
Active Directory Group Types

An Active Directory group is a collection of Active Directory objects. A group can contain users, computers, other groups, and other AD objects, and the administrator manages it as a single object. In Windows there are 7 types of groups: two domain group types with three scopes each, plus local security groups. In this article, we'll look at the different types of Active Directory groups, the differences between them, group scopes, and several ways to create AD groups.

Types of Active Directory Groups

There are two types of AD groups:

  • Active Directory Security Groups. This type of group is used to provide access to resources. For example, to grant a set of users access to files in a shared folder, you create a security group, add the users to it, and grant permissions to the group;
  • Active Directory Distribution Groups. This type of group is used to create e-mail distribution lists (usually in Microsoft Exchange Server). An e-mail sent to such a group reaches every user in the group. This type of group cannot be used to provide access to domain resources, because distribution groups are not security enabled.

Note. Security groups can also be given e-mail attributes and used in mailing lists, but this is not recommended.

For each type of group, there are three group scopes:

Domain local. Used to manage access permissions to resources (files, folders, and other types of resources) only in the domain where the group was created. A domain local group cannot be used in other domains (however, it may include users from another domain). A domain local group can be a member of another domain local group, but it cannot be a member of a global group.

Global. This group scope can be used to provide access to resources in another domain. Only accounts from the domain in which the group was created can be added to it. A global group can be a member of other global groups and of domain local groups.

Universal. Recommended for large Active Directory forests. Using this group scope, you can define roles and manage resources that are distributed across multiple domains. If your network has many branches connected by WAN links, use universal groups only for groups whose membership rarely changes, because every change to a universal group is replicated through the global catalog across the whole enterprise.

There are also local groups. These are created in the local Security Account Manager (SAM) database of a single computer. The difference from domain groups: local groups keep working even when no domain controller is available.
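Before relying on the scope and category rules above, it helps to see what already exists in the domain. The following script is an added example (not from the original article): it inventories every domain group by category and scope, lists distribution groups (which cannot grant access, so nobody should be counting on one for permissions), and flags large universal groups whose membership changes replicate through the global catalog. It assumes the ActiveDirectory PowerShell module (RSAT) and an account that can read group objects; the review threshold of 50 members is an assumed value.

```powershell
# Added example, not part of the original article.
# Inventory domain groups by category and scope and flag the cases the
# scope rules make interesting. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Members and Description are not returned by default, so request them.
$groups = Get-ADGroup -Filter * -Properties Members, Description

# Summary: how many groups of each Category/Scope combination exist.
$groups |
    Group-Object GroupCategory, GroupScope |
    Select-Object @{ n = 'Category/Scope'; e = { $_.Name } }, Count |
    Sort-Object 'Category/Scope' |
    Format-Table -AutoSize

# Distribution groups are not security enabled and cannot grant access.
# List them so that no share or folder owner assumes one of them does.
# (Set-ADGroup -GroupCategory Security converts a group if access control
# was actually the intent.)
Write-Host "`nDistribution groups (cannot be used for permissions):"
$groups |
    Where-Object { $_.GroupCategory -eq 'Distribution' } |
    Select-Object Name, GroupScope, @{ n = 'MemberCount'; e = { $_.Members.Count } } |
    Format-Table -AutoSize

# Universal groups: each membership change replicates to every global
# catalog server in the forest, so large ones deserve review.
$threshold = 50   # assumed review threshold; adjust for your environment
Write-Host "`nUniversal groups with more than $threshold members:"
$groups |
    Where-Object { $_.GroupScope -eq 'Universal' -and $_.Members.Count -gt $threshold } |
    Select-Object Name, GroupCategory,
        @{ n = 'MemberCount'; e = { $_.Members.Count } }, Description |
    Sort-Object MemberCount -Descending |
    Format-Table -AutoSize
```

The Members property is read directly from the group object rather than through Get-ADGroupMember, so the script only counts direct members (nested groups count as one member) and does not hit the membership size limits that Get-ADGroupMember can run into on very large groups.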

Creating a Group Using the ADUC snap-in

The easiest way to create a new group is to use the Active Directory Users and Computers graphical console. Go to the AD organizational unit in which you want to create the group, right click on it and select New > Group.

Specify the group name, select the group type and scope, and click OK.

To add a user to the group, locate the group in the Active Directory Users and Computers console and double-click on it. In the group properties window, click the Members tab and use the Add button to add users, computers, or other groups.

You can also add a user to a group by right-clicking the user account and selecting Add to a group. This is handy when you need to add several users to a group at once.

How to Create Active Directory Groups Using PowerShell

To create Active Directory groups from PowerShell, use the New-ADGroup cmdlet.
The group type (Security or Distribution) is specified with the -GroupCategory parameter, and the group scope with the -GroupScope parameter (valid values: DomainLocal, Global, or Universal).

To create a new global distribution group in the specified OU, you can use the command:

New-ADGroup -Path "OU=Groups,OU=Brasil,DC=theitbros,DC=com" -Name "BrasilUsers" -GroupScope Global -GroupCategory Distribution

Using the following command, you can create a new security group:

New-ADGroup -Name RemoteAccessUsers -GroupScope Universal -GroupCategory Security -Path "OU=Groups,OU=USA,DC=theitbros,DC=com"

Now you can add users to this group using the Add-ADGroupMember cmdlet:

Add-ADGroupMember RemoteAccessUsers -Members user1,user2,user3

You can list members of Active Directory groups using this method.
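The commands above create one group and add users to it. The script below is an added example (not from the original article) that carries the same cmdlets through a complete procedure and goes a step further than the text: it creates a global security group for a role and a domain local security group for a resource, nests the global group into the domain local one (the usual AGDLP layout that follows the scope rules described earlier), adds users, checks that the resource group is actually security enabled before it is used for permissions, and verifies the effective membership. The OU path is the one used in the article; the group names, user names, and description text are placeholders, and the ActiveDirectory module (RSAT) plus rights to create groups in that OU are assumed.

```powershell
# Added example, not part of the original article.
# Role group (Global) nested into a resource group (DomainLocal): AGDLP.
# Assumes the ActiveDirectory module (RSAT) and rights to create groups.
Import-Module ActiveDirectory

$ou        = 'OU=Groups,OU=USA,DC=theitbros,DC=com'   # OU from the article
$roleGroup = 'Finance-Users'                          # placeholder name
$aclGroup  = 'FS01-Finance-Modify'                    # placeholder name
$users     = 'user1', 'user2', 'user3'                # placeholder accounts

function New-GroupIfMissing {
    # Idempotent helper: return the existing group, or create it.
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('DomainLocal', 'Global', 'Universal')][string]$Scope,
        [ValidateSet('Security', 'Distribution')][string]$Category,
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = ''
    )
    $existing = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path
    if ($existing) { return $existing }
    New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
        -GroupCategory $Category -Path $Path -Description $Description -PassThru
}

# Role group: Global scope, so it can be granted access in other domains,
# but it may only contain accounts from this domain.
$role = New-GroupIfMissing -Name $roleGroup -Scope Global -Category Security `
    -Path $ou -Description 'Finance department staff (role group)'

# Resource group: DomainLocal scope. This is the group that goes into the ACL
# on the file server; it lives only in this domain.
$acl = New-GroupIfMissing -Name $aclGroup -Scope DomainLocal -Category Security `
    -Path $ou -Description 'Modify rights on \\FS01\Finance (placeholder share)'

# Guard: only a security-enabled group can carry permissions. A Distribution
# group here would silently grant nothing.
if ($acl.GroupCategory -ne 'Security') {
    throw "$aclGroup is a $($acl.GroupCategory) group and cannot be used in an ACL"
}

# Nest the Global group inside the DomainLocal group. The reverse direction
# (DomainLocal inside Global) is rejected by AD, per the scope rules.
Add-ADGroupMember -Identity $acl -Members $role

# Users go into the role group, never directly into the resource group.
Add-ADGroupMember -Identity $role -Members $users

# Verify: direct members of the resource group (should be the role group),
# then the effective user accounts resolved through the nesting.
Write-Host "Direct members of $aclGroup"
Get-ADGroupMember -Identity $acl | Select-Object Name, objectClass | Format-Table -AutoSize

Write-Host "Effective members of $aclGroup (recursive)"
Get-ADGroupMember -Identity $acl -Recursive | Select-Object SamAccountName | Format-Table -AutoSize
```

Keeping users in the role group and permissions on the resource group means a person who changes department is moved between role groups, and the ACL on the share never has to be touched; the recursive Get-ADGroupMember call is the quick way to confirm who ends up with access after such a change.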
