Active Directory groups are collections of Active Directory objects. A group can include users, computers, other groups, and other AD objects, and the administrator manages it as a single object. In Windows there are seven kinds of groups: two domain group types, each with three scopes, plus local security groups. In this article, we’ll talk about the different types of Active Directory groups, the differences between them, group scopes, and show how to create and manage AD groups in several ways.
Types of Active Directory Groups
Active Directory groups can be used:
- To simplify the administration by assigning share (resource) permissions to a group rather than individual users. When you assign permissions to a group, all of its members have the same access to the resource;
- To delegate Active Directory administrative tasks by assigning permissions to a group. In the future, you can add new members to the group who need the permissions granted by this group;
- To link Group Policy Objects (GPOs) to groups in order to apply custom settings, using Security Filtering or Group Policy Preferences Item-Level Targeting;
- To create email distribution lists.
There are two types of AD groups:
- Active Directory Security Groups. This type of group is a security principal and is used to grant access to resources. For example, if you want to grant a specific group access to files in a network shared folder, you need to create a security group;
- Active Directory Distribution Groups. This type of group is used to create email distribution lists (usually in Microsoft Exchange Server). An e-mail sent to such a group reaches all users (recipients) in the group. This type of group cannot be used to grant access to domain resources, because such groups are not security-enabled.
Note. You can assign an email attribute to a security group (by converting it to a mail-enabled security group) and use it in mailing lists, but this is not recommended.
Technically, distribution groups differ from security-enabled groups by one bit in the groupType attribute. For a security group, this attribute contains the SECURITY_ENABLED bit.
There are three group scopes for each group type:
- Domain local. Used to manage access permissions to resources in the domain where the group was created (NTFS permissions on files and folders, remote desktop access, Windows privileges, GPO security filtering, etc.). A domain local group cannot be used in other domains (however, it may include users from another domain). A domain local group can be a member of another domain local group, but it cannot be added to a global group;
- Global. This scope can be used to grant access to resources in another domain. Only accounts from the domain in which the group was created can be added to it. A global group can be added to other global and domain local groups;
- Universal. Recommended for large Active Directory forests. With this scope you can define roles and manage resources that are distributed across multiple domains. If your network has many branches connected over WAN links, use universal groups only where membership rarely changes, because a change to a universal group is replicated to every Global Catalog server in the forest.
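As an added example (not the article's own code), the following PowerShell function decodes the raw groupType attribute into the category and scope described above; the bit values are the documented ADS_GROUP_TYPE_* flags, and the function name is an assumption.

```powershell
# Added example, not from the original article. Decodes the raw groupType attribute:
# the low bits carry the scope (0x2 global, 0x4 domain local, 0x8 universal; 0x1 marks
# the system-created groups in the Builtin container) and bit 0x80000000
# (ADS_GROUP_TYPE_SECURITY_ENABLED) separates security groups from distribution groups.
function ConvertFrom-ADGroupType {
    param([Parameter(Mandatory)][long]$GroupType)
    # AD stores the value as a signed 32-bit integer, so security groups come back as
    # negative numbers (0x80000000 is the sign bit). Mask to 32 bits to get the flag word.
    $flags = $GroupType -band [uint32]::MaxValue
    $scope = switch ($flags -band 0xE) {
        0x2     { 'Global' }
        0x4     { 'DomainLocal' }
        0x8     { 'Universal' }
        default { 'Unknown' }
    }
    $category = if ($flags -band 2147483648) { 'Security' } else { 'Distribution' }   # 2147483648 = 0x80000000
    [pscustomobject]@{
        GroupType     = $GroupType
        Hex           = '0x{0:X8}' -f $flags
        GroupScope    = $scope
        GroupCategory = $category
        Builtin       = [bool]($flags -band 0x1)
    }
}

# Constructed sample values, as they appear in the raw attribute:
#   -2147483646 (0x80000002)  global security group, e.g. Domain Admins
#   -2147483643 (0x80000005)  domain local security group created by the system (Builtin container)
#             8 (0x00000008)  universal distribution group
foreach ($value in -2147483646, -2147483643, 8) { ConvertFrom-ADGroupType $value }

# Cross-check the decoding against what Get-ADGroup already reports for every group
Get-ADGroup -Filter * -Properties groupType | ForEach-Object {
    $d = ConvertFrom-ADGroupType $_.groupType
    [pscustomobject]@{
        Name     = $_.Name
        Raw      = $_.groupType
        Scope    = $d.GroupScope
        Category = $d.GroupCategory
        Builtin  = $d.Builtin
        Matches  = ($d.GroupScope -eq "$($_.GroupScope)" -and $d.GroupCategory -eq "$($_.GroupCategory)")
    }
} | Format-Table -AutoSize
```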
Hint. AD groups can be members of other groups. This is called group nesting. Nested groups are a useful way to manage access in AD based on business roles and functions.
There are also local groups. These groups are created in the local Security Account Manager (SAM) database of a specific computer. The difference from domain groups is that local groups work even if no domain controller can be contacted.
You can change an AD group’s scope or type, but there are several conditions:
- A global group can be converted to a universal group if it is not a member of another global group;
- A domain local group can be converted to a universal group if no other domain local group is among its members;
- A universal group can be converted to a domain local group without any restrictions;
- A universal group can be converted to a global group if it does not contain another universal group as a member.
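As an added example (not the article's own code), this PowerShell function checks the membership conditions listed above before a scope change is attempted with Set-ADGroup -GroupScope, so the nested group that blocks a conversion is named instead of a generic error being returned; the function name is an assumption, and the two conversions that are not direct (global to domain local and back) are routed through Universal.

```powershell
# Added example, not from the original article. Pre-checks the scope-conversion rules
# and reports which nested group (if any) prevents the change.
function Test-ADGroupScopeChange {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal', 'Universal')][string]$TargetScope
    )
    $group = Get-ADGroup -Identity $Identity -Properties member, memberOf
    $from  = [string]$group.GroupScope

    # Groups nested inside this group (user and computer members do not matter here)
    $memberGroups = foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -ErrorAction SilentlyContinue   # $null for members in other domains
        if ($obj.ObjectClass -eq 'group') { Get-ADGroup -Identity $dn }
    }
    # Groups this group is itself nested in
    $parentGroups = foreach ($dn in $group.memberOf) { Get-ADGroup -Identity $dn -ErrorAction SilentlyContinue }

    $problems = @()
    if ($from -eq $TargetScope) { $problems += "group is already $TargetScope" }
    switch ("$from->$TargetScope") {
        'Global->Universal'      { $problems += @($parentGroups | Where-Object { $_.GroupScope -eq 'Global' }      | ForEach-Object { "is a member of global group $($_.Name)" }) }
        'DomainLocal->Universal' { $problems += @($memberGroups | Where-Object { $_.GroupScope -eq 'DomainLocal' } | ForEach-Object { "contains domain local group $($_.Name)" }) }
        'Universal->Global'      { $problems += @($memberGroups | Where-Object { $_.GroupScope -eq 'Universal' }   | ForEach-Object { "contains universal group $($_.Name)" }) }
        'Universal->DomainLocal' { }   # no membership restriction
        'Global->DomainLocal'    { $problems += 'not a direct conversion: convert to Universal first, then to DomainLocal' }
        'DomainLocal->Global'    { $problems += 'not a direct conversion: convert to Universal first, then to Global' }
    }
    [pscustomobject]@{
        Group = $group.Name; From = $from; To = $TargetScope
        Allowed = ($problems.Count -eq 0); Problems = ($problems -join '; ')
    }
}

# Only change the scope when the check passes; otherwise show what blocks it
$check = Test-ADGroupScopeChange -Identity RemoteAccessUsers -TargetScope Global
if ($check.Allowed) { Set-ADGroup -Identity RemoteAccessUsers -GroupScope Global } else { $check }
```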
Default (Built-in) AD Domain Groups
When you create a new AD domain, several predefined (built-in) security groups with the DomainLocal scope are created. These predefined groups can be used to control access to shared resources and to delegate specific administrative permissions at the domain level. Default AD groups are located in the special Builtin container.
Only user accounts can be added to these groups: you cannot nest built-in AD groups in each other, or add user-defined domain groups to them.
You can list the predefined AD groups using PowerShell:
Get-ADGroup -SearchBase 'CN=Builtin,DC=theitbros,DC=com' -Filter * | Format-Table Name,GroupScope,GroupCategory,SID -AutoSize
Name GroupScope GroupCategory SID
---- ---------- ------------- ---
Administrators DomainLocal Security S-1-5-32-544
Users DomainLocal Security S-1-5-32-545
Guests DomainLocal Security S-1-5-32-546
Print Operators DomainLocal Security S-1-5-32-550
Backup Operators DomainLocal Security S-1-5-32-551
Replicator DomainLocal Security S-1-5-32-552
Remote Desktop Users DomainLocal Security S-1-5-32-555
Network Configuration Operators DomainLocal Security S-1-5-32-556
Performance Monitor Users DomainLocal Security S-1-5-32-558
Performance Log Users DomainLocal Security S-1-5-32-559
Distributed COM Users DomainLocal Security S-1-5-32-562
IIS_IUSRS DomainLocal Security S-1-5-32-568
Cryptographic Operators DomainLocal Security S-1-5-32-569
Event Log Readers DomainLocal Security S-1-5-32-573
Certificate Service DCOM Access DomainLocal Security S-1-5-32-574
RDS Remote Access Servers DomainLocal Security S-1-5-32-575
RDS Endpoint Servers DomainLocal Security S-1-5-32-576
RDS Management Servers DomainLocal Security S-1-5-32-577
Hyper-V Administrators DomainLocal Security S-1-5-32-578
Access Control Assistance Operators DomainLocal Security S-1-5-32-579
Remote Management Users DomainLocal Security S-1-5-32-580
Server Operators DomainLocal Security S-1-5-32-549
Account Operators DomainLocal Security S-1-5-32-548
Pre-Windows 2000 Compatible Access DomainLocal Security S-1-5-32-554
Incoming Forest Trust Builders DomainLocal Security S-1-5-32-557
Windows Authorization Access Group DomainLocal Security S-1-5-32-560
Terminal Server License Servers DomainLocal Security S-1-5-32-561
Please note that the built-in AD groups use a special SID format, S-1-5-32-xxx (xxx from 500 to 1000). Regular AD groups have SIDs of the form S-1-5-21-yyy-zzz, where yyy is the domain identifier and zzz is the Relative ID (RID).
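As an added example (not the article's own code), a PowerShell function that splits a SID into the parts just described so that groups can be sorted by origin (BUILTIN authority versus domain, well-known RID versus one allocated for an administrator-created object); the function name is an assumption and the sample domain SID is constructed.

```powershell
# Added example, not from the original article. Splits a SID into authority, domain
# part and RID, and flags Windows-defined (BUILTIN or well-known RID) SIDs.
function Split-ADSid {
    param([Parameter(Mandatory)][string]$Sid)
    $s   = [System.Security.Principal.SecurityIdentifier]$Sid   # the cast also validates the format
    $rid = [int](($s.Value -split '-')[-1])
    $domain = if ($s.AccountDomainSid) { $s.AccountDomainSid.Value } else { $null }   # $null for BUILTIN SIDs
    [pscustomobject]@{
        Sid       = $s.Value
        IsBuiltin = $s.Value -like 'S-1-5-32-*'
        DomainSid = $domain
        Rid       = $rid
        WellKnown = ($rid -lt 1000)   # RIDs below 1000 are reserved for Windows-defined accounts and groups
    }
}

# Constructed sample SIDs (the domain part is made up)
Split-ADSid 'S-1-5-32-544'                                    # BUILTIN\Administrators
Split-ADSid 'S-1-5-21-1111111111-2222222222-3333333333-512'   # <domain>\Domain Admins
Split-ADSid 'S-1-5-21-1111111111-2222222222-3333333333-1105'  # a group created by an administrator

# Review all groups in the domain by origin: Windows-defined groups first, then administrator-created ones
Get-ADGroup -Filter * | ForEach-Object {
    $p = Split-ADSid $_.SID.Value
    [pscustomobject]@{ Name = $_.Name; Scope = $_.GroupScope; Builtin = $p.IsBuiltin; WellKnown = $p.WellKnown; Rid = $p.Rid }
} | Sort-Object @{ Expression = 'WellKnown'; Descending = $true }, Rid | Format-Table -AutoSize
```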
Active Directory Group Naming Convention Best Practices
Group names in an Active Directory domain should be descriptive, meaningful, and simple. Since it is sometimes hard to satisfy all three at once, you can compose group names according to the following rules:
- Use only English characters in group names;
- Start the group name with a letter that indicates the group scope (G, D, or U for Global, Domain local, or Universal). You can see the scope in the group properties in ADUC, but it is convenient to see it in the name as well;
- In the name of a global group, specify the department for which you are creating the group, for example Store, Marketing, Shop, Managers, etc.;
- In the name of a domain local group, specify the purpose of the group and the type of access permission (R/RW). Since domain local groups are used to set access permissions on various resources, this should be reflected in the group name.
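As an added example (not the article's own code), a PowerShell check that audits existing groups against the rules above: ASCII-only names, a leading scope letter that matches the group's real scope, and an R/RW suffix on domain local groups; the exact layout (letter, dash, name, dash, R or RW) and the function name are assumptions, and the sample objects are constructed.

```powershell
# Added example, not from the original article. Flags groups whose name does not
# follow the convention, including a prefix letter that contradicts the real scope.
function Test-ADGroupNaming {
    param([Parameter(Mandatory)]$Group)   # any object with Name and GroupScope, as Get-ADGroup returns
    $scope  = [string]$Group.GroupScope
    $letter = @{ Global = 'G'; DomainLocal = 'D'; Universal = 'U' }[$scope]
    $issues = @()
    if ($Group.Name -notmatch '^[\x20-\x7E]+$') { $issues += 'contains non-ASCII characters' }
    if ($Group.Name -notmatch "^$letter-")      { $issues += "expected prefix '$letter-' for a $scope group" }
    if ($scope -eq 'DomainLocal' -and $Group.Name -notmatch '-(R|RW)$') { $issues += 'domain local group without R/RW suffix' }
    [pscustomobject]@{ Name = $Group.Name; Scope = $scope; Compliant = ($issues.Count -eq 0); Issues = ($issues -join '; ') }
}

# Constructed sample objects standing in for Get-ADGroup output
$samples = @(
    [pscustomobject]@{ Name = 'G-Marketing';       GroupScope = 'Global' }        # compliant
    [pscustomobject]@{ Name = 'D-Share-Sales-RW';  GroupScope = 'DomainLocal' }   # compliant
    [pscustomobject]@{ Name = 'Sales Share';       GroupScope = 'DomainLocal' }   # no prefix, no suffix
    [pscustomobject]@{ Name = 'U-Projekt-Müller';  GroupScope = 'Universal' }     # non-ASCII character
    [pscustomobject]@{ Name = 'G-Finance-Share-R'; GroupScope = 'DomainLocal' }   # prefix says global, scope is domain local
)
$samples | ForEach-Object { Test-ADGroupNaming $_ } | Format-Table -AutoSize

# Against the domain, skipping the Windows-defined groups (RID below 1000) that your rules do not name
Get-ADGroup -Filter * |
    Where-Object { [int](($_.SID.Value -split '-')[-1]) -ge 1000 } |
    ForEach-Object { Test-ADGroupNaming $_ } |
    Where-Object { -not $_.Compliant }
```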
Creating a Group Using the ADUC Snap-in
The easiest way to create a new group in the AD domain is to use the Active Directory Users and Computers graphical console. Go to the AD organizational unit in which you want to create the group, right-click on it, and select New > Group.
Specify a unique group name, select the group type and scope, and click OK.
To add a user to the group, search for the group name in the Active Directory Users and Computers console and double-click on it. In the group properties window, click the Members tab and use the Add button to add users, computers, or other groups.
Note that when adding members to a group, the search covers only the following object types by default: Users, Groups, and Service Accounts. If you want to add another kind of AD object to the security group (such as a computer or contact), click Object Types and check Contacts and Computers. Now you can select all types of Active Directory objects.
You can also add a user to the group by right-clicking on it and selecting the item Add to a group. This is quite handy when you need to bulk add users to a group.
Note that on the Member Of tab in the properties of any Active Directory user, its Primary Group is specified. The primary group ID was introduced to support the UNIX POSIX model of access control. In Active Directory, the PrimaryGroupID attribute of a user must be the RID (relative identifier) of the group the user is to be associated with. By default, all Active Directory users have a PrimaryGroupID of 513 (the Domain Users group).
Only global or universal security groups can be set as the primary group. This means you cannot specify a domain local group or any distribution group as the primary group.
Not all resources honor the primary group setting. In most cases you should not change the Primary Group attribute, except in special cases related to POSIX applications and Mac clients.
You can also create new groups from the graphical Active Directory Administrative Center (dsac.exe). Right-click on the domain name or OU and select New > Group.
Fill in the following mandatory fields:
- Group name.
- Group Scope (Global/Domain local/Universal).
- Group type (Security/Distribution).
Here you can also set a description for the group, enable/disable the Protect from accidental deletion option, add users to the group, etc.
Click OK to create the group.
To remove a user from a group, search for the group by name using Global Search and open its properties. Go to the Members tab, select the user you want to remove and click the Remove button. Click OK to save your changes.
How to Create and Modify Active Directory Groups Using PowerShell?
To create Active Directory groups, use the New-ADGroup cmdlet from the Active Directory module for Windows PowerShell. Install the Active Directory PowerShell module and import its cmdlets into your PowerShell session before running the commands below.
The group type (Security or Distribution) is specified with the -GroupCategory parameter. The group scope is specified with the -GroupScope parameter (valid values: DomainLocal, Global, or Universal).
To create a new global distribution group in the target OU, you can use the command:
New-ADGroup -Path "OU=Groups,OU=Brasil,DC=theitbros,DC=com" -Name "BrasilUsers" -GroupScope Global -GroupCategory Distribution
If you want to find all distribution groups in your domain, use the following cmdlet:
Get-ADGroup -Filter 'groupcategory -eq "Distribution"'
Using the following command, you can create a new security group:
New-ADGroup -Name RemoteAccessUsers -GroupScope Universal -GroupCategory Security -Path "OU=Groups,OU=USA,DC=theitbros,DC=com"
You can change Active Directory group attributes using the Set-ADGroup cmdlet. For example, you want to add a description to the security group you have created earlier:
Set-ADGroup RemoteAccessUsers -Description "Users that can access corporate network over DirectAccess and VPN server"
Now you can add users to this group using Add-ADGroupMember cmdlet:
Add-ADGroupMember RemoteAccessUsers -Members user1,user2,user3
To remove a user from an AD group, use the Remove-ADGroupMember cmdlet:
Remove-ADGroupMember -Identity RemoteAccessUsers -Members user1, user2
Confirm the user membership removal by pressing Y > Enter.
To completely remove an Active Directory group, run:
Remove-ADGroup -Identity RemoteAccessUsers
When you delete a group, you will be prompted to confirm the deletion. To disable removal confirmation, add the Confirm parameter:
Remove-ADGroup -Identity RemoteAccessUsers -Confirm:$false
To get all the information about the specified group, use the Get-ADGroup cmdlet:
Get-ADGroup 'Domain Admins'
DistinguishedName : CN=Domain Admins,CN=Users,DC=theitbros,DC=com
GroupCategory : Security
GroupScope : Global
Name : Domain Admins
ObjectClass : group
ObjectGUID : f04fbf5d-c917-43fb-9235-b214f6ea4156
SamAccountName : Domain Admins
SID : S-1-5-21-3243688314-1360023605-3291231821-512
You can calculate the total number of users in the group:
(Get-ADGroupMember -Identity 'Domain Admins').Count
You can list (export) members of the Active Directory group using the Get-ADGroupMember cmdlet.
To list the AD groups that the user account belongs to (including nested groups), run the command:
Get-ADUser jbrion -Properties memberOf | Select-Object -ExpandProperty memberOf
Sometimes you need to copy a user’s membership in a large number of AD groups. If the user is a member of many groups, doing it manually is very tedious. To copy all group memberships from one domain user to another user account, use the following PowerShell script:
$SourceADUser = 'jbrion'; $TargetADUser = 'newuser'   # sAMAccountNames; 'newuser' is a placeholder
$SourceADGroups = Get-ADPrincipalGroupMembership -Identity $SourceADUser
# Skip groups the target is already in (at least Domain Users, its primary group) to avoid "already a member" errors
Add-ADPrincipalGroupMembership -Identity $TargetADUser -MemberOf ($SourceADGroups | Where-Object { $_.DistinguishedName -notin (Get-ADPrincipalGroupMembership -Identity $TargetADUser).DistinguishedName })
Another useful example. Let’s find all AD groups containing *Admin* in the name and display the users who are members of these groups (to display only unique accounts, use the -Unique parameter):
Get-ADGroup -Filter 'SamAccountName -like "*Admin*"' | Get-ADGroupMember -Recursive | Select-Object -Unique
If the group includes users from other forests, the Get-ADGroupMember cmdlet will return an error:
Get-ADGroupMember : The specified directory service attribute or value does not exist
Hint. The Get-ADGroupMember cmdlet does not support cross-AD forest users.
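As an added example (not the article's own code), two queries that serve the membership tasks above: listing the groups a user belongs to through any nesting depth, and listing a group's members in a way that copes with the cross-forest error just mentioned. Both use the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) that the domain controller evaluates server-side; the function names are assumptions.

```powershell
# Added example, not from the original article. When Get-ADGroupMember fails, the
# fallback reads the raw member attribute, which still lists the foreign security
# principal DNs the cmdlet cannot resolve, and resolves their SIDs where a trust allows.
function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape the characters that are special inside an LDAP filter (RFC 4515)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-ADNestedGroupMember {
    param([Parameter(Mandatory)][string]$Identity)
    $dn = (Get-ADGroup -Identity $Identity).DistinguishedName
    try {
        Get-ADGroupMember -Identity $dn -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Get-ADGroupMember failed for '$Identity': $($_.Exception.Message). Reading the member attribute instead."
        # Members from this domain reachable through any depth of nesting.
        # Note: accounts whose primaryGroupID points at this group are not listed by either method.
        Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $dn))"
        # Direct members from other forests appear as foreign security principals; resolve their SIDs
        (Get-ADGroup -Identity $dn -Properties member).member |
            Where-Object { $_ -like '*,CN=ForeignSecurityPrincipals,*' } |
            ForEach-Object {
                $sid  = (Get-ADObject -Identity $_ -Properties objectSid).objectSid
                $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { 'unresolved (trust or lookup problem)' }
                [pscustomobject]@{ Name = $name; ObjectClass = 'foreignSecurityPrincipal'; SID = $sid.Value; DistinguishedName = $_ }
            }
    }
}

# All groups a user belongs to through any nesting depth. The user's own memberOf
# attribute lists only the groups it is a direct member of; the matching rule walks the chain.
function Get-ADUserNestedGroup {
    param([Parameter(Mandatory)][string]$Identity)
    $dn = (Get-ADUser -Identity $Identity).DistinguishedName
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $dn))" |
        Select-Object Name, GroupScope, GroupCategory
}

Get-ADNestedGroupMember -Identity 'Domain Admins' | Select-Object Name, ObjectClass, DistinguishedName
Get-ADUserNestedGroup -Identity jbrion
```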
If you want to get a Primary group ID, use the following PowerShell script:
$primaryGroupID = (Get-ADUser jbrion -Properties primaryGroupID).primaryGroupID   # RID of the user's primary group (513 by default)
$ADdomainSID = Get-ADDomain | Select-Object -ExpandProperty DomainSID | Select-Object -ExpandProperty Value
Get-ADGroup -Identity "$ADdomainSID-$primaryGroupID"   # domain SID plus RID gives the group's SID
Active Directory functional levels of Windows Server 2012 R2 and newer support Time-based group membership. This feature allows administrators to assign temporary group membership, which is expressed as a Time to Live (TTL) value. This value will be added to the Kerberos ticket. This is also called the expiring links feature.
You can add a user to a group temporarily using PowerShell. For example, you want to add a user to a security group for only 2 days to assign temporary permissions. Run the following PowerShell command:
Add-ADGroupMember -Identity g_CA_Sales -Members b.jackson -MemberTimeToLive (New-TimeSpan -Days 2)
After two days, the user account will be automatically removed from the group. To view the remaining time (in seconds) that a user will remain in a group, run:
Get-ADGroup g_CA_Sales -Property member -ShowMemberTimeToLive
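As an added example (not the article's own code), a PowerShell parser for the member values that -ShowMemberTimeToLive returns (strings of the form <TTL=seconds,DN> for temporary members), wrapped in a report that first checks the optional feature behind expiring links, Privileged Access Management Feature, is enabled in the forest; the function names are assumptions and the sample values are constructed.

```powershell
# Added example, not from the original article. Turns <TTL=seconds,DN> entries into
# an expiry report so temporary memberships can be reviewed before they lapse.
function ConvertFrom-ADTtlMember {
    param([Parameter(Mandatory)][string]$Entry, [datetime]$Now = (Get-Date))
    if ($Entry -match '^<TTL=(\d+),(.+)>$') {
        $ttl = [int]$Matches[1]
        [pscustomobject]@{ Member = $Matches[2]; Permanent = $false; RemainingHours = [math]::Round($ttl / 3600, 1); Expires = $Now.AddSeconds($ttl) }
    } else {
        [pscustomobject]@{ Member = $Entry; Permanent = $true; RemainingHours = $null; Expires = $null }
    }
}

# Constructed sample values in the shape the cmdlet returns
$sample = @(
    '<TTL=172800,CN=b.jackson,OU=Users,DC=theitbros,DC=com>'   # added with -MemberTimeToLive (New-TimeSpan -Days 2)
    '<TTL=1800,CN=j.doe,OU=Users,DC=theitbros,DC=com>'         # 30 minutes left
    'CN=a.smith,OU=Users,DC=theitbros,DC=com'                  # ordinary, permanent member
)
$sample | ForEach-Object { ConvertFrom-ADTtlMember -Entry $_ } | Format-Table -AutoSize

function Get-ADTemporaryMember {
    param([Parameter(Mandatory)][string]$Identity)
    $pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
    if (-not $pam.EnabledScopes) {
        Write-Warning 'Privileged Access Management Feature is not enabled in this forest; -MemberTimeToLive is not honoured'
    }
    $now = Get-Date
    (Get-ADGroup -Identity $Identity -Properties member -ShowMemberTimeToLive).member |
        ForEach-Object { ConvertFrom-ADTtlMember -Entry $_ -Now $now }
}

# Report which members of the group are temporary and when they drop out
Get-ADTemporaryMember -Identity g_CA_Sales | Sort-Object Permanent, Expires | Format-Table -AutoSize
```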
In this article, you’ve learned about groups in Active Directory. We’ve covered group types and scopes, and how to create and manage groups using the ADUC GUI and the Active Directory module for Windows PowerShell.