Active Directory Groups Types

The Active Directory groups are a collection of Active Directory objects. The group can include users, computers, other groups, and other AD objects. The administrator manages the group as a single object. In Windows, there are 7 types of groups: two domain group types with three scope in each and a local security group. In this article, we’ll talk about the different types of Active Directory groups, the differences between them, group scopes, and will show you how to create AD groups and manage them in several ways.

Types of Active Directory Groups

Active Directory groups can be used:

  • To simplify the administration by assigning share (resource) permissions to a group rather than individual users. When you assign permissions to a group, all of its members have the same access to the resource;
  • To delegate Active Directory administrative tasks by assigning permissions to a group. In the future, you can add new members to the group who need the permissions granted by this group;
  • Link Group Policy objects (GPOs) to groups to apply custom settings by using Security Filtering or Group Policy Preferences Item-Level Targeting;
  • To create email distribution lists.

There are two types of AD groups:

  • Active Directory Security Groups. This type of group is used to provide access to resources (security principal). For example, you want to grant a specific group access to files on a network shared folder. To do this, you need to create a security group;
  • Active Directory Distribution Groups. This type of group is used to create email distribution lists (usually used in Microsoft Exchange Server). An e-mail sent to such a group will reach all users (recipients) in the group. This type of group cannot be used to provide access to domain resources, because they are not security enabled.

Note. You can assign an email attribute to the security group (by converting it to a mail-enable security group) and use it in mailing lists (but it is not recommended).

Technically, Distribution groups differ from Security Enabled groups by one bit in the groupType attribute. For a Security group, this attribute will contain the SECURITY_ENABLED bit.


There are three group scopes for each group type:

  • Domain local. Used to manage access permissions to different domain resources (files and folders NTFS permissions, remote desktop access, providing Windows privileges, using in GPO security filtering, etc.) only in the domain where it was created. A local group cannot be used in other domains (however, a local group may include users from another domain). A local group can be contained in another local group, but it cannot be added to the global group;
  • Global. This group type can be used to provide access to resources in another domain. In this group, you can add only accounts from the same domain in which the group was created. A global group can be added to other global and local groups;
  • Universal. It is recommended to use it in large Active Directory forests. Using this group scope, you can define roles and manage resources that are distributed across multiple domains. If your network has many branches connected by WAN channels, it is desirable to use universal groups only for rarely changing groups. Because changing the universal group causes the Global Catalog to be replicated throughout the whole enterprise.

Hint. AD groups can be members of other groups. This is called nested groups. Nested groups are a useful way to manage in AD based on business roles and functions.

There are also local groups. These groups are created in the local Security Accounts Administrator (SAM) database on the specific computer. The difference from domain groups: local groups work even if the domain controllers cannot be contacted.

You can change the AD Group’s Scope or Type. But there are several conditions:

  • You can convert Global Security Group to a Universal if the group is not part of another global group;
  • You can convert a local domain group into a universal one if another local domain group is not added to the list of its members;
  • A universal group can be converted to a local domain group without any restrictions;
  • A universal group can be transformed into a global one if it does not contain another universal group as a member.

Default (Built-in) AD Domain Groups

When you create a new AD domain, several predefined (built-in) security groups with a DomainLocal scope are created. These predefined groups can be used to control access to shared resources and delegate specific administrative permissions on the domain level. Default AD groups are located in a special AD container Builtin.

active directory groups

Only user accounts can be added to these groups: you cannot add built-in AD group to each other (group nesting), or add user-defined domain groups to them.

You can list the predefined AD group using PowerShell:

Get-ADGroup -SearchBase 'CN=Builtin,DC=theitbros,DC=com' -Filter * | Format-Table Name,GroupScope,GroupCategory,SID -AutoSize

