An Active Directory group is a collection of Active Directory objects. A group can include users, computers, other groups and other AD objects, and the administrator manages the group as a single object. In Windows there are 7 types of groups: two domain group types with three scopes each, plus local security groups. In this article, we'll talk about the different types of Active Directory groups, the differences between them, and group scopes, and we'll show you several ways to create AD groups.
Types of Active Directory Groups
There are two types of AD groups:
- Active Directory Security Groups. This type of group is used to grant access to resources (it is a security principal). For example, if you want to give a specific set of users access to files in a network shared folder, you create a security group;
- Active Directory Distribution Groups. This type of group is used to create e-mail distribution lists (usually in Microsoft Exchange Server). An e-mail sent to such a group reaches all users (recipients) in the group. This type of group cannot be used to grant access to domain resources, because it is not security enabled.
Note. You can assign e-mail attributes to a security group (by converting it to a mail-enabled security group) and use it in mailing lists, but this is not recommended.
Technically, distribution groups differ from security-enabled groups by one bit in the groupType attribute: for a security group, this attribute has the SECURITY_ENABLED bit set.
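To make the groupType bit concrete, here is an added example (not code from the original article) that decodes the raw attribute value into scope and category. The flag values are the documented ADS_GROUP_TYPE_ENUM constants; the sample group list is constructed for illustration, and the live query function at the end assumes the ActiveDirectory module is installed.

```powershell
# Added example, not code from the original article: decode the groupType
# attribute into scope and category. Flag values are the documented
# ADS_GROUP_TYPE_ENUM constants; the sample list below is constructed.
function ConvertFrom-ADGroupType {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int64]$GroupType
    )
    # AD stores groupType as a signed 32-bit integer, so a security group
    # shows up as a negative number. Mask to 32 bits before testing flags.
    $value = $GroupType -band 0xFFFFFFFF

    $scope = 'Unknown'
    if     ($value -band 0x2) { $scope = 'Global' }       # ADS_GROUP_TYPE_GLOBAL_GROUP
    elseif ($value -band 0x4) { $scope = 'DomainLocal' }  # ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP
    elseif ($value -band 0x8) { $scope = 'Universal' }    # ADS_GROUP_TYPE_UNIVERSAL_GROUP

    # The single bit the article refers to: ADS_GROUP_TYPE_SECURITY_ENABLED
    $category = if ($value -band 0x80000000) { 'Security' } else { 'Distribution' }

    [pscustomobject]@{
        Name      = $Name
        GroupType = $GroupType
        Hex       = '0x{0:X8}' -f $value
        Scope     = $scope
        IsBuiltin = [bool]($value -band 0x1)              # ADS_GROUP_TYPE_BUILTIN_LOCAL_GROUP
        Category  = $category
    }
}

# Constructed sample values, in the form Get-ADGroup -Properties groupType returns them
$samples = @(
    @{ Name = 'Administrators';    GroupType = -2147483643 }  # 0x80000005: built-in, domain local, security
    @{ Name = 'Domain Admins';     GroupType = -2147483646 }  # 0x80000002: global, security
    @{ Name = 'RemoteAccessUsers'; GroupType = -2147483640 }  # 0x80000008: universal, security
    @{ Name = 'BrasilUsers';       GroupType = 2 }            # 0x00000002: global, distribution
    @{ Name = 'All Staff';         GroupType = 8 }            # 0x00000008: universal, distribution
)
$samples | ForEach-Object { ConvertFrom-ADGroupType -Name $_.Name -GroupType $_.GroupType } |
    Format-Table -AutoSize

# Live variant (requires the ActiveDirectory module): the same bit can be
# tested server-side with the LDAP bitwise-AND matching rule, so only
# security-enabled groups are returned by the domain controller.
function Get-SecurityEnabledGroup {
    Import-Module ActiveDirectory
    Get-ADGroup -LDAPFilter '(groupType:1.2.840.113556.1.4.803:=2147483648)' -Properties groupType |
        ForEach-Object { ConvertFrom-ADGroupType -Name $_.Name -GroupType $_.groupType }
}
```

The decoder is useful when reviewing raw LDAP exports or replication data where only the numeric groupType is visible; a group that unexpectedly carries the 0x80000000 bit is a security principal and can appear in ACLs, even if it was created as a "mailing list".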
There are three group scopes for each group type:
- Domain local. Used to manage access permissions to various domain resources (NTFS permissions on files and folders, remote desktop access, Windows privileges, GPO security filtering, etc.) only in the domain where the group was created. A domain local group cannot be used in other domains (however, it may include users from another domain). A domain local group can be a member of another domain local group, but it cannot be added to a global group.
- Global. This group scope can be used to grant access to resources in another domain. You can add only accounts from the domain in which the group was created. A global group can be added to other global groups and to domain local groups.
- Universal. Recommended for large Active Directory forests. With this group scope, you can define roles and manage resources that are distributed across multiple domains. If your network has many branches connected over WAN links, it is desirable to use universal groups only for groups whose membership rarely changes, because every change to a universal group is replicated to the Global Catalog throughout the whole enterprise.
There are also local groups. These groups are created in the local Security Account Manager (SAM) database of a specific computer. The difference from domain groups: local groups keep working even when no domain controller can be contacted.
You can change an AD group's scope or type, but there are several conditions:
- You can convert a global security group to a universal group if the group is not a member of another global group;
- You can convert a domain local group to a universal group if it does not contain another domain local group as a member;
- A universal group can be converted to a domain local group without any restrictions;
- A universal group can be converted to a global group if it does not contain another universal group as a member.
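The four conversion rules above are easy to get wrong on a live group, so here is an added example (not code from the original article) that evaluates them before any Set-ADGroup -GroupScope call. The first function runs offline on constructed scope lists; the second reads the real member and memberOf scopes and assumes the ActiveDirectory module is installed.

```powershell
# Added example, not code from the original article: check the scope
# conversion rules before changing a group's scope.
function Test-ADGroupScopeChange {
    param(
        [Parameter(Mandatory)][ValidateSet('DomainLocal','Global','Universal')][string]$CurrentScope,
        [Parameter(Mandatory)][ValidateSet('DomainLocal','Global','Universal')][string]$TargetScope,
        [string[]]$MemberScopes   = @(),   # scopes of the groups that are members of this group
        [string[]]$MemberOfScopes = @()    # scopes of the groups this group is a member of
    )
    $ok = $false
    $reason = ''
    switch ("$CurrentScope->$TargetScope") {
        'Global->Universal' {
            $ok = $MemberOfScopes -notcontains 'Global'
            $reason = 'a global group cannot become universal while it is a member of another global group'
        }
        'DomainLocal->Universal' {
            $ok = $MemberScopes -notcontains 'DomainLocal'
            $reason = 'a domain local group cannot become universal while it contains another domain local group'
        }
        'Universal->DomainLocal' { $ok = $true; $reason = 'always allowed' }
        'Universal->Global' {
            $ok = $MemberScopes -notcontains 'Universal'
            $reason = 'a universal group cannot become global while it contains another universal group'
        }
        default {
            $reason = if ($CurrentScope -eq $TargetScope) { 'group already has this scope' }
                      else { 'no direct conversion between these scopes; convert to Universal first' }
        }
    }
    [pscustomobject]@{ Conversion = "$CurrentScope -> $TargetScope"; Allowed = $ok; Reason = $reason }
}

# Constructed cases covering each rule
Test-ADGroupScopeChange -CurrentScope Global      -TargetScope Universal   -MemberOfScopes 'Global'
Test-ADGroupScopeChange -CurrentScope DomainLocal -TargetScope Universal   -MemberScopes   'Global'
Test-ADGroupScopeChange -CurrentScope Universal   -TargetScope DomainLocal
Test-ADGroupScopeChange -CurrentScope Universal   -TargetScope Global      -MemberScopes   'Universal'

# Live variant (requires the ActiveDirectory module): collect the scopes of
# nested member groups and parent groups from AD, then apply the same rules.
function Test-ADGroupScopeChangeLive {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('DomainLocal','Global','Universal')][string]$TargetScope
    )
    Import-Module ActiveDirectory
    $group = Get-ADGroup -Identity $Identity -Properties memberOf
    $memberScopes = @(Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'group' |
        ForEach-Object { (Get-ADGroup -Identity $_.distinguishedName).GroupScope.ToString() })
    $memberOfScopes = @($group.memberOf |
        ForEach-Object { (Get-ADGroup -Identity $_).GroupScope.ToString() })
    Test-ADGroupScopeChange -CurrentScope $group.GroupScope.ToString() -TargetScope $TargetScope `
        -MemberScopes $memberScopes -MemberOfScopes $memberOfScopes
}
```

Only group members matter for these rules, which is why the live wrapper filters Get-ADGroupMember output to objectClass group; user and computer members never block a scope change.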
Default (Built-in) AD Domain Groups
When you create a new AD domain, several predefined (built-in) security groups with the DomainLocal scope are created. These predefined groups can be used to control access to shared resources and to delegate specific administrative permissions at the domain level. The default AD groups are located in the special AD container Builtin.
Only user accounts can be added to these groups: you cannot nest the default AD groups in each other, or add user-defined domain groups to them.
You can list the predefined AD groups using PowerShell:
Get-ADGroup -SearchBase 'CN=Builtin,DC=theitbros,DC=com' -Filter * | Format-Table Name,GroupScope,GroupCategory,SID -AutoSize

Name                                GroupScope  GroupCategory SID
----                                ----------  ------------- ---
Administrators                      DomainLocal Security      S-1-5-32-544
Users                               DomainLocal Security      S-1-5-32-545
Guests                              DomainLocal Security      S-1-5-32-546
Print Operators                     DomainLocal Security      S-1-5-32-550
Backup Operators                    DomainLocal Security      S-1-5-32-551
Replicator                          DomainLocal Security      S-1-5-32-552
Remote Desktop Users                DomainLocal Security      S-1-5-32-555
Network Configuration Operators     DomainLocal Security      S-1-5-32-556
Performance Monitor Users           DomainLocal Security      S-1-5-32-558
Performance Log Users               DomainLocal Security      S-1-5-32-559
Distributed COM Users               DomainLocal Security      S-1-5-32-562
IIS_IUSRS                           DomainLocal Security      S-1-5-32-568
Cryptographic Operators             DomainLocal Security      S-1-5-32-569
Event Log Readers                   DomainLocal Security      S-1-5-32-573
Certificate Service DCOM Access     DomainLocal Security      S-1-5-32-574
RDS Remote Access Servers           DomainLocal Security      S-1-5-32-575
RDS Endpoint Servers                DomainLocal Security      S-1-5-32-576
RDS Management Servers              DomainLocal Security      S-1-5-32-577
Hyper-V Administrators              DomainLocal Security      S-1-5-32-578
Access Control Assistance Operators DomainLocal Security      S-1-5-32-579
Remote Management Users             DomainLocal Security      S-1-5-32-580
Server Operators                    DomainLocal Security      S-1-5-32-549
Account Operators                   DomainLocal Security      S-1-5-32-548
Pre-Windows 2000 Compatible Access  DomainLocal Security      S-1-5-32-554
Incoming Forest Trust Builders      DomainLocal Security      S-1-5-32-557
Windows Authorization Access Group  DomainLocal Security      S-1-5-32-560
Terminal Server License Servers     DomainLocal Security      S-1-5-32-561
Please note that the built-in AD groups use a special SID format: S-1-5-32-xxx (xxx from 500 to 1000). For regular AD groups, the SID looks like S-1-5-21-yyy-zzz, where yyy is the domain identifier and zzz is the Relative ID (RID).
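Because the SID, not the display name, is what ends up in ACLs and tokens, it is worth being able to read one. The following is an added example (not code from the original article) that splits a SID into its domain identifier and RID and flags the well-known privileged RIDs; the two built-in SIDs and the Domain Admins SID are taken from this article, the RID 1105 sample is constructed, and the live function assumes the ActiveDirectory module.

```powershell
# Added example, not code from the original article: parse SID strings and
# flag well-known privileged RIDs. RID names are the documented well-known
# values; sample SIDs are from this article except the constructed RID 1105.
$wellKnownRid = @{
    # Built-in domain local groups: S-1-5-32-<RID>
    544 = 'Administrators'; 545 = 'Users'; 546 = 'Guests'; 548 = 'Account Operators'
    549 = 'Server Operators'; 550 = 'Print Operators'; 551 = 'Backup Operators'
    # Domain principals: S-1-5-21-<domain identifier>-<RID>
    500 = 'Administrator'; 512 = 'Domain Admins'; 513 = 'Domain Users'
    518 = 'Schema Admins'; 519 = 'Enterprise Admins'
}
# Groups whose membership a defender should review regularly
$privilegedGroupRid = 512, 518, 519, 544, 548, 549, 550, 551

function Get-SidInfo {
    param([Parameter(Mandatory)][string]$Sid)

    # S-1-5-32-<RID>             -> built-in principal (BUILTIN\...)
    # S-1-5-21-<a>-<b>-<c>-<RID> -> domain principal
    if (-not ($Sid -match '^S-1-5-(?<kind>32|21)(?<domain>(?:-\d+)*)-(?<rid>\d+)$')) {
        throw "Not a built-in or domain SID: $Sid"
    }
    $rid  = [int]$Matches.rid
    $kind = if ($Matches.kind -eq '32') { 'Builtin' } else { 'Domain' }

    [pscustomobject]@{
        Sid           = $Sid
        Kind          = $kind
        DomainId      = $Matches.domain.TrimStart('-')   # empty for built-in SIDs
        Rid           = $rid
        WellKnownName = $wellKnownRid[$rid]                # $null for ordinary objects (RID >= 1000)
        IsPrivileged  = $privilegedGroupRid -contains $rid
    }
}

$samples = @(
    'S-1-5-32-544',                                   # Administrators (from the table above)
    'S-1-5-32-545',                                   # Users
    'S-1-5-21-3243688314-1360023605-3291231821-512',  # Domain Admins (from the Get-ADGroup output below)
    'S-1-5-21-3243688314-1360023605-3291231821-1105'  # constructed: a regular user-defined object
)
$samples | ForEach-Object { Get-SidInfo -Sid $_ } | Format-Table -AutoSize

# Live variant (requires the ActiveDirectory module): -Identity accepts a SID,
# so privileged groups can be reviewed by SID even if they were renamed.
function Get-PrivilegedGroupMember {
    Import-Module ActiveDirectory
    $domainSid = (Get-ADDomain).DomainSID.Value
    foreach ($rid in $privilegedGroupRid) {
        # RIDs 544-551 in this list are built-in (S-1-5-32); the rest are domain RIDs
        $sid = if ($rid -ge 544) { "S-1-5-32-$rid" } else { "$domainSid-$rid" }
        Get-ADGroupMember -Identity $sid -Recursive |
            Select-Object @{ n = 'Group'; e = { $wellKnownRid[$rid] } }, SamAccountName, objectClass
    }
}
```

Reviewing membership by SID rather than by name avoids being misled by a renamed or localised group; the recursive listing also surfaces accounts that hold the privilege only through nesting.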
Creating a Group Using the ADUC snap-in
The easiest way to create a new group in the AD domain is to use the Active Directory Users and Computers graphical console. Go to the AD organizational unit in which you want to create the group, right-click it and select New > Group.
Specify a unique group name, select the group type and scope, and click OK.
To add a user to the group, search for the group name in the Active Directory Users and Computers console and double-click on it. In the group properties window, click the Members tab and use the Add button to add users, computers, or other groups.
Note that when you add members to a group, the search covers only the following object types: Users, Groups and Service Accounts. If you want to add another kind of AD object to the security group (such as a computer or a contact), click Object Types and check the Contacts and Computers options. Now you can select all types of Active Directory objects.
You can also add a user to a group by right-clicking the user and selecting Add to a group. This is quite handy when you need to add many users to a group at once.
How to Create and Modify Active Directory Groups Using PowerShell?
To create Active Directory groups, use the New-ADGroup cmdlet from the Active Directory module for Windows PowerShell. Install the module as described here and import its cmdlets into your PowerShell session.
The group type (Security or Distribution) is specified using the -GroupCategory parameter. The scope of the group is specified using the -GroupScope parameter (valid values: DomainLocal, Global or Universal).
To create a new global distribution group in the target OU, you can use the command:
New-ADGroup -Path "OU=Groups,OU=Brasil,DC=theitbros,DC=com" -Name "BrasilUsers" -GroupScope Global -GroupCategory Distribution
If you want to find all distribution groups in your domain, use the following cmdlet:
Get-ADGroup -Filter 'groupcategory -eq "Distribution"'
Using the following command, you can create a new security group:
New-ADGroup -Name RemoteAccessUsers -GroupScope Universal -GroupCategory Security -Path "OU=Groups,OU=USA,DC=theitbros,DC=com"
You can change Active Directory group attributes using the Set-ADGroup cmdlet. For example, you want to add a description to the security group you have created earlier:
Set-ADGroup RemoteAccessUsers -Description "Users that can access corporate network over DirectAccess and VPN server"
Now you can add users to this group using Add-ADGroupMember cmdlet:
Add-ADGroupMember RemoteAccessUsers -Members user1,user2,user3
To get all the information about a specified group, use the Get-ADGroup cmdlet:
Get-ADGroup 'Domain Admins'
DistinguishedName : CN=Domain Admins,CN=Users,DC=theitbros,DC=com
GroupCategory : Security
GroupScope : Global
Name : Domain Admins
ObjectClass : group
ObjectGUID : f04fbf5d-c917-43fb-9235-b214f6ea4156
SamAccountName : Domain Admins
SID : S-1-5-21-3243688314-1360023605-3291231821-512
You can list (export) the members of an Active Directory group using the Get-ADGroupMember cmdlet.
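The cmdlets above are usually run together: create the group, document it, populate it and export the result for review. The following added example (not code from the original article) does this as one re-runnable script. It requires the ActiveDirectory module and rights in the target OU; the OU path and description are reused from the article's commands, and the member names and the approved-member check are assumptions for illustration.

```powershell
# Added example, not code from the original article: create a security group,
# set its description, add members idempotently and export the membership.
# Requires the ActiveDirectory module; the OU, members and approved list are assumed.
Import-Module ActiveDirectory

$groupName   = 'RemoteAccessUsers'
$ouPath      = 'OU=Groups,OU=USA,DC=theitbros,DC=com'   # OU path from the article's New-ADGroup example
$description = 'Users that can access corporate network over DirectAccess and VPN server'
$approved    = 'user1', 'user2', 'user3'                 # assumed sAMAccountNames of the intended members

# New-ADGroup fails if the name already exists, so look the group up first
$group = Get-ADGroup -Filter "SamAccountName -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Universal -GroupCategory Security -Path $ouPath `
        -Description $description -PassThru
} else {
    Set-ADGroup -Identity $group -Description $description
}

# Add only the approved members that are not yet present, so re-running is safe
$current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
$toAdd   = @($approved | Where-Object { $_ -notin $current })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $group -Members $toAdd
}

# Effective membership, including accounts that are members through nested groups
$effective = Get-ADGroupMember -Identity $group -Recursive

# Audit check: anyone in the effective membership who is not on the approved list
$unexpected = @($effective | Where-Object { $_.SamAccountName -notin $approved })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Members of {0} outside the approved list: {1}" -f
        $groupName, ($unexpected.SamAccountName -join ', '))
}

# Export for review; SID is included so the record survives renames
$effective |
    Select-Object SamAccountName, objectClass, distinguishedName, SID |
    Export-Csv -Path ".\$groupName-members.csv" -NoTypeInformation
```

The approved-list comparison is the part worth keeping as a scheduled job: a group that grants network access should be diffed against its intended membership, and the -Recursive listing makes sure nested groups do not hide extra members.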