Active Directory groups are collections of Active Directory objects. A group can include users, computers, other groups, and other AD objects, and the administrator manages the group as a single object. In Windows, there are 7 types of groups: two domain group types with three scopes each, plus local security groups. In this article, we’ll talk about the different types of Active Directory groups, the differences between them, group scopes, and show you how to create AD groups and manage them in several ways.
Types of Active Directory Groups
Active Directory groups can be used:
- To simplify administration by assigning share (resource) permissions to a group rather than to individual users. When you assign permissions to a group, all of its members get the same access to the resource;
- To delegate control by assigning user rights to a group using Group Policies. Later, you can add new members to the group who need the rights granted to it;
- To create email distribution lists.
There are two types of AD groups:
- Active Directory Security Groups. This type of group is a security principal and is used to provide access to resources. For example, if you want to grant a specific set of users access to files in a network shared folder, you create a security group;
- Active Directory Distribution Groups. This type of group is used to create email distribution lists (usually used with Microsoft Exchange Server). An e-mail sent to such a group reaches all users (recipients) in the group. This type of group cannot be used to provide access to domain resources, because it is not security enabled.
Note. You can assign an email attribute to a security group (by converting it to a mail-enabled security group) and use it in mailing lists, but this is not recommended.
Technically, Distribution groups differ from Security Enabled groups by one bit in the groupType attribute. For a Security group, this attribute will contain the SECURITY_ENABLED bit.
There are three group scopes for each group type:
- Domain local. Used to manage access permissions to various domain resources (NTFS permissions on files and folders, remote desktop access, granting Windows privileges, use in GPO security filtering, etc.), but only in the domain where the group was created. A domain local group cannot be used in other domains (however, it may include users from another domain). A domain local group can be contained in another domain local group, but it cannot be added to a global group;
- Global. This group scope can be used to provide access to resources in another domain. You can add only accounts from the same domain in which the group was created. A global group can be added to other global and domain local groups;
- Universal. Recommended for large Active Directory forests. Using this group scope, you can define roles and manage resources that are distributed across multiple domains. If your network has many branches connected over WAN links, it is preferable to use universal groups only for groups whose membership rarely changes, because changing a universal group causes the Global Catalog to be replicated throughout the whole enterprise.
There are also local groups. These groups are created in the local Security Accounts Administrator (SAM) database on the specific computer. The difference from domain groups: local groups work even if the domain controllers cannot be contacted.
You can change an AD group’s scope or type, but there are several conditions:
- You can convert a Global security group to a Universal group if the group is not a member of another global group;
- You can convert a Domain local group to a Universal group if it does not contain another domain local group as a member;
- A Universal group can be converted to a Domain local group without any restrictions;
- A Universal group can be converted to a Global group if it does not contain another universal group as a member.
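The four conversion rules above can be checked before a conversion is attempted, so that a failed Set-ADGroup call is not the first sign of a problem. The following is an added example, not code from the article; it assumes the ActiveDirectory PowerShell module, read access to the group, its members and the groups it belongs to, and a group named RemoteAccessUsers that exists in your domain. Any scope change that is not one of the four listed above is reported as blocked.

```powershell
# Added example: verify the scope conversion preconditions before calling
# Set-ADGroup -GroupScope. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Test-ADGroupScopeConversion {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('DomainLocal', 'Global', 'Universal')] [string] $TargetScope
    )

    $group   = Get-ADGroup -Identity $Identity -Properties member, memberOf
    $current = $group.GroupScope.ToString()

    # Scopes of the groups this group is a direct member of ("parents")
    $parentScopes = @(foreach ($dn in $group.memberOf) {
        (Get-ADGroup -Identity $dn).GroupScope.ToString()
    })

    # Scopes of the groups that are direct members of this group ("children");
    # non-group members (users, computers) do not affect the rules
    $childScopes = @(foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn
        if ($obj.ObjectClass -eq 'group') { (Get-ADGroup -Identity $dn).GroupScope.ToString() }
    })

    $blockers = @()
    switch ("$current->$TargetScope") {
        'Global->Universal' {
            if ($parentScopes -contains 'Global') { $blockers += 'group is a member of another global group' }
        }
        'DomainLocal->Universal' {
            if ($childScopes -contains 'DomainLocal') { $blockers += 'group contains another domain local group' }
        }
        'Universal->Global' {
            if ($childScopes -contains 'Universal') { $blockers += 'group contains another universal group' }
        }
        'Universal->DomainLocal' { }   # no restrictions
        default {
            if ($current -eq $TargetScope) { $blockers += 'group already has the requested scope' }
            else { $blockers += "$current -> $TargetScope is not one of the four supported conversions" }
        }
    }

    [pscustomobject]@{
        Group      = $group.Name
        From       = $current
        To         = $TargetScope
        CanConvert = ($blockers.Count -eq 0)
        Blockers   = $blockers
    }
}

# Usage: convert only when the precheck passes (group name is an assumption)
$check = Test-ADGroupScopeConversion -Identity 'RemoteAccessUsers' -TargetScope Global
if ($check.CanConvert) {
    Set-ADGroup -Identity 'RemoteAccessUsers' -GroupScope Global
} else {
    Write-Warning "Cannot convert $($check.Group): $($check.Blockers -join '; ')"
}
```

The check only looks at direct membership in both directions, which is what the rules above describe; it does not try to predict every error the domain controller might still return, so keep the Set-ADGroup call inside the conditional.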
Default (Built-in) AD Domain Groups
When you create a new AD domain, several predefined (built-in) security groups with a DomainLocal scope are created. These predefined groups can be used to control access to shared resources and delegate specific administrative permissions on the domain level. Default AD groups are located in a special AD container Builtin.
Only user accounts can be added to these groups: you cannot add built-in AD groups to each other (group nesting) or add user-defined domain groups to them.
You can list the predefined AD group using PowerShell:
Get-ADGroup -SearchBase 'CN=Builtin,DC=theitbros,DC=com' -Filter * | Format-Table Name,GroupScope,GroupCategory,SID -AutoSize
Name                                GroupScope  GroupCategory SID
----                                ----------  ------------- ---
Administrators                      DomainLocal Security      S-1-5-32-544
Users                               DomainLocal Security      S-1-5-32-545
Guests                              DomainLocal Security      S-1-5-32-546
Print Operators                     DomainLocal Security      S-1-5-32-550
Backup Operators                    DomainLocal Security      S-1-5-32-551
Replicator                          DomainLocal Security      S-1-5-32-552
Remote Desktop Users                DomainLocal Security      S-1-5-32-555
Network Configuration Operators     DomainLocal Security      S-1-5-32-556
Performance Monitor Users           DomainLocal Security      S-1-5-32-558
Performance Log Users               DomainLocal Security      S-1-5-32-559
Distributed COM Users               DomainLocal Security      S-1-5-32-562
IIS_IUSRS                           DomainLocal Security      S-1-5-32-568
Cryptographic Operators             DomainLocal Security      S-1-5-32-569
Event Log Readers                   DomainLocal Security      S-1-5-32-573
Certificate Service DCOM Access     DomainLocal Security      S-1-5-32-574
RDS Remote Access Servers           DomainLocal Security      S-1-5-32-575
RDS Endpoint Servers                DomainLocal Security      S-1-5-32-576
RDS Management Servers              DomainLocal Security      S-1-5-32-577
Hyper-V Administrators              DomainLocal Security      S-1-5-32-578
Access Control Assistance Operators DomainLocal Security      S-1-5-32-579
Remote Management Users             DomainLocal Security      S-1-5-32-580
Server Operators                    DomainLocal Security      S-1-5-32-549
Account Operators                   DomainLocal Security      S-1-5-32-548
Pre-Windows 2000 Compatible Access  DomainLocal Security      S-1-5-32-554
Incoming Forest Trust Builders      DomainLocal Security      S-1-5-32-557
Windows Authorization Access Group  DomainLocal Security      S-1-5-32-560
Terminal Server License Servers     DomainLocal Security      S-1-5-32-561
Please note that the built-in AD groups use a special SID format: S-1-5-32-xxx (xxx from 500 to 1000). For regular AD groups, the SID looks like S-1-5-21-yyy-zzz, where yyy is the domain identifier and zzz is the Relative ID (RID).
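The two SID shapes described above are easy to tell apart programmatically, which is useful when auditing group membership reports where only SIDs are available. The following is an added example, not code from the article: ConvertFrom-GroupSid is a hypothetical helper that splits a group SID into its kind (built-in or domain), domain identifier and RID, and runs offline on the two sample SIDs copied from this article; the final pipeline assumes the ActiveDirectory module and summarizes every group in the domain by SID kind.

```powershell
# Added example: classify group SIDs by the format described in the article.
function ConvertFrom-GroupSid {
    param([Parameter(Mandatory)] [string] $Sid)

    if ($Sid -notmatch '^S-1-5-(\d+)(-\d+)*-(\d+)$') { throw "Not a well-formed NT SID: $Sid" }
    $parts = $Sid -split '-'          # S, 1, 5, <authority...>, <RID>
    $rid   = [int] $parts[-1]

    switch ($parts[3]) {
        '32'    { $kind = 'BuiltIn'; $domainSid = 'S-1-5-32' }                           # BUILTIN domain
        '21'    { $kind = 'Domain';  $domainSid = $parts[0..($parts.Count - 2)] -join '-' } # domain SID without RID
        default { $kind = 'Other';   $domainSid = $null }
    }

    [pscustomobject]@{
        SID       = $Sid
        Kind      = $kind
        DomainSID = $domainSid
        RID       = $rid
        # Built-in groups and domain RIDs below 1000 (e.g. 512 Domain Admins, 513 Domain Users)
        # are well-known; RIDs from 1000 upwards are allocated to objects you create
        WellKnown = ($kind -eq 'BuiltIn' -or ($kind -eq 'Domain' -and $rid -lt 1000))
    }
}

# Offline check on constructed input: the two SIDs quoted in this article
'S-1-5-32-544', 'S-1-5-21-3243688314-1360023605-3291231821-512' |
    ForEach-Object { ConvertFrom-GroupSid $_ } | Format-Table -AutoSize

# Live: summarize every group in the domain by SID kind (requires ActiveDirectory module)
Import-Module ActiveDirectory
Get-ADGroup -Filter * | ForEach-Object {
    $info = ConvertFrom-GroupSid $_.SID.Value
    [pscustomobject]@{ Name = $_.Name; Kind = $info.Kind; RID = $info.RID; WellKnown = $info.WellKnown }
} | Sort-Object Kind, RID | Format-Table -AutoSize
```

Sorting by kind and RID puts the well-known groups first, so a membership audit can start with the groups that carry fixed privileges regardless of what they have been renamed to.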
Creating a Group Using the ADUC Snap-in
The easiest way to create a new group in the AD domain is to use the Active Directory Users and Computers graphical console. Go to the AD organizational unit in which you want to create the group, right-click on it, and select New > Group.
Specify a unique group name, select the group type and scope, and click OK.
To add a user to the group, search for the group name in the Active Directory Users and Computers console and double-click on it. In the group properties window, click the Members tab and use the Add button to add users, computers, or other groups.
Note that when adding members to a group, the search covers only the following object types by default: Users, Groups, and Service Accounts. If you want to add another kind of AD object to the security group (such as a computer or contact), click Object Types and check the Contacts and Computers options. Now you can select all types of Active Directory objects.
You can also add a user to the group by right-clicking on it and selecting the item Add to a group. This is quite handy when you need to bulk add users to a group.
Note that on the Member tab in the properties of any Active Directory user, its Primary Group is specified. The Primary Group ID was introduced to support the UNIX POSIX model of controlling access to resources. In Active Directory, the PrimaryGroupID attribute of a user must be the RID (relative identifier) of the group the user is to be associated with. By default, all Active Directory users have a PrimaryGroupID of 513 (the Domain Users group).
Only global or universal security groups can be specified as the primary group. This means you cannot specify a domain local group or any distribution group as the primary group.
Not all resources honor the primary group setting. In most cases, you should not change the Primary Group attribute, except in special cases related to POSIX applications and Mac clients.
How to Create and Modify Active Directory Groups Using PowerShell?
To create Active Directory groups, use the New-ADGroup cmdlet from the Active Directory module for Windows PowerShell. Install the Active Directory PowerShell module and import its cmdlets into your PowerShell session.
Whether the group is a Security or Distribution group is specified with the -GroupCategory parameter. The scope of the group is specified with the -GroupScope parameter (valid values: DomainLocal, Global, or Universal).
To create a new global distribution group in the target OU, you can use the command:
New-ADGroup -Path "OU=Groups,OU=Brasil,DC=theitbros,DC=com" -Name "BrasilUsers" -GroupScope Global -GroupCategory Distribution
If you want to find all distribution groups in your domain, use the following cmdlet:
Get-ADGroup -Filter 'groupcategory -eq "Distribution"'
Using the following command, you can create a new security group:
New-ADGroup -Name RemoteAccessUsers -GroupScope Universal -GroupCategory Security -Path "OU=Groups,OU=USA,DC=theitbros,DC=com"
You can change Active Directory group attributes using the Set-ADGroup cmdlet. For example, you want to add a description to the security group you have created earlier:
Set-ADGroup RemoteAccessUsers -Description "Users that can access corporate network over DirectAccess and VPN server"
Now you can add users to this group using Add-ADGroupMember cmdlet:
Add-ADGroupMember RemoteAccessUsers -Members user1,user2,user3
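The three commands above (create the group, set its description, add members) are usually run from a script that may be executed more than once. The following is an added example, not code from the article: it performs the same steps idempotently, so a second run neither fails on an existing group nor reports members that are already present. The OU path, group name, description and member names are taken from the article's commands and are assumed to exist in your domain.

```powershell
# Added example: idempotent version of the create / describe / add-members steps.
# Assumes the ActiveDirectory module; OU, group and user names are assumptions.
Import-Module ActiveDirectory

$ouPath      = 'OU=Groups,OU=USA,DC=theitbros,DC=com'
$groupName   = 'RemoteAccessUsers'
$description = 'Users that can access corporate network over DirectAccess and VPN server'
$members     = 'user1', 'user2', 'user3'

# 1. Create the group only if no group with that sAMAccountName exists yet
$group = Get-ADGroup -Filter "SamAccountName -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
                         -GroupScope Universal -GroupCategory Security `
                         -Path $ouPath -PassThru
}

# 2. Set the description (Set-ADGroup is safe to repeat)
Set-ADGroup -Identity $group -Description $description

# 3. Add only the members that are missing; skip names that do not resolve to a user
$existing = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
foreach ($name in $members) {
    if ($existing -contains $name) { continue }
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'"
    if ($user) { Add-ADGroupMember -Identity $group -Members $user }
    else       { Write-Warning "Skipping '$name': no such user in the domain" }
}

# 4. Verify the final membership
Get-ADGroupMember -Identity $group | Select-Object Name, SamAccountName, objectClass
```

Looking the group up with -Filter rather than -Identity is deliberate: Get-ADGroup -Identity throws when the object does not exist, whereas the filter simply returns nothing, which is the condition the script branches on.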
To get all the information about the specified group, use the Get-ADGroup cmdlet:
Get-ADGroup 'Domain Admins'
DistinguishedName : CN=Domain Admins,CN=Users,DC=theitbros,DC=com
GroupCategory : Security
GroupScope : Global
Name : Domain Admins
ObjectClass : group
ObjectGUID : f04fbf5d-c917-43fb-9235-b214f6ea4156
SamAccountName : Domain Admins
SID : S-1-5-21-3243688314-1360023605-3291231821-512
You can calculate the total number of users in the group:
(Get-ADGroupMember -Identity 'Domain Admins').Count
You can list (export) members of the Active Directory group using the Get-ADGroupMember cmdlet.
To list the AD groups that the user account belongs to (including nested groups), run the command:
Get-ADUser jbrion -properties memberof | select memberof -expandproperty memberof
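The memberOf attribute read above holds the groups a user was added to directly; groups reached only through nesting, and the user's primary group, are not stored in it. The following is an added example, not code from the article, that lists the transitive membership instead. It uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), which makes the domain controller walk the member attribute chain, and adds the primary group by building its SID from the domain SID and primaryGroupID as described earlier. Get-ADUserGroupsRecursive and ConvertTo-LdapFilterValue are hypothetical helper names; the user account jbrion is the one used in the article.

```powershell
# Added example: transitive group membership of a user, labelled by how each
# membership is reached. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters that RFC 4515 forbids unescaped inside a filter value
    param([Parameter(Mandatory)] [string] $Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-ADUserGroupsRecursive {
    param([Parameter(Mandatory)] [string] $Identity)

    $user   = Get-ADUser -Identity $Identity -Properties memberOf, primaryGroupID
    $direct = @($user.memberOf)

    # All groups whose member chain reaches this user (direct and nested)
    $dn    = ConvertTo-LdapFilterValue $user.DistinguishedName
    $chain = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")

    # Primary group: <domain SID>-<primaryGroupID>, not present in member/memberOf
    $domainSid = (Get-ADDomain).DomainSID.Value
    $primary   = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"

    foreach ($g in ($chain + @($primary) | Sort-Object DistinguishedName -Unique)) {
        [pscustomobject]@{
            Name              = $g.Name
            GroupScope        = $g.GroupScope
            DistinguishedName = $g.DistinguishedName
            Via = if ($g.DistinguishedName -eq $primary.DistinguishedName) { 'PrimaryGroup' }
                  elseif ($direct -contains $g.DistinguishedName) { 'Direct' }
                  else { 'Nested' }
        }
    }
}

# Usage with the account name used in the article
Get-ADUserGroupsRecursive -Identity jbrion | Sort-Object Via, Name | Format-Table -AutoSize
```

The Via column is the part worth keeping in an access review: a user whose effective membership in a sensitive group is reported as Nested has that access through a chain that a plain memberOf listing would never show.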
Sometimes the task arises to copy a user’s membership in a large number of AD groups. If the user is a member of a large number of groups, doing it manually is very tedious. To copy all security groups from one domain user and add them to another user account, use the following PowerShell script:
$SourceADUser= “j.brion" $TargetADUser=”b.semenov” $SourceADGroups = Get-ADPrincipalGroupMembership -Identity $SourceADUser Add-ADPrincipalGroupMembership -Identity $TargetADUser -MemberOf $SourceADGroups
Another useful example. Let’s find all AD groups containing *Admin* in the name and display the users who are members of these groups (to display only unique accounts, use the -Unique parameter of Select-Object):
Get-ADGroup -Filter 'SamAccountName -like "*Admin*"' | Get-ADGroupMember -Recursive | Select-Object -Unique
If the group includes users from other forests, the Get-ADGroupMember cmdlet will return an error:
Get-ADGroupMember : The specified directory service attribute or value does not exist
Hint. The Get-ADGroupMember cmdlet does not support members from other AD forests.
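When a group contains accounts from a trusted forest, those members are stored as foreignSecurityPrincipal objects that hold only the foreign SID, and Get-ADGroupMember fails on the whole group as shown above. The following is an added example, not code from the article: Get-ADGroupMemberSafe is a hypothetical helper that reads the group's member attribute and resolves each entry with Get-ADObject, so a foreign principal is reported as a row (with its SID translated to a name when the trust is reachable, or left as an unresolved SID otherwise) instead of aborting the listing. It assumes the ActiveDirectory module and uses the Domain Admins group from the article as its input.

```powershell
# Added example: member enumeration that tolerates cross-forest members.
# Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ADGroupMemberSafe {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [switch] $Recursive
    )

    $seen  = [System.Collections.Generic.HashSet[string]]::new()
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue((Get-ADGroup -Identity $Identity).DistinguishedName)

    while ($queue.Count -gt 0) {
        $groupDn = $queue.Dequeue()
        if (-not $seen.Add($groupDn)) { continue }          # guard against nested-group cycles
        $group = Get-ADGroup -Identity $groupDn -Properties member

        foreach ($dn in $group.member) {
            # The AD module exposes objectSid as a SecurityIdentifier object
            $obj     = Get-ADObject -Identity $dn -Properties objectSid, sAMAccountName
            $foreign = $null

            if ($obj.ObjectClass -eq 'foreignSecurityPrincipal') {
                # Only the SID is stored locally; the name lives in the trusted forest
                try   { $foreign = $obj.objectSid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $foreign = "unresolved SID $($obj.objectSid.Value)" }
            }
            elseif ($Recursive -and $obj.ObjectClass -eq 'group') {
                $queue.Enqueue($dn)                         # expand nested groups on later iterations
            }

            [pscustomobject]@{
                Group             = $group.Name
                ObjectClass       = $obj.ObjectClass
                SamAccountName    = $obj.sAMAccountName
                Foreign           = $foreign
                DistinguishedName = $dn
            }
        }
    }
}

# Usage: members of the group queried earlier in the article, nested groups expanded
Get-ADGroupMemberSafe -Identity 'Domain Admins' -Recursive | Format-Table -AutoSize
```

Rows whose Foreign column starts with "unresolved SID" deserve a second look in an audit: they are either members from a forest whose trust is currently unreachable or leftovers from a trust that no longer exists, and in both cases the group grants access to an identity the local domain can no longer name.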
To resolve the group that a user’s Primary Group ID refers to, use the following PowerShell script (the account name is the one used earlier in this article):
# The primary group's SID is <domain SID>-<primaryGroupID>
$primaryGroupID = (Get-ADUser -Identity jbrion -Properties primaryGroupID).primaryGroupID
$ADdomainSID = Get-ADDomain | Select-Object -ExpandProperty DomainSID | Select-Object -ExpandProperty Value
Get-ADGroup -Identity ($ADdomainSID + "-" + $primaryGroupID)
In this article, you’ve learned about groups in Active Directory. We’ve covered group types and scopes, and how to create and manage groups using the ADUC GUI and the Active Directory module for Windows PowerShell.