Types of Active Directory Groups – TheITBros (2023)

TheActive Directory Groupsis a collection of Active Directory objects. The group can include users, computers, other groups, and other AD objects. The administrator manages the group as a single object. In Windows, there are 7 types of groups: two types of domain groups with three fields in each, and a local security group. In this article, we'll talk about the different types of Active Directory groups, the differences between them, group fields, and show you how to create ad groups and manage them in different ways.

GTypes of groupings in Active Directory

Active Directory groups can be used:

• To simplify management by assigning share (resource) permissions to a group rather than individual users. When you assign permissions to a group, all its members have the same access to the resource.
• To delegate Active Directory management tasks by assigning permissions to a group. In the future, you can add new members to the group who need the permissions granted by this group.
• Linking Group Policy Objects(GPO) in groups to apply custom settings using Security Filtering or Group Policy Preferences Component-level targeting.
• To create email distribution lists.

There are two types of AD groups:

• Active Directory security groups. This group type is used to grant access to resources (security principal). For example, you want to assign permissions to a specific group to files in a shared network folder. To do this, you need to create a security group.
• Active Directory distribution groups. This group type is used to create email distribution lists (typically used in Microsoft Exchange Server). An e-mail sent to such a group will reach all users (recipients) of the group. This group type cannot be used to provide access to domain resources because security is not enabled.

Note. You can assign an email attribute to the security group (making it an email-enabled security group) and use it in mailing lists (but it's not recommended).

Technically, distribution groups differ from security-enabled groups by one bit in thegroupTypeFeature. For a security group, this attribute will contain the SECURITY_ENABLED bit.

There are three group fields in Active Directory for each type of group:

• Local domain. It is used to manage access rights to different domain resources (files and folders, NTFS permissions, remote desktop access, provision of Windows privileges, use in GPO security filtering, etc.) only in the domain where it was created. A local group cannot be used in other domains (however, a local group can include users from another domain). A local group can be contained in another local group, but cannot be added to the global group.
• Global. This group type can be used to provide access to resources in another domain. In this group, you can only add accounts from the same domain in which the group was created. A global group can be added to other global and local groups.
• Worldwide. Recommended for use in large Active Directory forests. Using this team scope, you can define roles and manage resources that are spread across multiple domains. If your network has many branches connected to WAN channels, it is desirable to use global groups only for groups that change infrequently. Because changing the global group causes theWorld Directoryto beare reproducedthroughout the enterprise.

Trace. AD groups can be members of other groups. This is callednested groups. Nested groups are a useful way of managing in AD based on business roles and functions.

There are alsolocalgroups. These groups are created in the local Security Accounts Administrator (SAM) database on that computer. The difference from domain groups: local groups work even ifunable to communicate with an Active Directory domain controller.

You can change AD groupsField of applicationtheType. But there are several conditions:

• You can convert the Global Security Group to a Universal if the group is not part of another global group.
• You can convert a domain-local group to global if no other domain-local group is added to its member list.
• A global group can be converted to a domain local group without restrictions.
• A global group can be made global if it does not contain another global group as a member.

Note. You can alsomanage Privileged Groups in Active Directory.

Default (Built-in) AD Domain Groups

When you create a new AD domain, several predefined (built-in) security groups with DomainLocal scope are created. These predefined groups can be used to control access to shared resources and assign specific administrative permissions at the domain level. Default AD groups reside in a dedicated AD containerBuilt.

Only user accounts can be added to these groups: you cannot add a built-in AD group to them (group nesting) or add user-defined domain groups to them.

You can list the default ad group using PowerShell:

Get-ADGroup -SearchBase 'CN=Builtin,DC=theitbros,DC=com' -Filter * | Format-Table Name,GroupScope,GroupCategory,SID -AutoSize

Administrators DomainLocal Security S-1-5-32-544

Users DomainLocal Security S-1-5-32-545

Guests DomainLocal Security S-1-5-32-546

Print Operators DomainLocal Security S-1-5-32-550

Backup Operators DomainLocal Security S-1-5-32-551

(Video) 15 Active Directory Queries

Replicator DomainLocal Security S-1-5-32-552

Remote Desktop Users DomainLocal Security S-1-5-32-555

Network Configuration Managers DomainLocal Security S-1-5-32-556

DomainLocal Security Performance Monitor Users S-1-5-32-558

Performance Log Users DomainLocal Security S-1-5-32-559

See Also

Security: Getting to Know Windows LAPS for Active Directory - First LookManage emergency access to a bare metal machine using `az networkcloud cluster baremetalmachinekeyset` command for Azure Operator Nexus