ad groups

Administrators DomainLocal Security S-1-5-32-544

Users DomainLocal Security S-1-5-32-545

Guests DomainLocal Security S-1-5-32-546

Print Operators DomainLocal Security S-1-5-32-550

Backup Operators DomainLocal Security S-1-5-32-551

Replicator DomainLocal Security S-1-5-32-552

Remote Desktop Users DomainLocal Security S-1-5-32-555

Network Configuration Operators DomainLocal Security S-1-5-32-556

Performance Monitor Users DomainLocal Security S-1-5-32-558

Performance Log Users DomainLocal Security S-1-5-32-559

Distributed COM Users DomainLocal Security S-1-5-32-562

IIS_IUSRS DomainLocal Security S-1-5-32-568

Cryptographic Operators DomainLocal Security S-1-5-32-569

Event Log Readers DomainLocal Security S-1-5-32-573

Certificate Service DCOM Access DomainLocal Security S-1-5-32-574

RDS Remote Access Servers DomainLocal Security S-1-5-32-575

RDS Endpoint Servers DomainLocal Security S-1-5-32-576

RDS Management Servers DomainLocal Security S-1-5-32-577

Hyper-V Administrators DomainLocal Security S-1-5-32-578

Access Control Assistance Operators DomainLocal Security S-1-5-32-579

Remote Management Users DomainLocal Security S-1-5-32-580

Server Operators DomainLocal Security S-1-5-32-549

Account Operators DomainLocal Security S-1-5-32-548

Pre-Windows 2000 Compatible Access DomainLocal Security S-1-5-32-554

Incoming Forest Trust Builders DomainLocal Security S-1-5-32-557

Windows Authorization Access Group DomainLocal Security S-1-5-32-560

Terminal Server License Servers DomainLocal Security S-1-5-32-561

Please note that the built-in AD groups use a special SID format: S-1-5-32-xxx (xxx from 500 to 1000). For regular AD groups, the SID looks like this: S-1-5-21-yyy-zzz, where yyy is the domain identifier, zzz – Relative ID (RID).

Active Directory Group Naming Convention Best Practices

Group names in Active Directory domain should be descriptive, meaningful, and simple. Considering that sometimes all three conditions may seem impossible, you can compose group names according to the following rules:

  • Use only English characters for group names;
  • For the first letter of the group name, use the letter that indicates the group type (G, D, or U). You can find out the group type in the group properties in ADUC, but it is convenient to see the group type in the name;
  • In the name of the global group, specify the name of the department for which you are creating this group. For example, Store, Marketing, Shop, Managers, etc,;
  • In the domain local group name, specify the purpose of the group and the type of access permission (R/RW). Since domain local groups are used to set access permissions to various resources, this should be reflected in the group name.

Creating a Group Using the ADUC Snap-in

The easiest way to create a new group in the AD domain is to use the Active Directory Users and Computers graphical console. Go to the AD organizational unit in which you want to create the group, right-click on it, and select New > Group.

active directory group types

Specify a unique group name, select the group type and scope, and click OK.

ad group types

To add a user to the group, search for the group name in the Active Directory Users and Computers console and double-click on it. In the group properties window, click the Members tab and use the Add button to add users, computers, or other groups.

active directory group

Note that when adding members to a group, searches are performed only for the following types of objects: Users, Groups, and Service Accounts. If you want to add an AD object to the security group (such as a computer or contact), click the Object Types, and check the options Contacts and Computers. Now you can select all types of Active Directory objects.


ad group type

You can also add a user to the group by right-clicking on it and selecting the item Add to a group. This is quite handy when you need to bulk add users to a group.

ad group

Note that on the Member tab, in the properties of any Active Directory user, its Primary Group is specified. Primary group ID was used to support the UNIX POSIX model to control access to resources. In Active Directory, the PrimaryGroupID attribute for a user must be the RID (relative identifier) of the group to which the user is to be associated. By default, all Active Directory users have a PrimaryGroupID of 513 (Domain User group).

Global or universal security groups can be specified as the primary group. This means you cannot specify a local domain or any distribution group as the primary group.

Not all resources support a primary-group-id setting. In most cases, you should not change the Primary Group attribute except in special cases related to POSIX applications and Mac clients.

types of groups in active directory

You can also create new groups from the graphical Active Directory Administrative Center (dsac.exe). Right-click on the domain name or OU and select New > Group.


active directory user groups

Fill in the following mandatory fields:

  • Group name.
  • Group Scope (Global/Domain local/Universal).
  • Group type (Security/Distribution).

Here you can also set a description for the group, enable/disable the Protect from accidental deletion option, add users to the group, etc.

Click OK to create the group.

groups in active directory

To remove a user from a group, search for the group by name using Global Search and open its properties. Go to the Members tab, select the user you want to remove and click the Remove button. Click OK to save your changes.

what is an ad group

How to Create and Modify Active Directory Groups Using PowerShell?

To create Active Directory groups, use the PowerShell New-ADGroup cmdlet from the Active Directory for Windows PowerShell module. Install the Active Directory PowerShell module and import module cmdlets to your PowerShell session:

Import-Module ActiveDirectory

The type of the Security or Distribution group is specified using the -GroupCategory argument. The scope of the group is specified using the –GroupScope parameter (valid values: DomainLocal, Global, or Universal).

