Active Directory Group Types

An Active Directory group is a collection of Active Directory objects. A group can include users, computers, other groups, and other AD objects, and the administrator manages it as a single object. In Windows, there are 7 kinds of groups: two domain group types, each with three scopes, plus the local security group. In this article, we’ll talk about the different types of Active Directory groups, the differences between them and their scopes, and show you how to create AD groups in several ways.

Types of Active Directory Groups

There are two types of AD groups:

  • Active Directory Security Groups. A security group is a security principal, so it can be used to grant access to resources. For example, if you want to give a set of users access to files in a network shared folder, you create a security group;
  • Active Directory Distribution Groups. This type of group is used to create email distribution lists (usually in Microsoft Exchange Server). An e-mail sent to such a group reaches all users (recipients) in the group. A distribution group cannot be used to grant access to domain resources, because it is not security-enabled.

Note. You can assign an email attribute to a security group (by converting it to a mail-enabled security group) and use it in mailing lists, but this is not recommended.

Technically, distribution groups differ from security-enabled groups by a single bit in the groupType attribute: for a security group, this attribute contains the SECURITY_ENABLED bit.

There are three group scopes for each group type:

  • Domain local. Used to manage access permissions to resources (NTFS permissions on files and folders, remote desktop access, granting Windows privileges, GPO security filtering, etc.) only in the domain where the group was created. A domain local group cannot be used in other domains (although it may include users from another domain). A domain local group can be nested in another domain local group, but it cannot be added to a global group;
  • Global. This scope can be used to grant access to resources in another domain, but the group can contain only accounts from the domain in which it was created. A global group can be added to other global groups and to domain local groups;
  • Universal. Recommended for large Active Directory forests. With this scope you can define roles and manage resources that are spread across multiple domains. If your network has many branches connected over WAN links, use universal groups only for memberships that rarely change, because every change to a universal group is replicated to the Global Catalog throughout the whole enterprise.
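The category (security or distribution) and the scope are both encoded in the groupType attribute, so a single decoder shows how the scopes above and the SECURITY_ENABLED bit fit together. The following is an added example, not code from the original article: it uses the documented ADS_GROUP_TYPE_ENUM flag values and runs offline against constructed sample values; the commented line at the end shows how it would be applied to a live domain with Get-ADGroup.

```powershell
# Added example: decode the groupType attribute. Flag values are the documented
# ADS_GROUP_TYPE_ENUM constants; sample values below are constructed for illustration.
$GroupTypeFlags = [ordered]@{
    BuiltinLocal    = 0x00000001   # set only on the predefined groups in the Builtin container
    Global          = 0x00000002
    DomainLocal     = 0x00000004
    Universal       = 0x00000008
    SecurityEnabled = 0x80000000   # the one bit that separates security from distribution groups
}

function ConvertFrom-GroupType {
    param([Parameter(Mandatory)][int64]$GroupType)

    # AD stores groupType as a signed 32-bit integer, so security groups show up as
    # negative numbers. Normalise to an unsigned 32-bit value before testing the bits.
    $value = [uint32]($GroupType -band 0xFFFFFFFF)

    $scope = 'Unknown'
    if     ($value -band $GroupTypeFlags.DomainLocal) { $scope = 'DomainLocal' }
    elseif ($value -band $GroupTypeFlags.Global)      { $scope = 'Global' }
    elseif ($value -band $GroupTypeFlags.Universal)   { $scope = 'Universal' }

    $category = if ($value -band $GroupTypeFlags.SecurityEnabled) { 'Security' } else { 'Distribution' }

    [pscustomobject]@{
        GroupType = $GroupType
        Hex       = '0x{0:X8}' -f $value
        Scope     = $scope
        Category  = $category
        Builtin   = [bool]($value -band $GroupTypeFlags.BuiltinLocal)
    }
}

# Constructed sample values covering every scope/category combination:
$samples = @(
    -2147483646   # 0x80000002 security, global       (e.g. Domain Admins)
    -2147483644   # 0x80000004 security, domain local
    -2147483640   # 0x80000008 security, universal
    -2147483643   # 0x80000005 security, domain local, builtin (e.g. Administrators)
    2             # 0x00000002 distribution, global
    8             # 0x00000008 distribution, universal
)
$samples | ForEach-Object { ConvertFrom-GroupType -GroupType $_ } | Format-Table -AutoSize

# Against a live domain (ActiveDirectory module loaded), the same decoder can be fed real values:
# Get-ADGroup -Filter * -Properties groupType | ForEach-Object { ConvertFrom-GroupType $_.groupType }
```

Because the scope bits are mutually exclusive, the decoder tests them in a fixed order and reports Unknown for a value with none set; a group whose groupType is positive is by definition a distribution group, whatever its scope.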

There are also local groups. These are created in the local Security Account Manager (SAM) database of a specific computer. The difference from domain groups is that local groups keep working even if no domain controller can be contacted.

You can change the scope or type of an AD group, but there are several conditions:

  • A global group can be converted to a universal group if it is not a member of another global group;
  • A domain local group can be converted to a universal group if it does not contain another domain local group as a member;
  • A universal group can be converted to a domain local group without any restrictions;
  • A universal group can be converted to a global group if it does not contain another universal group as a member.
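Set-ADGroup has a -GroupScope parameter that performs the conversion, and it simply fails with an error when one of the conditions above is violated. The following is an added example, not code from the original article: a helper that checks the four rules up front by inspecting the group's memberOf and members attributes, so the reason for a refused conversion is reported before anything is changed. It assumes the ActiveDirectory module is loaded and that the caller can read group membership; the group name RemoteAccessUsers in the usage line is the one used later in this article.

```powershell
# Added example: pre-check the scope conversion rules before calling Set-ADGroup -GroupScope.
function Test-ADGroupScopeConversion {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('DomainLocal', 'Global', 'Universal')][string]$TargetScope
    )

    $group = Get-ADGroup -Identity $Identity -Properties memberOf, members

    # Scopes of the groups this group is nested in (memberOf holds their distinguished names)
    $parentScopes = foreach ($dn in $group.memberOf) { (Get-ADGroup -Identity $dn).GroupScope }

    # Scopes of the groups nested inside this group (members also contains users and computers, so filter by class)
    $memberGroupScopes = foreach ($dn in $group.members) {
        $obj = Get-ADObject -Identity $dn
        if ($obj.ObjectClass -eq 'group') { (Get-ADGroup -Identity $dn).GroupScope }
    }

    $reason = $null
    if ($group.GroupScope -eq $TargetScope) {
        $reason = "group already has scope $TargetScope"
    }
    else {
        switch ("$($group.GroupScope)->$TargetScope") {
            'Global->Universal'      { if ($parentScopes -contains 'Global')           { $reason = 'group is a member of another global group' } }
            'DomainLocal->Universal' { if ($memberGroupScopes -contains 'DomainLocal') { $reason = 'group contains another domain local group' } }
            'Universal->Global'      { if ($memberGroupScopes -contains 'Universal')   { $reason = 'group contains another universal group' } }
            'Universal->DomainLocal' { }   # always allowed
            # Global <-> DomainLocal is not among the rules above: AD requires converting to Universal first.
            default                  { $reason = "direct conversion $($group.GroupScope) -> $TargetScope is not possible; convert to Universal first" }
        }
    }

    [pscustomobject]@{
        Group        = $group.Name
        CurrentScope = $group.GroupScope
        TargetScope  = $TargetScope
        Allowed      = ($null -eq $reason)
        Reason       = $reason
    }
}

# Usage: only change the scope when the check passes, otherwise explain why not
$check = Test-ADGroupScopeConversion -Identity 'RemoteAccessUsers' -TargetScope Global
if ($check.Allowed) {
    Set-ADGroup -Identity 'RemoteAccessUsers' -GroupScope Global
}
else {
    Write-Warning "Cannot convert $($check.Group) to $($check.TargetScope): $($check.Reason)"
}
```

The check reads the direct membership only, which is exactly what the conversion rules look at: nested groups further down are irrelevant unless they sit directly in members or memberOf.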

Default (Built-in) AD Domain Groups

When you create a new AD domain, several predefined (built-in) security groups with the DomainLocal scope are created. These predefined groups can be used to control access to shared resources and to delegate specific administrative permissions at the domain level. The default AD groups are located in a special AD container named Builtin.


Only user accounts can be added to these groups: you cannot nest the default AD groups in each other, or add user-defined domain groups to them.

You can list the predefined AD groups using PowerShell:

Get-ADGroup -SearchBase 'CN=Builtin,DC=theitbros,DC=com' -Filter * | Format-Table Name,GroupScope,GroupCategory,SID -AutoSize


Name                                GroupScope  GroupCategory SID
----                                ----------  ------------- ---
Administrators                      DomainLocal Security      S-1-5-32-544
Users                               DomainLocal Security      S-1-5-32-545
Guests                              DomainLocal Security      S-1-5-32-546
Print Operators                     DomainLocal Security      S-1-5-32-550
Backup Operators                    DomainLocal Security      S-1-5-32-551
Replicator                          DomainLocal Security      S-1-5-32-552
Remote Desktop Users                DomainLocal Security      S-1-5-32-555
Network Configuration Operators     DomainLocal Security      S-1-5-32-556
Performance Monitor Users           DomainLocal Security      S-1-5-32-558
Performance Log Users               DomainLocal Security      S-1-5-32-559
Distributed COM Users               DomainLocal Security      S-1-5-32-562
IIS_IUSRS                           DomainLocal Security      S-1-5-32-568
Cryptographic Operators             DomainLocal Security      S-1-5-32-569
Event Log Readers                   DomainLocal Security      S-1-5-32-573
Certificate Service DCOM Access     DomainLocal Security      S-1-5-32-574
RDS Remote Access Servers           DomainLocal Security      S-1-5-32-575
RDS Endpoint Servers                DomainLocal Security      S-1-5-32-576
RDS Management Servers              DomainLocal Security      S-1-5-32-577
Hyper-V Administrators              DomainLocal Security      S-1-5-32-578
Access Control Assistance Operators DomainLocal Security      S-1-5-32-579
Remote Management Users             DomainLocal Security      S-1-5-32-580
Server Operators                    DomainLocal Security      S-1-5-32-549
Account Operators                   DomainLocal Security      S-1-5-32-548
Pre-Windows 2000 Compatible Access  DomainLocal Security      S-1-5-32-554
Incoming Forest Trust Builders      DomainLocal Security      S-1-5-32-557
Windows Authorization Access Group  DomainLocal Security      S-1-5-32-560
Terminal Server License Servers     DomainLocal Security      S-1-5-32-561

Please note that the built-in AD groups use a special SID format: S-1-5-32-xxx (xxx from 500 to 1000). For regular AD groups, the SID looks like S-1-5-21-yyy-zzz, where yyy is the domain identifier and zzz is the Relative ID (RID).
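The SID format is the quickest way to tell a built-in group from a domain group in an export, and the RID tells you whether a domain group is one of the well-known ones. The following is an added example, not code from the original article: it classifies SID strings offline with the .NET SecurityIdentifier class, whose AccountDomainSid property is null for the S-1-5-32-xxx built-in SIDs. The sample SIDs are taken from the listings in this article, except S-1-5-21-...-1105, which is a constructed example of a user-created group.

```powershell
# Added example: classify group SIDs from Get-ADGroup output into built-in vs. domain groups.
function Get-GroupSidInfo {
    param([Parameter(Mandatory)][string]$Sid)

    $sidObject = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    $rid       = [int]($Sid -split '-')[-1]

    # Built-in SIDs (S-1-5-32-xxx) carry no domain component, so AccountDomainSid is $null;
    # domain group SIDs (S-1-5-21-yyy-zzz) return the domain SID S-1-5-21-yyy.
    $isBuiltin = ($null -eq $sidObject.AccountDomainSid)

    [pscustomobject]@{
        SID       = $Sid
        Kind      = if ($isBuiltin) { 'Builtin' } else { 'Domain' }
        DomainSid = if ($isBuiltin) { $null } else { $sidObject.AccountDomainSid.Value }
        RID       = $rid
        # RIDs below 1000 are reserved for well-known accounts and groups (512 = Domain Admins);
        # objects created by administrators receive RIDs of 1000 and above.
        WellKnown = ($rid -lt 1000)
    }
}

# Sample SIDs: the first three appear in this article, the last one is constructed
$samples = @(
    'S-1-5-32-544'                                       # Administrators (built-in)
    'S-1-5-32-580'                                       # Remote Management Users (built-in)
    'S-1-5-21-3243688314-1360023605-3291231821-512'      # Domain Admins (well-known domain RID)
    'S-1-5-21-3243688314-1360023605-3291231821-1105'     # constructed: an ordinary user-created group
)
$samples | ForEach-Object { Get-GroupSidInfo -Sid $_ } | Format-Table -AutoSize

# Against a live domain, the same function can flag every well-known group for a privilege review:
# Get-ADGroup -Filter * | ForEach-Object { Get-GroupSidInfo -Sid $_.SID.Value } | Where-Object WellKnown
```

The SecurityIdentifier constructor throws on a malformed SID string, which is the behaviour you want when parsing an export: a silently mis-parsed SID is worse than a failed run.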


Creating a Group Using the ADUC snap-in

The easiest way to create a new group in the AD domain is to use the Active Directory Users and Computers graphical console. Go to the organizational unit in which you want to create the group, right-click it and select New > Group.


Specify a unique group name, select the group type and scope, and click OK.


To add a user to the group, find the group in the Active Directory Users and Computers console and double-click it. In the group properties window, open the Members tab and use the Add button to add users, computers, or other groups.


Note that when adding members to a group, the search covers only the following object types by default: Users, Groups, and Service Accounts. If you want to add another kind of AD object to the security group (such as a computer or a contact), click the Object Types button and check the Contacts and Computers options. Now you can select all types of Active Directory objects.


You can also add a user to a group by right-clicking the user and selecting Add to a group. This is quite handy when you need to add many users to a group at once.



How to Create and Modify Active Directory Groups Using PowerShell?

To create Active Directory groups, use the New-ADGroup cmdlet from the Active Directory module for Windows PowerShell. Install the module as described here and import its cmdlets into your PowerShell session:

Import-Module ActiveDirectory

The group type (Security or Distribution) is specified with the -GroupCategory parameter. The scope of the group is specified with the -GroupScope parameter (valid values: DomainLocal, Global, or Universal).

To create a new global distribution group in the target OU, you can use the command:

New-ADGroup -Path "OU=Groups,OU=Brasil,DC=theitbros,DC=com" -Name "BrasilUsers" -GroupScope Global -GroupCategory Distribution

If you want to find all distribution groups in your domain, use the following cmdlet:

Get-ADGroup -Filter 'groupcategory -eq "Distribution"'

Using the following command, you can create a new security group:

New-ADGroup -Name RemoteAccessUsers -GroupScope Universal -GroupCategory Security -Path "OU=Groups,OU=USA,DC=theitbros,DC=com"

You can change Active Directory group attributes using the Set-ADGroup cmdlet. For example, to add a description to the security group you created earlier:

Set-ADGroup RemoteAccessUsers -Description "Users that can access corporate network over DirectAccess and VPN server"

Now you can add users to this group using the Add-ADGroupMember cmdlet:

Add-ADGroupMember RemoteAccessUsers -Members user1,user2,user3

To get all the information about the specified group, use the Get-ADGroup cmdlet:

Get-ADGroup 'Domain Admins'


DistinguishedName : CN=Domain Admins,CN=Users,DC=theitbros,DC=com
GroupCategory     : Security
GroupScope        : Global
Name              : Domain Admins
ObjectClass       : group
ObjectGUID        : f04fbf5d-c917-43fb-9235-b214f6ea4156
SamAccountName    : Domain Admins
SID               : S-1-5-21-3243688314-1360023605-3291231821-512

You can list (or export) the members of an Active Directory group using the Get-ADGroupMember cmdlet.
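The cmdlets above are the steps of one procedure: create the group, describe it, add members, then review the membership. The following is an added example, not code from the original article, that runs them as a single idempotent script. The group name, OU path and description are the ones used in this article; the user names are assumptions, and the script skips names that do not resolve instead of aborting, since Add-ADGroupMember fails as a whole when one member cannot be found.

```powershell
# Added example: create a security group, set its description, add members, and export the
# effective membership. Assumes the ActiveDirectory module is installed and the caller has
# rights to create groups in the target OU.
Import-Module ActiveDirectory

$groupName   = 'RemoteAccessUsers'
$ouPath      = 'OU=Groups,OU=USA,DC=theitbros,DC=com'
$description = 'Users that can access corporate network over DirectAccess and VPN server'
$members     = 'user1', 'user2', 'user3'   # assumed sAMAccountNames

# New-ADGroup throws if the name already exists, so look the group up first.
# -Filter returns nothing for a missing object, whereas -Identity would raise an error.
$group = Get-ADGroup -Filter "SamAccountName -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Universal -GroupCategory Security `
        -Path $ouPath -Description $description -PassThru
}
else {
    # Keep the description in sync on re-runs
    Set-ADGroup -Identity $group -Description $description
}

# Resolve each member and warn about unknown accounts rather than failing the whole call
$resolved = foreach ($name in $members) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'"
    if ($user) { $user } else { Write-Warning "User '$name' not found, skipping" }
}
if ($resolved) {
    Add-ADGroupMember -Identity $group -Members $resolved
}

# Export the effective membership with nested groups expanded, so the review sees
# every account that actually receives the group's permissions
Get-ADGroupMember -Identity $group -Recursive |
    Select-Object Name, SamAccountName, objectClass, SID |
    Export-Csv -Path ".\$groupName-members.csv" -NoTypeInformation
```

The -Recursive switch on Get-ADGroupMember is the important choice for a membership review: without it the export lists a nested group as one line and hides the accounts inside it.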

Cyril Kardashevsky
