Active Directory Groups Types

A group in Active Directory is a collection of Active Directory objects: users, computers, other groups and other AD objects can all be members. The administrator manages the group as a single object. There are seven kinds of groups in Windows: two domain group types, each available in three scopes, plus the local security groups of individual computers. In this post we go over the types of Active Directory groups, their differences, the group scopes, and how to create and manage AD groups in several ways.

Active Directory Groups Types

Active Directory groups are used in the following ways:

  • To simplify management by granting access to a share (resource) to a group rather than to individual users. When you grant permissions to a group, all of its members get the same level of access to the resource.

  • To delegate rights by assigning user rights to a group through Group Policy. Users who later need the rights granted by the group are simply added to it.

  • To build mailing lists for e-mail.

There are two types of AD groups:

  • Security groups. A security group is a security principal: its SID is placed in the access tokens of its members and can be used in access control lists, so this type is used to grant access to resources. For example, to give a set of people access to files in a network shared folder, you create a security group, grant it permissions on the folder, and add the users to it.
  • Distribution groups. This type is used to build e-mail distribution lists (usually with Microsoft Exchange Server). A message sent to such a group is delivered to all of its members (recipients). A distribution group is not security-enabled, so its SID never appears in an access token and it cannot be used to grant access to domain resources.
    Note. A security group can also be given an e-mail address and used as a mailing list (a mail-enabled security group), but this is not recommended.

Security and distribution groups differ in a single bit of the groupType attribute: a security group has the GROUP_TYPE_SECURITY_ENABLED flag (0x80000000) set, a distribution group does not. The low bits of the same attribute encode the scope (0x2 global, 0x4 domain local, 0x8 universal, plus 0x1 for the built-in local groups).

Each group type is available in three scopes:

  • Domain local. Used to assign permissions to resources in the domain where the group was created (NTFS permissions on files and folders, Remote Desktop access, user rights, GPO security filtering, and so on). A domain local group cannot be used in other domains, but it can contain users and groups from any domain (and from trusted forests). It can be nested in another domain local group of the same domain, but it cannot be a member of a global group;
  • Global. This scope can be used to grant access to resources in any domain of the forest (or in a trusting forest). A global group can contain only accounts and other global groups from its own domain; domain local and universal groups cannot be added to it;
  • Universal. Recommended for large forests with several domains: you can define roles and manage resources spread across many domains with a single group. A universal group can contain accounts, global groups and other universal groups from any domain in the forest. Its membership is stored in the global catalog, so every membership change is replicated to all global catalog servers in the forest; if your network has many branches connected over WAN links, use universal groups only where membership changes infrequently.
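The function below is an added example (it is not part of the original post): it decodes a raw groupType value into the category and scope that the ActiveDirectory module presents as GroupCategory and GroupScope, using the flag encoding described above. This matters when you read the attribute with a plain LDAP client or write bitwise LDAP filters on it. The sample values are constructed from the documented encoding rather than read from a directory, and the group name AllStaff is hypothetical.

```powershell
# Added example: decode the groupType attribute. Flag values are the documented
# GROUP_TYPE_* constants; the sample inputs below are constructed, not read from a domain.
function ConvertFrom-ADGroupType {
    param(
        [Parameter(Mandatory)][int]$GroupType,
        [string]$Name = ''
    )
    # groupType is a signed 32-bit integer whose sign bit (0x80000000) is the
    # security-enabled flag, so normalise to the unsigned value before testing bits.
    [int64]$bits = $GroupType
    if ($bits -lt 0) { $bits += 4294967296 }

    # 0x80000000 written in decimal: PowerShell parses an 8-digit hex literal as a signed int32
    $securityEnabled = ($bits -band 2147483648) -ne 0

    if     ($bits -band 2) { $scope = 'Global' }        # GROUP_TYPE_ACCOUNT_GROUP
    elseif ($bits -band 4) { $scope = 'DomainLocal' }   # GROUP_TYPE_RESOURCE_GROUP
    elseif ($bits -band 8) { $scope = 'Universal' }     # GROUP_TYPE_UNIVERSAL_GROUP
    else                   { $scope = 'Unknown' }

    $category = 'Distribution'
    if ($securityEnabled) { $category = 'Security' }

    [pscustomobject]@{
        Name          = $Name
        GroupType     = $GroupType
        Hex           = ('0x{0:X8}' -f $bits)
        GroupCategory = $category
        GroupScope    = $scope
        IsBuiltin     = ($bits -band 1) -ne 0            # GROUP_TYPE_BUILTIN_LOCAL_GROUP
    }
}

# Constructed samples: a security global group, a built-in group (security, domain local,
# builtin bit set) and a universal distribution group (hypothetical name).
$samples = @(
    @{ Name = 'Domain Admins';  GroupType = -2147483646 }   # 0x80000002
    @{ Name = 'Administrators'; GroupType = -2147483643 }   # 0x80000005
    @{ Name = 'AllStaff';       GroupType = 8 }             # 0x00000008
)
$samples | ForEach-Object { ConvertFrom-ADGroupType -GroupType $_.GroupType -Name $_.Name } |
    Format-Table -AutoSize

# Against a live domain the raw attribute is read with -Properties groupType:
# Get-ADGroup -Filter * -Properties groupType |
#     ForEach-Object { ConvertFrom-ADGroupType -GroupType $_.groupType -Name $_.Name }
```

The three sample rows decode to Security/Global, Security/DomainLocal with IsBuiltin set, and Distribution/Universal; the same flag values are what an LDAP bitwise filter such as (groupType:1.2.840.113556.1.4.803:=2147483648) matches on when you want only security-enabled groups.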

In addition there are local groups, which are stored in a computer’s local Security Account Manager (SAM) database rather than in Active Directory. Unlike domain groups they keep working when no domain controller can be reached; they can contain domain users and groups, but they can only be used on that computer.

The scope of an existing group can be changed later, subject to these rules (a global group cannot be converted directly to domain local or vice versa; convert it to universal first):

  • A global group can be converted to universal if it is not a member of another global group.
  • A domain local group can be converted to universal if it does not contain another domain local group as a member.
  • A universal group can be converted to domain local without restrictions.
  • A universal group can be converted to global if it does not contain another universal group as a member.
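To check these rules before attempting a conversion, the following function (an added example, not code from the original post) asks the domain controller directly: it uses the bitwise-AND LDAP matching rule (OID 1.2.840.113556.1.4.803) on groupType to find the nested groups that would block the change, and only calls Set-ADGroup when nothing blocks it. It requires the ActiveDirectory module and a reachable domain controller; the group names in the usage lines are assumed.

```powershell
# Added example: verify the scope-conversion rules server-side before changing a group.
function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping for a DN embedded in an LDAP filter (backslash must go first)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Test-ADGroupScopeChange {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal', 'Universal')][string]$TargetScope,
        [switch]$Apply   # perform the change with Set-ADGroup when nothing blocks it
    )
    $group  = Get-ADGroup -Identity $Identity
    $dn     = ConvertTo-LdapFilterValue $group.DistinguishedName
    $bitAnd = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND on the groupType scope bits

    $blockers = @()
    $reason   = $null
    switch ("$($group.GroupScope)->$TargetScope") {
        'Global->Universal' {
            # blocked if this group is itself a member of a global group (scope bit 2)
            $blockers = @(Get-ADGroup -LDAPFilter "(&(member=$dn)(groupType:$bitAnd:=2))")
            $reason   = 'group is a member of global group(s)'
        }
        'DomainLocal->Universal' {
            # blocked if this group contains another domain local group (scope bit 4)
            $blockers = @(Get-ADGroup -LDAPFilter "(&(memberOf=$dn)(groupType:$bitAnd:=4))")
            $reason   = 'group contains domain local group(s)'
        }
        'Universal->Global' {
            # blocked if this group contains another universal group (scope bit 8)
            $blockers = @(Get-ADGroup -LDAPFilter "(&(memberOf=$dn)(groupType:$bitAnd:=8))")
            $reason   = 'group contains universal group(s)'
        }
        'Universal->DomainLocal' { }   # always allowed
        default {
            # same scope, or Global<->DomainLocal, which must go through Universal
            throw "Cannot convert $($group.Name) from $($group.GroupScope) directly to $TargetScope"
        }
    }

    $allowed = ($blockers.Count -eq 0)
    if ($allowed) { $reason = $null }
    if ($Apply -and $allowed) {
        Set-ADGroup -Identity $group -GroupScope $TargetScope
    }
    [pscustomobject]@{
        Group    = $group.Name
        From     = $group.GroupScope
        To       = $TargetScope
        Allowed  = $allowed
        Reason   = $reason
        Blockers = ($blockers.Name -join ', ')
    }
}

# Usage (group names assumed for illustration):
# Test-ADGroupScopeChange -Identity 'RemoteAccessUsers' -TargetScope Global
# Test-ADGroupScopeChange -Identity 'BrasilUsers' -TargetScope Universal -Apply
```

The DN is escaped before it is interpolated into the filter because names containing parentheses, asterisks or escaped commas would otherwise break or widen the query. The function checks only the nesting rule; Set-ADGroup still fails if you lack write permission on the group object.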

AD Domain Groups by Default (Built-in)

When you create a new AD domain, several predefined (built-in) security groups with a DomainLocal scope are generated. These default groups can be used to restrict access to shared resources and to delegate specific administrative rights at the domain level. They live in a dedicated container, CN=Builtin, under the domain root.

The built-in groups cannot be deleted, moved or converted to another scope or type, and they cannot be nested inside one another. You can, however, add users, computers and domain groups to them; the default membership of Domain Admins (a global group) in Administrators is an example.

You can list the predefined AD groups with PowerShell (the Builtin container of the solutionviews.com domain used in this post):

Get-ADGroup -SearchBase 'CN=Builtin,DC=solutionviews,DC=com' -Filter * | Format-Table Name,GroupScope,GroupCategory,SID -AutoSize

Name                                GroupScope  GroupCategory SID
----                                ----------  ------------- ---
Administrators                      DomainLocal Security      S-1-5-32-544
Users                               DomainLocal Security      S-1-5-32-545
Guests                              DomainLocal Security      S-1-5-32-546
Print Operators                     DomainLocal Security      S-1-5-32-550
Backup Operators                    DomainLocal Security      S-1-5-32-551
Replicator                          DomainLocal Security      S-1-5-32-552
Remote Desktop Users                DomainLocal Security      S-1-5-32-555
Network Configuration Operators     DomainLocal Security      S-1-5-32-556
Performance Monitor Users           DomainLocal Security      S-1-5-32-558
Performance Log Users               DomainLocal Security      S-1-5-32-559
Distributed COM Users               DomainLocal Security      S-1-5-32-562
IIS_IUSRS                           DomainLocal Security      S-1-5-32-568
Cryptographic Operators             DomainLocal Security      S-1-5-32-569
Event Log Readers                   DomainLocal Security      S-1-5-32-573
Certificate Service DCOM Access     DomainLocal Security      S-1-5-32-574
RDS Remote Access Servers           DomainLocal Security      S-1-5-32-575
RDS Endpoint Servers                DomainLocal Security      S-1-5-32-576
RDS Management Servers              DomainLocal Security      S-1-5-32-577
Hyper-V Administrators              DomainLocal Security      S-1-5-32-578
Access Control Assistance Operators DomainLocal Security      S-1-5-32-579
Remote Management Users             DomainLocal Security      S-1-5-32-580
Server Operators                    DomainLocal Security      S-1-5-32-549
Account Operators                   DomainLocal Security      S-1-5-32-548
Pre-Windows 2000 Compatible Access  DomainLocal Security      S-1-5-32-554
Incoming Forest Trust Builders      DomainLocal Security      S-1-5-32-557
Windows Authorization Access Group  DomainLocal Security      S-1-5-32-560
Terminal Server License Servers     DomainLocal Security      S-1-5-32-561

Note that the built-in groups have a special SID format, S-1-5-32-xxx: S-1-5-32 is the BUILTIN authority and xxx is a fixed, well-known RID (544 to 580 in the list above) that is identical in every domain. Groups created in the domain, including default ones such as Domain Admins, get a SID of the form S-1-5-21-<domain>-<RID>, where the three-part <domain> portion identifies the domain and the relative ID (RID) identifies the object. Default domain groups also have well-known RIDs (512 Domain Admins, 513 Domain Users, 519 Enterprise Admins); well-known RIDs are below 1000, and objects you create get RIDs allocated from 1000 upward.
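Because the built-in RIDs are stable across domains, you can audit the membership of the groups that matter most for security by SID rather than by name. The following script is an added example (not part of the original post): it expands the nested membership of the privileged built-in groups plus Domain Admins, whose RID 512 is domain-relative, and falls back to the raw member attribute when a group contains members from another forest, which Get-ADGroupMember cannot resolve. It needs the ActiveDirectory module and a reachable domain controller.

```powershell
# Added example: enumerate effective members of privileged groups, addressed by well-known SID.
function Get-PrivilegedGroupMembers {
    [CmdletBinding()]
    param()
    $domainSid = (Get-ADDomain).DomainSID.Value
    $privilegedSids = @(
        'S-1-5-32-544'      # Administrators
        'S-1-5-32-548'      # Account Operators
        'S-1-5-32-549'      # Server Operators
        'S-1-5-32-550'      # Print Operators
        'S-1-5-32-551'      # Backup Operators
        "$domainSid-512"    # Domain Admins (domain SID + well-known RID)
    )
    foreach ($sid in $privilegedSids) {
        $group = Get-ADGroup -Identity $sid
        try {
            # -Recursive flattens nested groups down to the user/computer objects
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        } catch {
            # Members from another forest are foreignSecurityPrincipal objects that
            # Get-ADGroupMember cannot resolve; fall back to the raw member attribute
            # (direct members only) rather than dropping the group from the report.
            Write-Warning "$($group.Name): $($_.Exception.Message) - listing direct members only"
            $members = (Get-ADGroup -Identity $group -Properties member).member |
                       ForEach-Object { Get-ADObject -Identity $_ -Properties sAMAccountName }
        }
        foreach ($m in $members) {
            $account = $m.SamAccountName
            if (-not $account) { $account = $m.Name }   # FSPs have no sAMAccountName; their Name is the SID
            [pscustomobject]@{
                Group             = $group.Name
                GroupSID          = $sid
                Member            = $account
                ObjectClass       = $m.ObjectClass
                DistinguishedName = $m.DistinguishedName
            }
        }
    }
}

# Print the report, or export it as a baseline to diff against on the next run
Get-PrivilegedGroupMembers | Sort-Object Group, Member | Format-Table -AutoSize
# Get-PrivilegedGroupMembers | Export-Csv -NoTypeInformation -Path privileged-members.csv
```

Addressing the groups by SID also means the script is not fooled by a renamed Administrators group, and the Domain Admins entry shows how the domain SID and a well-known RID combine into a full group SID.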

Creating a Group Using the ADUC Snap-in

Using the Active Directory Users and Computers graphical console is the simplest approach to create a new group in the AD domain. Select New > Group from the right-click menu of the AD organisational unit where you wish to create the group.

Specify a unique group name, select the group type and scope, and click OK.

To add a user to a group, go to the Active Directory Users and Computers console and double-click on the group name. Click the Members tab in the group properties box and use the Add button to add users, computers, or other groups.

When adding members, the object picker searches only the following object types by default: Users, Groups, and Service Accounts. If you want to add another kind of object to the group (such as a computer or a contact), click Object Types and tick Computers and Contacts; the picker will then find those objects as well.

You can also add a user to a group by right-clicking on it and choosing Add to a group from the menu. This comes in handy when you need to add a large number of people to a group.

The primary group of a user is shown on the Member Of tab of the user’s properties in ADUC. It exists to support the POSIX (UNIX) access model, in which every account has exactly one primary group. In Active Directory the user’s primaryGroupID attribute holds the RID (relative identifier) of that group, so the group’s full SID is the domain SID followed by this value. By default primaryGroupID is 513 for every user, which is the Domain Users group (515, Domain Computers, for computer accounts). Note that this membership is not stored in the group’s member attribute or in the user’s memberOf attribute: a tool that enumerates membership through those attributes alone will miss it.

The primary group must be a global or universal security group that the user already belongs to; a domain local group or a distribution group cannot be used.

Not all resources honour the primary group, and except for specific cases involving POSIX applications and Mac clients you should not change it.

How to Create and Modify Active Directory Groups Using PowerShell?

Use the New-ADGroup cmdlet from the ActiveDirectory module (installed with RSAT on a workstation, or present on any domain controller) to create groups. Import the module into your PowerShell session first:

Import-Module ActiveDirectory

The -GroupCategory parameter specifies the group type (Security or Distribution), and -GroupScope the scope (valid values: DomainLocal, Global, or Universal).

To create a new global distribution group in the target OU, you can use the command

New-ADGroup -Path "OU=Groups,OU=Brasil,DC=solutionviews,DC=com" -Name "BrasilUsers" -GroupScope Global -GroupCategory Distribution

If you want to find all distribution groups in your domain, use the following cmdlet:

Get-ADGroup -Filter 'groupcategory -eq "Distribution"'

Using the following command, you can create a new security group:

New-ADGroup -Name RemoteAccessUsers -GroupScope Universal -GroupCategory Security -Path "OU=Groups,OU=USA,DC=solutionviews,DC=com"

You can change group attributes with the Set-ADGroup cmdlet. For example, to add a description to the security group created above:

Set-ADGroup RemoteAccessUsers -Description "Users that can access corporate network over DirectAccess and VPN server"

Now add users to this group with the Add-ADGroupMember cmdlet:

Add-ADGroupMember RemoteAccessUsers -Members user1,user2,user3

To get the properties of a group, use the Get-ADGroup cmdlet:

Get-ADGroup 'Domain Admins'

DistinguishedName : CN=Domain Admins,CN=Users,DC=solutionviews,DC=com
GroupCategory     : Security
GroupScope        : Global
Name              : Domain Admins
ObjectClass       : group
ObjectGUID        : f04fbf5d-c917-43fb-9235-b214f6ea4156
SamAccountName    : Domain Admins
SID               : S-1-5-21-3243688314-1360023605-3291231821-512

You can count the members of a group (wrap the call in @() so that a group with a single member still yields a Count):

@(Get-ADGroupMember -Identity 'Domain Admins').Count

To list or export the members of a group, use Get-ADGroupMember: add -Recursive to expand nested groups, and pipe the output to Export-Csv to export it.

To list the groups a user account is a direct member of, read its memberOf attribute. Note that memberOf holds only direct memberships: it does not include groups the user belongs to through nesting, nor the user’s primary group:

Get-ADUser jbrion -Properties memberOf | Select-Object -ExpandProperty memberOf
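To get a user’s effective membership, including nested groups and the primary group, two extra steps are needed that memberOf does not perform. The function below is an added example (not code from the original post): it uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) so the domain controller walks the nesting chain itself, and it resolves the primary group from the account’s domain SID and primaryGroupID. It queries only the user’s own domain (domain local groups in other domains that include the user are not covered) and needs the ActiveDirectory module; jbrion is the account used on this page.

```powershell
# Added example: effective group membership of a user (nested groups + primary group).
function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping for a DN embedded in an LDAP filter (backslash must go first)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-ADUserEffectiveGroups {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Identity)

    $user    = Get-ADUser -Identity $Identity -Properties primaryGroupID
    $inChain = '1.2.840.113556.1.4.1941'   # LDAP_MATCHING_RULE_IN_CHAIN: transitive member lookup

    # 1. Every group reachable through member links, however deeply nested
    $userDn = ConvertTo-LdapFilterValue $user.DistinguishedName
    $nested = @(Get-ADGroup -LDAPFilter "(member:$inChain:=$userDn)")

    # 2. The primary group is linked only by RID; rebuild its SID from the account's domain SID
    $domainSid = $user.SID.AccountDomainSid.Value
    $primary   = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"

    # 3. Groups that contain the primary group are inherited as well
    $primaryDn  = ConvertTo-LdapFilterValue $primary.DistinguishedName
    $viaPrimary = @(Get-ADGroup -LDAPFilter "(member:$inChain:=$primaryDn)")

    @($primary) + $nested + $viaPrimary |
        Sort-Object DistinguishedName -Unique |
        Select-Object Name, GroupScope, GroupCategory, @{ n = 'SID'; e = { $_.SID.Value } }
}

# Compare with the direct memberOf list above: nested groups and Domain Users appear here
Get-ADUserEffectiveGroups -Identity jbrion | Format-Table -AutoSize
```

The in-chain rule is evaluated on the domain controller, so one query replaces a client-side recursion over memberOf; it is also the same filter shape to use when you need to know whether a given account ends up in a privileged group through any path.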

Sometimes you need to copy a user’s membership in a large number of AD groups to another account, which is tedious to do by hand. The following script copies the group memberships of one domain user to a second user account (note that Get-ADPrincipalGroupMembership returns security and distribution groups alike, plus the primary group). Groups the target already belongs to are skipped, because Add-ADPrincipalGroupMembership raises an error for a group the account is already in, and the primary group (Domain Users by default) is always among those:

$SourceADUser = "j.brion"
$TargetADUser = "a.smith"    # account receiving the memberships (assumed name, not on the original page)
$SourceADGroups = Get-ADPrincipalGroupMembership -Identity $SourceADUser
$TargetADGroups = Get-ADPrincipalGroupMembership -Identity $TargetADUser
# Skip groups the target is already in; review the list before running, it copies privileged memberships too
$MissingGroups = $SourceADGroups | Where-Object { $TargetADGroups.DistinguishedName -notcontains $_.DistinguishedName }
if ($MissingGroups) { Add-ADPrincipalGroupMembership -Identity $TargetADUser -MemberOf $MissingGroups }

Another useful example: find all AD groups with *Admin* in the name and list the accounts that are members of them, expanding nested groups. Because the same account can appear through several groups, deduplicate the result (Sort-Object -Unique on the distinguished name):

Get-ADGroup -Filter 'SamAccountName -like "*Admin*"' | Get-ADGroupMember -Recursive | Sort-Object DistinguishedName -Unique

If a group contains members from another forest (foreign security principals), Get-ADGroupMember returns an error:

Get-ADGroupMember : The specified directory service attribute or value does not exist

Hint. Get-ADGroupMember cannot resolve users from other AD forests. To see those members, read the group’s raw member attribute (Get-ADGroup -Properties member) and resolve the foreignSecurityPrincipal objects yourself.

To resolve a user’s primary group, combine the domain SID with the RID stored in the user’s primaryGroupID attribute:

$user = Get-ADUser jbrion -Properties primaryGroupID
$ADdomainSID = (Get-ADDomain).DomainSID.Value
Get-ADGroup -Identity "$ADdomainSID-$($user.primaryGroupID)"
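Because the primary group appears in neither member nor memberOf, a non-default primaryGroupID is worth checking for in an audit: an account whose primary group is Domain Admins (RID 512) holds that privilege without appearing in the group’s member list. The following function is an added example (not code from the original post) that generalises the snippet above to the whole domain: it finds every user and computer whose primaryGroupID is not one of the defaults and resolves the group by SID. It requires the ActiveDirectory module.

```powershell
# Added example: find accounts whose primary group is not one of the defaults.
function Get-ADNonDefaultPrimaryGroup {
    [CmdletBinding()]
    param()
    # Default RIDs: 513 Domain Users, 515 Domain Computers, 516 Domain Controllers,
    # 521 Read-only Domain Controllers
    $defaultRids = 513, 515, 516, 521
    # Build the exclusion server-side; objectClass=user also matches computer objects
    $exclude = ($defaultRids | ForEach-Object { "(!(primaryGroupID=$_))" }) -join ''
    $filter  = "(&(objectClass=user)(primaryGroupID=*)$exclude)"

    $domainSid = (Get-ADDomain).DomainSID.Value
    $cache = @{}   # RID -> group name, so each unusual group is resolved only once
    Get-ADObject -LDAPFilter $filter -Properties primaryGroupID, sAMAccountName | ForEach-Object {
        $rid = $_.primaryGroupID
        if (-not $cache.ContainsKey($rid)) {
            $cache[$rid] = (Get-ADGroup -Identity "$domainSid-$rid").Name
        }
        [pscustomobject]@{
            Account        = $_.sAMAccountName
            ObjectClass    = $_.ObjectClass
            PrimaryGroupID = $rid
            PrimaryGroup   = $cache[$rid]
        }
    }
}

# In a domain with no POSIX or Mac integration this should return nothing
Get-ADNonDefaultPrimaryGroup | Format-Table -AutoSize
```

The filter is evaluated on the domain controller, so the script scales to large domains; any hit that is not explained by POSIX or Mac client requirements deserves a closer look, especially RID 512, 518 or 519.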
