An Active Directory group is a collection of Active Directory objects: users, computers, other groups and other AD objects. The administrator manages the group as a single object, for example by granting a permission to the group once instead of to every member. Windows has seven kinds of groups: two domain group types (security and distribution), each available in three scopes, plus local groups stored on a single computer. In this article, we’ll talk about the different types of Active Directory groups, the differences between them, group scopes, and show you several ways to create AD groups.
Types of Active Directory Groups
There are two types of AD groups:
- Active Directory Security Groups. This type of group is security-enabled, so it can be placed in access control lists and is used to provide access to resources. For example, if you want to grant a set of users access to files in a shared folder, you create a security group, add the users to it and grant the permission to the group;
- Active Directory Distribution Groups. This type of group is used to create email distribution lists (usually with Microsoft Exchange Server). An e-mail sent to such a group reaches all users in the group. This type of group cannot be used to provide access to domain resources, because it is not security-enabled and never appears in a user’s access token.
Note. Security groups can also be assigned email attributes and used in mailing lists, but this is not recommended: every recipient list then doubles as an access-control entity.
For each type of group, there are three group scopes:
Domain local. Used to assign permissions to resources (files, folders, printers and other objects) only in the domain where the group was created. A domain local group cannot be granted permissions in other domains, but it may contain users, computers, global groups and universal groups from any domain in the forest, as well as other domain local groups from its own domain. A domain local group can be a member of another domain local group in the same domain, but it cannot be a member of a global group.
Global. A global group can be granted permissions on resources in any domain in the forest, but it can contain only accounts (and other global groups) from the domain in which it was created. A global group can be a member of other global groups in its domain, of universal groups and of domain local groups.
Universal. Recommended in large, multi-domain Active Directory forests. A universal group can contain accounts, global groups and other universal groups from any domain in the forest and can be granted permissions in any domain, so it lets you define roles and manage resources that span several domains. Its membership is stored in the global catalog, so every membership change is replicated to all global catalog servers in the forest (from the Windows Server 2003 forest functional level onwards only the changed member values are replicated, not the whole list). If your network has many branches connected over WAN links, use universal groups only for groups whose membership rarely changes.
There are also local groups. These are created in the local Security Account Manager (SAM) database of a single computer and exist only on that computer. Unlike domain groups, local groups keep working even if no domain controller is available; they can contain domain users and domain groups, but cannot themselves be members of domain groups.
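The category and scope described above are stored on every group object (the GroupCategory and GroupScope properties exposed by the ActiveDirectory module). The following script is an added example, not code from the original article: it inventories the domain’s groups by category and scope, flags mail-enabled security groups (the case the note above allows but discourages) and lists universal groups by member count, since those are the ones whose membership changes replicate to every global catalog. It assumes the ActiveDirectory PowerShell module is installed and a domain controller is reachable.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module (RSAT) is installed and the current user can read the domain.
Import-Module ActiveDirectory

# GroupCategory, GroupScope and mail are not returned by default, so ask for them;
# Members is the group's member attribute (list of distinguished names).
$groups = Get-ADGroup -Filter * -Properties GroupCategory, GroupScope, mail, Members

# 1. How many groups exist for each of the six category/scope combinations
"Groups per category and scope:"
$groups |
    Group-Object GroupCategory, GroupScope |
    Select-Object Name, Count |
    Sort-Object Name |
    Format-Table -AutoSize

# 2. Security groups that also carry an e-mail address: allowed, but each one is
#    both an access-control entity and a recipient list, which is easy to misuse.
$mailEnabledSecurity = @($groups | Where-Object { $_.GroupCategory -eq 'Security' -and $_.mail })
"Mail-enabled security groups: $($mailEnabledSecurity.Count)"
$mailEnabledSecurity |
    Select-Object Name, GroupScope, mail |
    Format-Table -AutoSize

# 3. Universal groups, largest first: their membership lives in the global catalog,
#    so frequent changes to a big universal group mean forest-wide GC replication.
"Universal groups by member count:"
$groups |
    Where-Object { $_.GroupScope -eq 'Universal' } |
    Select-Object Name, @{ Name = 'MemberCount'; Expression = { @($_.Members).Count } } |
    Sort-Object MemberCount -Descending |
    Format-Table -AutoSize
```

Run it from a domain-joined machine with RSAT; the three tables give you a quick picture of whether the domain follows the scope guidance above before you start creating new groups.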
Creating a Group Using the ADUC snap-in
The easiest way to create a new group is to use the Active Directory Users and Computers graphical console. Go to the AD organizational unit in which you want to create the group, right click on it and select New > Group.
Specify the group name, select the group type and scope, and click OK.
To add a user to the group, locate the group in the Active Directory Users and Computers console and double-click on it. In the group properties window, click the Members tab and use the Add button to add users, computers, or other groups.
You can also add a user to a group by right-clicking the user (or several selected users) and choosing Add to a group. This is quite handy when many users need to be added to a group at once.
How to Create Active Directory Groups Using PowerShell?
To create Active Directory groups, use the PowerShell New-ADGroup cmdlet.
The group type (Security or Distribution) is specified with the -GroupCategory parameter and the scope with the -GroupScope parameter (valid values: DomainLocal, Global or Universal). -GroupScope is mandatory; if -GroupCategory is omitted, the cmdlet creates a security group.
To create a new global distribution group in the specified OU, you can use the command:
New-ADGroup -Path "OU=Groups,OU=Brasil,DC=theitbros,DC=com" -Name "BrasilUsers" -GroupScope Global -GroupCategory Distribution
Using the following command, you can create a new security group:
New-ADGroup -Name RemoteAccessUsers -GroupScope Universal -GroupCategory Security -Path "OU=Groups,OU=USA,DC=theitbros,DC=com"
Now you can add users to this group using Add-ADGroupMember cmdlet:
Add-ADGroupMember RemoteAccessUsers -Members user1,user2,user3
To list the members of a group, use the Get-ADGroupMember cmdlet; with the -Recursive parameter it also expands the members of nested groups.
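The scope rules from the first part of the article and the three cmdlets from this section come together in the usual nesting pattern: accounts go into a global group, the global group goes into a domain local group, and the permission on the resource is granted to the domain local group. The script below is an added example, not code from the original article or the ADUC console steps above; the OU path, group names and user names are hypothetical. It creates both groups, nests them, verifies direct and effective membership with Get-ADGroupMember, and then demonstrates that the reverse nesting (a domain local group inside a global group) is rejected by the domain controller, as the scope rules say it must be.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is installed and the account running it may create objects in the OU.
# OU path, group names and account names below are hypothetical.
Import-Module ActiveDirectory

$ou       = "OU=Groups,OU=USA,DC=theitbros,DC=com"   # hypothetical OU
$accounts = @("user1", "user2")                       # hypothetical sAMAccountNames

# Create a group only if it does not exist yet, so the script can be re-run safely.
function New-GroupIfMissing {
    param(
        [string]$Name,
        [ValidateSet('DomainLocal', 'Global', 'Universal')][string]$Scope,
        [string]$Path,
        [string]$Description
    )
    $existing = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path
    if ($existing) { return $existing }
    New-ADGroup -Name $Name -Path $Path -GroupScope $Scope `
                -GroupCategory Security -Description $Description -PassThru
}

# 1. Global group: holds the accounts (members must come from this domain).
$roleGroup = New-GroupIfMissing -Name "Role-RemoteAccess" -Scope Global -Path $ou `
                                -Description "Staff allowed to use remote access"

# 2. Domain local group: this is the group you grant the permission to.
$aclGroup  = New-GroupIfMissing -Name "ACL-RemoteAccess-Allow" -Scope DomainLocal -Path $ou `
                                -Description "Granted on the remote access resource"

# 3. Accounts -> global group; global group -> domain local group.
Add-ADGroupMember -Identity $roleGroup -Members $accounts
Add-ADGroupMember -Identity $aclGroup  -Members $roleGroup

# 4. Verify: direct members of the domain local group are groups,
#    effective (recursive) members are the users.
"Direct members of $($aclGroup.Name):"
Get-ADGroupMember -Identity $aclGroup | Select-Object name, objectClass
"Effective members of $($aclGroup.Name):"
Get-ADGroupMember -Identity $aclGroup -Recursive | Select-Object name, objectClass

# 5. A domain local group cannot be a member of a global group; the DC refuses it.
try {
    Add-ADGroupMember -Identity $roleGroup -Members $aclGroup -ErrorAction Stop
    Write-Warning "Unexpected: the domain controller accepted an invalid nesting."
} catch {
    "Nesting a domain local group into a global group was rejected, as expected: $($_.Exception.Message)"
}
```

Grant the share or NTFS permission to ACL-RemoteAccess-Allow once; from then on, access is managed purely by changing the membership of Role-RemoteAccess, which is the point of keeping the two scopes separate.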