An Active Directory group is a special type of object in AD that is used to group together other directory objects. In other words, group is a way of collecting users, computers, groups and other objects into a managed unit. Active Directory groups can be used to grant permissions to access resources, delegate AD administrative tasks, link Group Policy Objects, and in e-mail distribution lists. In this article, we’ll talk about the different types of Active Directory groups, the differences between them, group scopes, and will show you how to create AD groups and manage them in several ways.
Group Types and Scopes in Active Directory
When you create a new group in Active Directory using the dsa.msc graphical snap-in, you must select a Group Type and Group Scope.
Active Directory group types
There are two types of Active Directory group, each with three scopes:
- Security Group — this type of group is used to provide access to resources (security principal). For example, you might want to allow a particular group to read files on a shared network folder. To do this, you need to create a security group, edit the share permissions, and add this group to the DACL;
- Distribution Group — used to create e-mail distribution lists (usually used in Microsoft Exchange Server and in Outlook). An e-mail sent to such a group will reach all users (recipients) in the group. This type of group cannot be used to provide access to domain resources, because they are not security enabled.
Note. You can assign email attribute to the security group and use it in distribution lists by converting it to a mail-enabled security group (but it is not recommended).
Active Directory group scopes
There are three group scopes in Active Directory:
- Domain local — used to manage access permissions to various domain only in the domain where it was created. A local domain group cannot be used in other domains (however, a local group may include users from another domain). A local group can be included in another local group, but it cannot be added to the global group;
- Global — used to grant access to resources in another domain. You can only add accounts to this group from the same domain in which the group was created. A global group can be added to other global and local groups;
- Universal — recommended for use in large Active Directory forests. Universal Group allows you to define roles and manage resources distributed across multiple domains. It is desirable to use universal groups only for rarely changing groups. This is because changing the Universal Group causes the Global Catalog to be replicated throughout the organization.
Hint. AD groups can be members of other groups. This is called nested groups. Nested groups are a useful way to manage in AD based on business roles and functions.
There are also local groups. These groups are created in the local Security Accounts Administrator (SAM) database on each computer. The difference from domain groups is that local groups work even if an Active Directory domain controller cannot be contacted.
You can change the Scope or Type of the AD group. But there are some conditions:
- You can convert a Global Security Group to a Universal if the group is not part of another Global group;
- You can convert a Local domain group to a Universal one if it does not contain another local domain group as a member;
- A Universal group can be converted to a Local domain group without any restrictions;
- A Universal group can be transformed into a Global one if it does not include another universal group as a member.
Active Directory Built-in Groups
When you create a new AD domain, several predefined (built-in) security groups are created with a DomainLocal scope. These predefined groups can be used to control access to shared resources and delegate specific administrative permissions on the domain level. The default AD groups are located in a special AD container Builtin.
Note. You cannot add built-in AD groups to each other.
You can list the predefined AD group using PowerShell:
Get-ADGroup -SearchBase 'CN=Builtin,DC=theitbros,DC=com' -Filter * | Format-Table Name,GroupScope,GroupCategory,SID -AutoSize
Administrators DomainLocal Security S-1-5-32-544 Users DomainLocal Security S-1-5-32-545 Guests DomainLocal Security S-1-5-32-546 Print Operators DomainLocal Security S-1-5-32-550 Backup Operators DomainLocal Security S-1-5-32-551 Replicator DomainLocal Security S-1-5-32-552 Remote Desktop Users DomainLocal Security S-1-5-32-555 Network Configuration Operators DomainLocal Security S-1-5-32-556 Performance Monitor Users DomainLocal Security S-1-5-32-558 Performance Log Users DomainLocal Security S-1-5-32-559 Distributed COM Users DomainLocal Security S-1-5-32-562 IIS_IUSRS DomainLocal Security S-1-5-32-568 Cryptographic Operators DomainLocal Security S-1-5-32-569 Event Log Readers DomainLocal Security S-1-5-32-573 Certificate Service DCOM Access DomainLocal Security S-1-5-32-574 RDS Remote Access Servers DomainLocal Security S-1-5-32-575 RDS Endpoint Servers DomainLocal Security S-1-5-32-576 RDS Management Servers DomainLocal Security S-1-5-32-577 Hyper-V Administrators DomainLocal Security S-1-5-32-578 Access Control Assistance Operators DomainLocal Security S-1-5-32-579 Remote Management Users DomainLocal Security S-1-5-32-580 Server Operators DomainLocal Security S-1-5-32-549 Account Operators DomainLocal Security S-1-5-32-548 Pre-Windows 2000 Compatible Access DomainLocal Security S-1-5-32-554 Incoming Forest Trust Builders DomainLocal Security S-1-5-32-557 Windows Authorization Access Group DomainLocal Security S-1-5-32-560 Terminal Server License Servers DomainLocal Security S-1-5-32-561
Please note that the built-in AD groups use a special SID format: S-1-5-32-xxx (xxx from 500 to 1000). For regular AD groups, the SID looks like this: S-1-5-21-yyy-zzz, where yyy is the domain identifier, zzz – Relative ID (RID).
