com/2011/02/add-sharepoint-or-ad-groupuser-to-all.html

http://stackoverflow.com/questions/4512548/how-to-add-ad-group-to-sharepoint-2010-spgroup-programmatically

http://shpstuff.blogspot.co.uk/2012/05/create-groups-in-site-collection-using.html

http://stackoverflow.com/questions/3713497/how-to-get-spuser-object-using-user-id-domain-name-userid

Additional information that you might find useful:

http://sharepoint.stackexchange.com/questions/20739/add-users-to-sp-group

http://social.msdn.microsoft.com/Forums/eu/sharepointdevelopment/thread/2df1f82b-ba04-4378-9df8-6fb0bf8eeaa3

http://www.learningsharepoint.com/forum/sharepoint-2010-programming/add-user-with-powershell-in-sharepoint-2010-site/

http://social.technet.microsoft.com/forums/en-GB/sharepointadminprevious/thread/c9e11537-6b1a-46f6-b030-395f8ed1fbf7

http://social.technet.microsoft.com/forums/en-ZA/sharepointgeneralprevious/thread/0632b071-617f-4e93-bd06-ed85ab7ef4a6