Distributed Users COM DomainLocal Security S-1-5-32-562

IIS_IUSRS DomainLocal Security S-1-5-32-568

Cryptographic Operators DomainLocal Security S-1-5-32-569

DomainLocal Security Event Log Readers S-1-5-32-573

DCOM Certificate Service Access DomainLocal Security S-1-5-32-574

Remote Access Servers RDS DomainLocal Security S-1-5-32-575

RDS Endpoint Servers DomainLocal Security S-1-5-32-576

RDS Management Servers DomainLocal Security S-1-5-32-577

Hyper-V Administrators DomainLocal Security S-1-5-32-578

DomainLocal Security S-1-5-32-579 operators access control help

DomainLocal Security Remote Administration Users S-1-5-32-580

DomainLocal Security Servers S-1-5-32-549

Account Handlers DomainLocal Security S-1-5-32-548

Pre-Windows 2000 Compatible Access DomainLocal Security S-1-5-32-554

Inbox Forest Trust Builders DomainLocal Security S-1-5-32-557

Windows DomainLocal Security Authorization Access Group S-1-5-32-560

(Video) Join a VM to AD Domain

DomainLocal Security Terminal Server License Servers S-1-5-32-561

Note that built-in AD groups use a special SID format: S-1-5-32-xxx (xxx from 500 to 1000). For regular AD groups, the SID looks like this: S-1-5-21-yyyy-zzz, where yyyy is the Domain ID, zzz – Related Identifier (RID).

Active Directory Group Naming Convention Best Practices

Group names in the Active Directory domain should be descriptive, meaningful, and simple. Considering that sometimes all three conditions may seem impossible, you can compose group names according to the following rules:

• Use only English characters for group names.
• For the first letter of the group name, use the letter that indicates the type of group (G, D, or U). You can find out the group type in the group properties in ADUC, but it is convenient to see the group type in the name.
• In global group name, specify the name of the department for which you are creating this group. For example, Store, Marketing, Shop, Managers, etc.
• In domain local group name, specify the purpose of the group and the access permission type (R/RW). Since domain local groups are used to set access rights to various resources, this should be reflected in the group name.

Create an ad group using the ADUC plugin

The easiest way to create a new group in the AD domain is to use theActive Directory Users and Computers add-on. go toYOUR ADVERTISINGin which you want to create the group, right-click on it and selectYoung>Club.

Specify a unique group name, select the group type and scope, and click OK.

To add a user to the group, search for the group name in the Active Directory Users and Computers console and double-click it. In the group properties window, clickMemberstab and use itAdditionbutton to add users, computers or other groups.

Note that when adding members to a group, searches are only performed for the following types of objects: Users, Groups, and Service Accounts. If you want to add an AD object to the security group (such as a computer or a contact), click theObject typesand check the optionsContactsandComputers. You can now select all types of Active Directory objects.

You can also add a user to the group by right-clicking on it and selecting the itemAdd to a group. This is very convenient when you need to bulk add users to a group.

Note that on the Member tab, in the properties of any Active Directory user,Primary Groupis clarified.Primary group IDused to support the UNIX POSIX model of resource access control. In Active Directory, the PrimaryGroupID attribute for a user must be the RID (relative identifier) ​​of the group to which the user will be associated. By default, all Active Directory users have a PrimaryGroupID of 513 (domain user group).

Global or universal security groups can be specified as the primary group. This means that you cannot specify a local domain or any distribution group as the primary group.

Not all resources support a Primary Group ID setting. In most cases, you should not change the Primary Group attribute, except in special cases related to POSIX applications and Mac clients.

You can also create new groups from the graphical Active Directory Administration Center (dsac.exe). Right-click the domain name or OU and selectYoung>Club.

Fill in the following mandatory fields:

• Team name.
• Group scope (Global/Local domain/Global).
• Group Type (Security/Distribution).

Here you can also set a description for the group, enable/disable Protect from accidental deletion, add users to the group, etc.

Click OK to create the group.

To remove a user from a group, search for the group by name using Global Search and open its properties. go toMemberstab, select the user you want to remove and clickRemovebutton. Click OK to save your changes.

How to create and modify ad group using PowerShell?

To create Active Directory groups, use PowerShellNew-ADGroupcmdlet from the Active Directory module for Windows PowerShell. Install itActive Directory PowerShell moduleand enter module cmdlets in the PowerShell session:

Import-ActiveDirectory module

The type of Security or Distribution group is specified using the-Group categorydisagreement. The range of the group is specified using the–GroupScopeparameter (valid values: DomainLocal, Global, or Universal).