To create a new global distribution group in the target OU, you can use the command:

New-ADGroup -Path "OU=Groups,OU=Brasil,DC=theitbros,DC=com" -Name "BrasilUsers" -GroupScope Global -GroupCategory Distribution

If you want to find all distribution groups in your domain, use the following cmdlet:

Get-ADGroup -Filter 'groupcategory -eq "Distribution"'

Using the following command, you can create a new security group:

New-ADGroup –Name RemoteAccessUsers  -GroupScope Universal -GroupCategory Security -Path "OU=Groups,OU=USA,DC=theitbros,DC=com"

You can change Active Directory group attributes using the Set-ADGroup cmdlet. For example, you want to add a description to the security group you have created earlier:

Set-ADGroup RemoteAccessUsers –Description “Users that can access corporate network over DirectAccess and VPN server”

Now you can add users to this group using Add-ADGroupMember cmdlet:

Add-ADGroupMember RemoteAccessUsers  -Members user1,user2,user3

To remove a user from an AD group, use the Remove-ADGroupMember cmdlet:

Remove-ADGroupMember -Identity RemoteAccessUsers  -Members user1, user2

Confirm the user membership removal by pressing Y > Enter.

To completely remove an Active Directory group, run:

Remove-ADGroup -Identity RemoteAccessUsers 

When you delete a group, you will be prompted to confirm the deletion. To disable removal confirmation, add the Confirm parameter:

Remove-ADGroup -Identity RemoteAccessUsers  –Confirm:$false

To get all the information about the specified group, use the Get-ADGroup cmdlet:

get-adgroup 'domain admins’

active directory group type

DistinguishedName : CN=Domain Admins,CN=Users,DC=theitbros,DC=com

GroupCategory : Security

GroupScope : Global

Name : Domain Admins

ObjectClass : group

ObjectGUID : f04fbf5d-c917-43fb-9235-b214f6ea4156

SamAccountName : Domain Admins

SID : S-1-5-21-3243688314-1360023605-3291231821-512

You can calculate the total number of users in the group:

(Get-ADGroupMember -Identity 'Domain Admin').Count

You can list (export) members of the Active Directory group using the Get-ADGroupMember cmdlet.

To list the AD groups that the user account belongs to (including nested groups), run the command:

Get-ADUser jbrion -properties memberof | select memberof -expandproperty memberof

ad group meaning

Sometimes the task arises to copy a user’s membership in a large number of AD groups. If the user is a member of a large number of groups, doing it manually is very tedious. To copy all security groups from one domain user and add them to another user account, use the following PowerShell script:

$SourceADUser= “j.brion"


$SourceADGroups = Get-ADPrincipalGroupMembership -Identity $SourceADUser

Add-ADPrincipalGroupMembership -Identity $TargetADUser -MemberOf $SourceADGroups

Another useful example. Let’s try to find all AD groups containing *Admin* in the name, and display users who are members of these groups (to display only unique accounts, use the –Unique parameter):

Get-ADGroup -filter 'SamAccountName -like "*Admin*"' | Get-ADGroupMember -recursive|Select-Object -Unique

If the group includes users from other forests, the Get-ADGroupMember cmdlet will return an error:

Get-ADGroupMember : The specified directory service attribute or value does not exist

Hint. The Get-ADGroupMember cmdlet does not support cross-AD forest users.

If you want to get a Primary group ID, use the following PowerShell script:

$ADdomainSID = Get-ADDomain | Select-Object -ExpandProperty DomainSID | Select-Object -ExpandProperty Value

Get-ADGroup -Identity $($ADdomainSID + "-" + $primaryGroupID)

Active Directory functional levels of Windows Server 2012 R2 and newer support Time-based group membership. This feature allows administrators to assign temporary group membership, which is expressed as a Time to Live (TTL) value. This value will be added to the Kerberos ticket. This is also called the expiring links feature.

You can add a user to a group temporarily using PowerShell. For example, you want to add a user to a security group for only 2 days to assign temporary permissions. Run the following PowerShell command:

Add-ADGroupMember -Identity g_CA_Sales -Members b.jackson -MemberTimeToLive (New-TimeSpan -Days 2)

After two days, the user account will be automatically removed from the group. To view the remaining time (in seconds) that a user will remain in a group, run:

Get-ADGroup g_CA_Sales -Property member -ShowMemberTimeToLive

types of ad groups

In this article, you’ve learned about groups in Active Directory. We’ve covered group types and scope, how to create and manage groups using the ADUC GUI and Windows PowerShell Management Shell.

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Latest posts by Cyril Kardashevsky (see all)

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.