A group in Active Directory is a collection of Active Directory objects. Users, computers, other groups, and other AD objects can all be members of a group, and the administrator manages the group as a single item. There are seven different types of groups in Windows: two domain group types, each with three scopes, plus the local security group. In this post, we’ll go over the types of Active Directory groups, their differences, group scopes, and how to create and manage AD groups in a variety of ways.
Active Directory Group Types
You can utilise Active Directory groups in the following ways:
- To simplify management by assigning access to a share (resource) to a group rather than to individual users. When you grant permissions to a group, all of its members receive the same level of access to the resource.
- To delegate rights by using Group Policies to assign user rights to a group. Any member you add to the group later receives the rights granted to that group.
- To create an e-mail distribution list.
There are two types of AD groups:
- Security Groups in Active Directory. This type of group is used to grant access to resources (it is a security principal). For example, you may want to give a specific set of users access to files in a network shared folder. To do so, you create a security group.
- Distribution Groups in Active Directory. This type of group is used to create e-mail distribution lists (usually in Microsoft Exchange Server). An e-mail sent to such a group is received by all of the group’s members (recipients). Because it is not security-enabled, this type of group cannot be used to grant access to domain resources.
Note. It is possible to assign an e-mail attribute to a security group and use it in mailing lists (by converting it to a mail-enabled security group), but this is not recommended.
Distribution groups differ from security groups by a single bit in the groupType attribute: for a security group, this attribute has the SECURITY_ENABLED bit set.
Each group type can have one of three scopes:
- Domain local. Used to manage access permissions to resources only within the domain where the group was created (NTFS permissions on files and folders, remote desktop access, assigning Windows privileges, GPO security filtering, and so on). A domain local group cannot be used in other domains (although it may include users from another domain). A domain local group can be nested inside another domain local group, but it cannot be added to a global group;
- Global. This group scope can be used to grant access to resources located in a different domain. You can only add accounts from the same domain in which the group was created. Other global groups from the same domain can also be nested in a global group;
- Universal. Recommended for large Active Directory forests. Use this scope to define roles and manage resources that are spread across multiple domains. If your network has many branches connected over WAN links, use universal groups only for groups whose membership changes rarely, because every change to a universal group is replicated to the Global Catalog across the entire forest.
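The type and scope described above are both encoded in one attribute. The following PowerShell is an added example (not part of the original article): it decodes a raw groupType value into the category and scope the AD cmdlets report, and includes a live check for the mail-enabled security groups the Note above discourages. The function names are hypothetical; the bit values are the documented GROUP_TYPE_* flags and the OID is the standard LDAP bitwise-AND matching rule.

```powershell
# Added example, not from the original article: decode the raw groupType
# attribute into the GroupCategory/GroupScope pair the AD cmdlets report, and
# find mail-enabled security groups (the Note above advises against them).
# Bit values are the documented GROUP_TYPE_* flags of the AD schema.
function ConvertFrom-ADGroupType {
    param([Parameter(Mandatory)][int]$GroupType)
    # 0x80000000 (SECURITY_ENABLED) is bit 31, the sign bit of the Int32 that
    # AD stores, so every security group has a negative groupType.
    $category = if ($GroupType -lt 0) { 'Security' } else { 'Distribution' }
    $scope = switch ($GroupType -band 0xE) {   # scope bits: 0x2, 0x4, 0x8
        2       { 'Global' }
        4       { 'DomainLocal' }
        8       { 'Universal' }
        default { 'Unknown' }
    }
    [pscustomobject]@{
        GroupType     = $GroupType
        GroupCategory = $category
        GroupScope    = $scope
        IsBuiltin     = ($GroupType -band 0x1) -ne 0   # groups in the Builtin container
    }
}

# Constructed sample values: the numbers Get-ADGroup -Properties groupType
# returns for global / domain local / universal security groups, a Builtin
# group, and the three distribution-group scopes.
-2147483646, -2147483644, -2147483640, -2147483643, 2, 4, 8 |
    ForEach-Object { ConvertFrom-ADGroupType -GroupType $_ } | Format-Table -AutoSize

# Live audit (requires the ActiveDirectory module). The matching rule
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so the filter tests the
# SECURITY_ENABLED bit (2147483648 = 0x80000000) on the server and returns only
# security groups that also carry a mail attribute.
function Get-MailEnabledSecurityGroup {
    Get-ADGroup -LDAPFilter '(&(groupType:1.2.840.113556.1.4.803:=2147483648)(mail=*))' -Properties mail |
        Select-Object Name, GroupScope, GroupCategory, mail
}
```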
There are also local groups. These groups are created in the computer’s local Security Accounts Manager (SAM) database. Local groups differ from domain groups in that they keep working even when no domain controller can be reached.
A group’s scope can be changed later, subject to the following rules:
- If a global security group is not a member of another global group, you can convert it to a universal group.
- If a domain local group does not have another domain local group among its members, you can convert it to a universal group.
- There are no constraints on converting a universal group to a domain local group.
- If a universal group does not contain another universal group as a member, it can be converted to a global group.
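The four rules above can be checked before a scope change is attempted. The following PowerShell is an added example (not from the original article): Test-ScopeConversion is a pure, offline check over the scopes involved, and Test-ADGroupScopeConversion (both names hypothetical) gathers those scopes from a live domain.

```powershell
# Added example, not from the original article: applies the four conversion
# rules above before changing a group's scope, so the reason for a refused
# conversion is reported up front instead of as a Set-ADGroup error.
function Test-ScopeConversion {
    param(
        [Parameter(Mandatory)][ValidateSet('DomainLocal','Global','Universal')][string]$CurrentScope,
        [Parameter(Mandatory)][ValidateSet('DomainLocal','Global','Universal')][string]$TargetScope,
        [string[]]$MemberGroupScopes   = @(),   # scopes of groups nested inside this group
        [string[]]$MemberOfGroupScopes = @()    # scopes of groups this group is a member of
    )
    $blocker = switch ("$CurrentScope->$TargetScope") {
        { $CurrentScope -eq $TargetScope } { 'group already has the target scope' }
        'Global->Universal'      { if ($MemberOfGroupScopes -contains 'Global') { 'group is a member of another global group' } }
        'DomainLocal->Universal' { if ($MemberGroupScopes -contains 'DomainLocal') { 'group contains another domain local group' } }
        'Universal->Global'      { if ($MemberGroupScopes -contains 'Universal') { 'group contains another universal group' } }
        'Universal->DomainLocal' { $null }   # no constraints
        default                  { "no direct $CurrentScope to $TargetScope conversion; convert to Universal first" }
    }
    [pscustomobject]@{ Allowed = [bool](-not $blocker); Reason = $blocker }
}

# Constructed cases: the second one trips the Global -> Universal rule.
Test-ScopeConversion -CurrentScope Universal -TargetScope DomainLocal
Test-ScopeConversion -CurrentScope Global -TargetScope Universal -MemberOfGroupScopes @('Global')

# Live wrapper (requires the ActiveDirectory module): collects the scopes of
# the group's directly nested groups and of its parent groups, then checks.
function Test-ADGroupScopeConversion {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('DomainLocal','Global','Universal')][string]$TargetScope
    )
    $g = Get-ADGroup -Identity $Identity -Properties member, memberOf
    $nested = foreach ($dn in $g.member) {
        # member may hold users, computers and contacts too; keep only groups
        if ((Get-ADObject -Identity $dn).ObjectClass -eq 'group') { (Get-ADGroup -Identity $dn).GroupScope.ToString() }
    }
    $parents = foreach ($dn in $g.memberOf) { (Get-ADGroup -Identity $dn).GroupScope.ToString() }
    Test-ScopeConversion -CurrentScope $g.GroupScope.ToString() -TargetScope $TargetScope -MemberGroupScopes @($nested) -MemberOfGroupScopes @($parents)
}
```

When Allowed is true, Set-ADGroup -Identity <group> -GroupScope <target> performs the actual change.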
Default (Built-in) AD Domain Groups
Several predefined (built-in) security groups with the DomainLocal scope are created when you create a new AD domain. At the domain level, these predefined groups can be used to restrict access to shared resources and to delegate certain administrative capabilities. The default AD groups are stored in a dedicated container named Builtin.
Only user accounts can be added to these groups: built-in AD groups cannot be nested in one another, and user-defined domain groups cannot be added to them.
You can list the predefined AD groups using PowerShell:
Get-ADGroup -SearchBase 'CN=Builtin,DC=solutionviews,DC=com' -Filter * | Format-Table Name,GroupScope,GroupCategory,SID -AutoSize
Name                                GroupScope  GroupCategory SID
----                                ----------  ------------- ---
Administrators                      DomainLocal Security      S-1-5-32-544
Users                               DomainLocal Security      S-1-5-32-545
Guests                              DomainLocal Security      S-1-5-32-546
Print Operators                     DomainLocal Security      S-1-5-32-550
Backup Operators                    DomainLocal Security      S-1-5-32-551
Replicator                          DomainLocal Security      S-1-5-32-552
Remote Desktop Users                DomainLocal Security      S-1-5-32-555
Network Configuration Operators     DomainLocal Security      S-1-5-32-556
Performance Monitor Users           DomainLocal Security      S-1-5-32-558
Performance Log Users               DomainLocal Security      S-1-5-32-559
Distributed COM Users               DomainLocal Security      S-1-5-32-562
IIS_IUSRS                           DomainLocal Security      S-1-5-32-568
Cryptographic Operators             DomainLocal Security      S-1-5-32-569
Event Log Readers                   DomainLocal Security      S-1-5-32-573
Certificate Service DCOM Access     DomainLocal Security      S-1-5-32-574
RDS Remote Access Servers           DomainLocal Security      S-1-5-32-575
RDS Endpoint Servers                DomainLocal Security      S-1-5-32-576
RDS Management Servers              DomainLocal Security      S-1-5-32-577
Hyper-V Administrators              DomainLocal Security      S-1-5-32-578
Access Control Assistance Operators DomainLocal Security      S-1-5-32-579
Remote Management Users             DomainLocal Security      S-1-5-32-580
Server Operators                    DomainLocal Security      S-1-5-32-549
Account Operators                   DomainLocal Security      S-1-5-32-548
Pre-Windows 2000 Compatible Access  DomainLocal Security      S-1-5-32-554
Incoming Forest Trust Builders      DomainLocal Security      S-1-5-32-557
Windows Authorization Access Group  DomainLocal Security      S-1-5-32-560
Terminal Server License Servers     DomainLocal Security      S-1-5-32-561
Note that the built-in AD groups have a distinctive SID format: S-1-5-32-xxx (xxx from 500 to 1000). Regular AD groups have SIDs of the form S-1-5-21-yyy-zzz, where yyy is the domain identifier and zzz is the relative ID (RID).
Creating a Group Using the ADUC Snap-in
Using the Active Directory Users and Computers graphical console is the simplest way to create a new group in an AD domain. Right-click the AD organisational unit in which you want to create the group and select New > Group.
Specify a unique group name, select the group type and scope, and click OK.
To add a user to a group, open the Active Directory Users and Computers console and double-click the group name. Go to the Members tab in the group properties window and use the Add button to add users, computers, or other groups.
When adding members to a group, only the following object types are searched for by default: Users, Groups, and Service Accounts. If you want to add another kind of AD object to the security group (such as a computer or a contact), click Object Types and tick Computers and Contacts; the full range of Active Directory object types then becomes selectable.
You can also add a user to a group by right-clicking the user account and choosing Add to a group from the menu. This comes in handy when you need to add a large number of users to a group.
The Primary Group of an Active Directory user is set on the Member Of tab of the user’s properties. The primary group ID exists to support the POSIX (UNIX) model of controlling access to resources. A user’s PrimaryGroupID attribute holds the RID (relative identifier) of the group that is to be the user’s primary group. By default, the PrimaryGroupID of all Active Directory users is 513 (the Domain Users group).
The primary group must be a global or universal security group; a domain local group or a distribution group cannot be set as the primary group.
Not all resources support the primary group ID. Except in specific cases involving POSIX applications and Mac clients, you should not modify the Primary Group attribute.
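The SID formats from the Built-in section and the primary group mechanism described here fit together: a primary group is identified only by a RID, so its SID has to be rebuilt from the domain SID. The following PowerShell is an added example (not from the original article) with hypothetical function names and constructed sample data; it splits a group SID into its parts and reports users whose PrimaryGroupID is not the default 513.

```powershell
# Added example, not from the original article: split a group SID into its
# parts (Builtin S-1-5-32-RID vs domain S-1-5-21-<domain>-RID) and list users
# whose primaryGroupID differs from the default 513 (Domain Users).
function ConvertFrom-GroupSid {
    param([Parameter(Mandatory)][string]$Sid)
    if (-not ($Sid -match '^S-1-5-(?<auth>32|21(?:-\d+){3})-(?<rid>\d+)$')) {
        throw "Not a Builtin or domain group SID: $Sid"
    }
    $isBuiltin = $Matches.auth -eq '32'
    $domainSid = if ($isBuiltin) { $null } else { "S-1-5-$($Matches.auth)" }
    [pscustomobject]@{
        Sid       = $Sid
        IsBuiltin = $isBuiltin
        DomainSid = $domainSid
        Rid       = [int]$Matches.rid
    }
}

# The primary group is not listed in memberOf: it is identified only by the RID
# in primaryGroupID, so its SID is rebuilt as <domain SID>-<RID>.
function Get-NonDefaultPrimaryGroup {
    param(
        [Parameter(Mandatory)][string]$DomainSid,
        [Parameter(Mandatory)][object[]]$Users,   # need SamAccountName and primaryGroupID
        [int]$DefaultRid = 513
    )
    foreach ($u in $Users) {
        if ([int]$u.primaryGroupID -ne $DefaultRid) {
            [pscustomobject]@{
                User            = $u.SamAccountName
                PrimaryGroupID  = [int]$u.primaryGroupID
                PrimaryGroupSid = "$DomainSid-$($u.primaryGroupID)"
            }
        }
    }
}

# Constructed sample data: a made-up domain SID and three users, one of whom
# has a non-default primary group (RID 1105 is constructed too).
$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'jbrion';    primaryGroupID = 513 }
    [pscustomobject]@{ SamAccountName = 'svc_posix'; primaryGroupID = 1105 }
    [pscustomobject]@{ SamAccountName = 'b.semenov'; primaryGroupID = 513 }
)
Get-NonDefaultPrimaryGroup -DomainSid $domainSid -Users $sampleUsers | Format-Table -AutoSize
ConvertFrom-GroupSid 'S-1-5-32-544'      # Builtin Administrators
ConvertFrom-GroupSid "$domainSid-512"    # domain group with RID 512
```

Against a live domain (ActiveDirectory module loaded), pass (Get-ADDomain).DomainSID.Value and Get-ADUser -Filter * -Properties primaryGroupID as the two arguments, and resolve each PrimaryGroupSid with Get-ADGroup.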
How to Create and Modify Active Directory Groups Using PowerShell?
Use the New-ADGroup cmdlet from the Active Directory module for Windows PowerShell to create Active Directory groups. First, install the Active Directory PowerShell module and import its cmdlets into your PowerShell session by following these steps:
The -GroupCategory parameter specifies the group type (Security or Distribution). The -GroupScope parameter specifies the group scope (valid values: DomainLocal, Global, or Universal).
To create a new global distribution group in the target OU, you can use the following command:
New-ADGroup -Path "OU=Groups,OU=Brasil,DC=solutionviews,DC=com" -Name "BrasilUsers" -GroupScope Global -GroupCategory Distribution
If you want to find all distribution groups in your domain, use the following cmdlet:
Get-ADGroup -Filter 'groupcategory -eq "Distribution"'
Using the following command, you can create a new security group:
New-ADGroup -Name RemoteAccessUsers -GroupScope Universal -GroupCategory Security -Path "OU=Groups,OU=USA,DC=solutionviews,DC=com"
You can change Active Directory group attributes using the Set-ADGroup cmdlet. For example, to add a description to the security group created earlier:
Set-ADGroup RemoteAccessUsers -Description "Users that can access corporate network over DirectAccess and VPN server"
Now you can add users to this group using the Add-ADGroupMember cmdlet:
Add-ADGroupMember RemoteAccessUsers -Members user1,user2,user3
To get all the information about the specified group, use the Get-ADGroup cmdlet:
Get-ADGroup 'Domain Admins'
DistinguishedName : CN=Domain Admins,CN=Users,DC=solutionviews,DC=com
GroupCategory : Security
GroupScope : Global
Name : Domain Admins
ObjectClass : group
ObjectGUID : f04fbf5d-c917-43fb-9235-b214f6ea4156
SamAccountName : Domain Admins
SID : S-1-5-21-3243688314-1360023605-3291231821-512
You can calculate the total number of members in the group:
(Get-ADGroupMember -Identity 'Domain Admins').Count
You can list (export) the members of an Active Directory group using the Get-ADGroupMember cmdlet:
To list the AD groups that the user account belongs to (including nested groups), run the command:
Get-ADUser jbrion -Properties MemberOf | Select-Object -ExpandProperty MemberOf
Sometimes the task arises to copy a user’s membership in a large number of AD groups. If the user is a member of a large number of groups, doing it manually is very tedious. To copy all security groups from one domain user and add them to another user account, use the following PowerShell script:
$SourceADUser = "j.brion"
$TargetADUser = "b.semenov"
# Get-ADPrincipalGroupMembership also returns distribution groups and the
# primary group; keep only the security groups, as described above.
$SourceADGroups = Get-ADPrincipalGroupMembership -Identity $SourceADUser | Where-Object { $_.GroupCategory -eq 'Security' }
Add-ADPrincipalGroupMembership -Identity $TargetADUser -MemberOf $SourceADGroups
Another useful example: find all AD groups containing *Admin* in the name and display the users who are members of these groups (to show only unique accounts, use the -Unique parameter):
Get-ADGroup -Filter 'SamAccountName -like "*Admin*"' | Get-ADGroupMember -Recursive | Select-Object -Unique
If the group includes users from other forests, the Get-ADGroupMember cmdlet will return an error:
Get-ADGroupMember : The specified directory service attribute or value does not exist
Hint. The Get-ADGroupMember cmdlet does not support cross-AD forest users.
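The group’s raw member attribute does not have this limitation. The following PowerShell is an added example (not from the original article) with hypothetical function names and a constructed member list: it reads members as distinguished names and flags the entries that are foreign security principals, whose CN is the SID of the account from the other forest.

```powershell
# Added example, not from the original article: enumerate a group's members
# from its raw member attribute, which keeps working when the group holds users
# from another forest. Such users appear as foreignSecurityPrincipal objects
# under CN=ForeignSecurityPrincipals, and their CN is the foreign account's SID.
function Get-GroupMemberFromDn {
    param([Parameter(Mandatory)][string[]]$MemberDn)
    foreach ($dn in $MemberDn) {
        # The first RDN is the object's CN; split only on unescaped commas.
        $cn         = ($dn -split '(?<!\\),')[0] -replace '^CN=', ''
        $isForeign  = $dn -match ',CN=ForeignSecurityPrincipals,'
        $foreignSid = if ($isForeign) { $cn } else { $null }
        [pscustomobject]@{
            Name              = $cn
            IsForeign         = $isForeign
            ForeignSid        = $foreignSid
            DistinguishedName = $dn
        }
    }
}

# Constructed sample shaped like the member attribute Get-ADGroup -Properties
# member returns: two local objects and one principal from a trusted forest.
$sampleMembers = @(
    'CN=jbrion,OU=Users,OU=USA,DC=solutionviews,DC=com'
    'CN=S-1-5-21-4444444444-5555555555-6666666666-1234,CN=ForeignSecurityPrincipals,DC=solutionviews,DC=com'
    'CN=RemoteAccessUsers,OU=Groups,OU=USA,DC=solutionviews,DC=com'
)
Get-GroupMemberFromDn -MemberDn $sampleMembers | Format-Table -AutoSize

# Live version (requires the ActiveDirectory module). Resolving ForeignSid to
# an account name needs a lookup against the trusted forest itself.
function Get-ADGroupMemberIncludingForeign {
    param([Parameter(Mandatory)][string]$Identity)
    $members = (Get-ADGroup -Identity $Identity -Properties member).member
    if ($members) { Get-GroupMemberFromDn -MemberDn @($members) }
}
```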
If you want to resolve a user’s primary group from its primaryGroupID, use the following PowerShell script:
$ADdomainSID = Get-ADDomain | Select-Object -ExpandProperty DomainSID | Select-Object -ExpandProperty Value
# the primary group RID is stored on the user object, not in memberOf
$primaryGroupID = (Get-ADUser jbrion -Properties primaryGroupID).primaryGroupID
Get-ADGroup -Identity ($ADdomainSID + "-" + $primaryGroupID)