There are also some built-in privileged groups in Active Directory such as Domain Admins, Enterprise Admins, DnsAdmins, etc.
How to Create a Group in Active Directory with the ADUC Snap-in
You must be a member of the Account Operators, Domain Admins, or Enterprise Admins group to create, modify, or delete a group in Active Directory. You can also delegate the privileges to manage groups in specific OUs to non-admin users.
The easiest way to create a new group in the AD domain is to use the Active Directory Users and Computers snap-in. Go to the target AD Organizational Unit in which you want to create the group, right-click on it, and select New > Group.
Specify a unique group name, select the group type and scope, and click OK.
In order to add an object to the group members, go to the Members tab and use the Add button to add users, computers, or other groups.
Note that when adding members to a group, searches are performed only for the following types of objects: Users, Groups, and Service Accounts. If you want to add an AD object to the security group (such as a computer or contact), click the Object Types, and check the options Contacts and Computers. You can now select any type of Active Directory object.
You can also add a user to the group by right-clicking on it and selecting the item Add to a group. This is useful if you need to add users to a group in bulk.
Note that on the Member tab, in the properties of any Active Directory user, its Primary Group is specified. Primary group ID was used to support the UNIX POSIX model to control access to resources. In Active Directory, the PrimaryGroupID attribute for a user must be the RID (relative identifier) of the group to which the user is to be associated. By default, all Active Directory users have a PrimaryGroupID of 513 (Domain User group).
Only Global or Universal security groups can be specified as the primary group.
In most cases, you should not change the Primary Group attribute except in special cases related to POSIX applications and Mac clients.
You can also create new security groups from the graphical Active Directory Administrative Center (dsac.exe). Right-click on the domain name or OU and select New > Group.
Fill in the following mandatory fields:
- Group name.
- Group Scope (Global/Domain local/Universal).
- Group type (Security/Distribution).
Here you can also set a description for the group, enable/disable the Protect from accidental deletion option, add users to the group, etc.
Click OK to create the group.
To remove a user from a group, search for the group by name using Global Search, and open its properties. Go to the Members tab, select the user you want to remove and click the Remove button. Click OK to save your changes.
Create and Modify Active Directory Group Using PowerShell
To create Active Directory groups, use the PowerShell New-ADGroup cmdlet from the Active Directory for Windows PowerShell module.
The type of the group (Security or Distribution) is specified using the -GroupCategory argument. The scope of the group is specified using the -GroupScope parameter (valid values: DomainLocal, Global, or Universal).