To create a new global distribution group in the target OU, you can use the command:

New-ADGroup -Διαδρομή "OR=Groups,OR=Brazil,DC=theitbros,DC=com" -Όνομα "BrazilUsers" -Global Scope Group -GroupCategory Distribution

If you want to find all distribution groups in your domain, use the following cmdlet:

Get-ADGroup -Filter 'groupcategory -eq "Distribution"'

Using the following command, you can create a new security group:

New-ADGroup –Name RemoteAccessUsers -GroupScope Universal -GroupCategory Security -Message "OR=Groups,OR=USA,DC=theitbros,DC=com"

You can change Active Directory group attributes using the Set-ADGroup cmdlet. For example, you want to add a description to the security group you created earlier:

Set-ADGroupRemoteAccessUsers – Description "Users who can access the corporate network via DirectAccess server and VPN"

You can now add users to this group usingAdd-ADGroupMembercmdlet:

Add-ADGroupMember RemoteAccessUsers -Members user1,user2,user3

To remove a user from an AD group, use the Remove-ADGroupMember cmdlet:

Remove-ADGroupMember -Identity RemoteAccessUsers -Members user1, user2

Confirm unsubscribing the user by pressing Y > Enter.

To completely remove an Active Directory group, run:

Remove-ADGroup -Identity RemoteAccessUsers

When you delete a group, you will be asked to confirm the deletion. To disable removal confirmation, add the Confirm parameter:

Remove-ADGroup -Identity RemoteAccessUsers –Confirm:$false

To get all the information about the specified group, use the Get-ADGroup cmdlet:

get-adgroup 'domain administrators'

DistinguishedName : CN=Domain Admins,CN=Users,DC=theitbros,DC=com

Group Category: Security

GroupScope : Global

(Video) Configuring OneLogin's RADIUS Server Interface

Name: Domain Admins

ObjectClass : group

ObjectGUID : f04fbf5d-c917-43fb-9235-b214f6ea4156

SamAccountName: Domain Administrators

SID : S-1-5-21-3243688314-1360023605-3291231821-512

You can calculate the total number of users in the group:

(Get-ADGroupMember -Identity 'Domain Admin').Number

You can list (extract) Active Directory group members using the Get-ADGroupMember cmdlet.

To list the AD groups that the user account belongs to (inclAD nested groups), run the command:

Get-ADUser jbrion -properties memberof | select memberof -expandproperty memberof

Sometimes a user's copy job occursparticipation in a large number of AD groups. If the user is a member of a large number of groups, doing this manually is very tedious. To copy all security groups from one domain user and add them to another user account, use the following PowerShell script:

$SourceADUser= “j.brion"$TargetADUser=”b.semenov”$SourceADGroups = Get-ADPrincipalGroupMembership -Identity $SourceADUserAdd-ADPrincipalGroupMembership -Ταυτότητα $TargetADUser -MemberOf$our

Another useful example. Let's try to find all adgroups that contain *Admin* in the name and display users who are members of those groups (to display only unique accounts, use -Uniqueparameter):

Get-ADGroup -filter 'SamAccountName -like "*Administrator*"' | Get-ADGroupMember -recursive|Select-Object -Unique

If the group includes users from other forests, the Get-ADGroupMember cmdlet will throw an error:

Get-ADGroupMember : The specified directory service attribute or value does not exist

Trace. The Get-ADGroupMember cmdlet does not support cross-AD forest users.

If you want to get a Primary group ID, use the following PowerShell script:

$ADdomainSID = Λήψη-ADDomain | Select-Object -ExpandProperty DomainSID | Select-Object -ExpandProperty ValueGet-ADGroup -Identity $($ADdomainSID + "-" + $primaryGroupID)

Active Directory Functional Layersof Windows Server 2012 R2 and later supportTime-based group subscription. This feature allows administrators to assign temporary group membership, which is expressed as a Time to Live (TTL) value. This value will be added to the Kerberos ticket. This is also called the expiring links feature.

You can add a user to a group temporarily using PowerShell. For example, you want to add a user to a security group for only 2 days to grant temporary permissions. Run the following PowerShell command:

Add-ADGroupMember -Identity g_CA_Sales -Members b.jackson -MemberTimeToLive (New-TimeSpan -Days 2)

After two days, the user account will be automatically removed from the group. To see the remaining time (in seconds) that a user will remain in a group, run:

Get-ADGroup g_CA_Sales -Property Member -ShowMemberTimeToLive

In this article, you learned about groups in Active Directory. We covered the types of groups in Active Directory and scope, how to create and manage groups using the ADUC GUI and the Windows PowerShell Management Shell.