You can use the command to create a new global distribution group in the target OU:
New-ADGroup -Path "OU=Groups,OU=Brasil,DC=theitbros,DC=com" -Name "BrasilUsers" -GroupScope Global -GroupCategory Distribution
To find all the distribution groups in your domain, use the following cmdlet:
Get-ADGroup -Filter 'groupcategory -eq "Distribution"'
Use the following command to a new security group:
New-ADGroup –Name RemoteAccessUsers -GroupScope Universal -GroupCategory Security -Path "OU=Groups,OU=USA,DC=theitbros,DC=com"
You can change Active Directory group attributes using the Set-ADGroup cmdlet. For example, you want to add a description to the security group you have created earlier:
Set-ADGroup RemoteAccessUsers –Description “Users that can access corporate network over DirectAccess and VPN server”
In addition, you can use the Set-ADGroup cmdlet to change the scope of the group. For example, use the following command to convert the Global Distribution group to the Universal Security group type:
Get-AdGroup RemoteAccessUsers | Set-ADGroup -GroupScope Universal -GroupCategory Security
Now you can add users to this group using Add-ADGroupMember cmdlet:
Add-ADGroupMember RemoteAccessUsers -Members user1,user2,user3
To remove a user from an AD group, use the Remove-ADGroupMember cmdlet:
Remove-ADGroupMember -Identity RemoteAccessUsers -Members user1, user2
Confirm the user membership removal by pressing Y > Enter.
To completely remove an Active Directory group, run:
Remove-ADGroup -Identity RemoteAccessUsers
When you delete a group, you will be prompted to confirm the deletion. To disable removal confirmation, add the Confirm parameter:
Remove-ADGroup -Identity RemoteAccessUsers –Confirm:$false
To get all the information about the specified group, use the Get-ADGroup cmdlet:
get-adgroup 'domain admins’
DistinguishedName : CN=Domain Admins,CN=Users,DC=theitbros,DC=com GroupCategory : Security GroupScope : Global Name : Domain Admins ObjectClass : group ObjectGUID : f04fbf5d-c917-43fb-9235-b214f6ea4156 SamAccountName : Domain Admins SID : S-1-5-21-3243688314-1360023605-3291231821-512
You can calculate the total number of users in the group:
(Get-ADGroupMember -Identity 'Domain Admin').Count
You can list (export) members of the Active Directory group using the Get-ADGroupMember cmdlet.
To list the AD groups that the user account belongs to (including AD nested groups), run the command:
Get-ADUser jbrion -properties memberof | select memberof -expandproperty memberof
Sometimes you need to copy a user’s membership in a large number of AD groups. If the user is a member of a large number of groups, doing this manually is very tedious. To copy all the security groups from one domain user and add them to another user account, use the following PowerShell script:
$SourceADUser= “j.brion" $TargetADUser=”b.semenov” $SourceADGroups = Get-ADPrincipalGroupMembership -Identity $SourceADUser Add-ADPrincipalGroupMembership -Identity $TargetADUser -MemberOf $SourceADGroups
Another useful example. Let’s try to find all AD groups containing *Admin* in the name, and display users who are members of these groups (to display only unique accounts, use the –Unique parameter):
Get-ADGroup -filter 'SamAccountName -like "*Admin*"' | Get-ADGroupMember -recursive|Select-Object -Unique
If the group includes users from other forests, the Get-ADGroupMember cmdlet will return an error:
Get-ADGroupMember : The specified directory service attribute or value does not exist
Hint. The Get-ADGroupMember cmdlet does not support cross-AD forest users.
If you want to get a Primary group ID, use the following PowerShell script:
$ADdomainSID = Get-ADDomain | Select-Object -ExpandProperty DomainSID | Select-Object -ExpandProperty Value Get-ADGroup -Identity $($ADdomainSID + "-" + $primaryGroupID)
Active Directory functional levels of Windows Server 2012 R2 and newer support Time-based group membership. This feature allows administrators to assign temporary group membership, which is expressed as a Time to Live (TTL) value. This value will be added to the Kerberos ticket. This is also called the expiring links feature.
You can temporarily add a user to a group using PowerShell. For example, you want to add a user to a security group for only 2 days to assign temporary permissions. Run the following PowerShell command:
Add-ADGroupMember -Identity g_CA_Sales -Members b.jackson -MemberTimeToLive (New-TimeSpan -Days 2)
After two days, the user account will be automatically removed from the group. To view the remaining time (in seconds) that a user will remain in a group:
Get-ADGroup g_CA_Sales -Property member -ShowMemberTimeToLive
In this article, you’ve learned about groups in Active Directory. We’ve covered group types in Active Directory and Scopes, how to create and manage groups using the ADUC GUI and PowerShell.
