Windows Lesson 6 - Managing Groups


In this lesson we'll learn how to create and manage security groups in Active Directory.

Security Groups vs Organizational Units

The difference between Security Groups and Organizations Units can be confusing if you're new to Active Directory. Prior to Active Directory, in Windows NT 4 we didn't have OUs, we had a large unorganized list of users. We could put users into Groups and use those groups to assign permissions. For example you could create a group called Accounting then add all the accounting users to it and grant access to the group. This was nice because if a new person was hired in the accounting department you would put them in the Accounting group and they would be able to access anything they needed.

In Active Directory, Groups were renamed Security Groups, and Organizations Units were introduced. Organizational Units allowed us to organize our user accounts in a structure that looks like a folder hierarchy. The OU structure is not used for assigning permissions. It is used for organizing our user accounts in the Active Directory database. Each user account has path like a file on a disk, that path is made up of OU's. Mike Smith's path is the following: CN=Mike Smith,OU=Staff,OU=GotoHull Users,DC=gotohull,DC=com.

Security Groups are used to assign permissions to our resources. If you create a folder on a server and you only want your accounting department to access it you can use the Accounting security group to do this. OU membership has no impact on this level of security.

It is also worth mentioning that a user can be a member of multiple groups, but only one OU.

Group Types

In Windows NT there was one group type and it was used to assign permissions to resources on the network. When Active Directory was introduced with Windows 2000 there was a new type of group introduced. Distribution groups were added and can be used by email server software. The idea is you create a distribution group and each member of the group would get a copy of any email sent to the distribution group. A distribution can not be used to assign permissions to your network resources. The groups we knew from Windows NT were renamed to Security Groups. A security group can be used to assign permissions to resources on the network.

Why Use Security Groups?

We use groups to assign permissions to resources on the network. It is possible to assign permissions to individual accounts but it isn't considered best practice. It can increase the amount of administrative work required when people leave, are hired, or change departments. In the example below we can see when a new user is hired in the accounting department we need to grant access to each resource that user will need.

If we use groups instead, all we need to do is add the user to the Accounting group and they will be able to access all the needed resources.

Creating Security Groups

We manage our groups using "Active Directory Administrative Center". Select the OU in which we want to create the security group then hit the New link in the tasks area on the right. Then select Group to create a new group.

Give the group a name. During the group creation process you can set other attributes at the same time.

You can even choose members of the group during the creation of the group, or put the group itself nested in another group. Once you've set all the attributes you want you can hit Ok.

You can also user PowerShell to create a group using the New-ADGroup cmdlet. Using the command

New-ADGroup -Name "Sales" -GroupCategory Security -GroupScope Global -Path "OU=Security Groups,OU=GotoHull Users,DC=gotohull,DC=com"

A group named Sales will be created in the Security Groups OU. The path is available in Active Directory Administrative Center on the top win you have an OU selected. You can then verify the groups was created by typing the following command.

Get-ADGroup -SearchBase "OU=Security Groups,OU=GotoHull Users,DC=gotohull,dc=com" -Filter {GroupCategory -eq "Security"}

This will return a list of all groups in the Security Groups OU, and below we can see the command created the Sales group.

Adding Users to Groups

There are multiple ways to add users to a security group. You can do it from the group itself, or from the user account.

One way is to select a user in Active Directory Administrative Center and click the Add to group link in the tasks panel on the right side.

Type in the name of the group you want to add the user to, then click Check Name. If the name of the group becomes underlined you're good to go, click Ok. If not then it will give you a chance to correct the spelling or type in the correct name. Clicking Ok will add the user to the group. You can also select multiple users and add them to a group using this method.

You can also pull users into a group by opening the properties group by selecting the group and clicking properties on the right side.

Click on Members on the left side to scroll down to the Members section, alternatively you can scroll using the scroll bar on the right. Click the Add button in the Members section to add to the group.

Type in the username of the user you want to add to the group and click Check Names, you can enter multiple usernames here separated by a semicolon. When you click Check Names if you have everything right it will replace the user name with the display name and underline it. Clicking Ok will add the users to the group.

You can also add users to groups using PowerShell.

Add-ADGroupMember -Identity Accounting -Members lmellon

You can use the following command to verify.

Get-ADGroupMember -Identity Accounting

Group Scopes

The different scope types seen when creating a group differ in who can be a member and where they can be used. They are outlined below.

  • Domain Local

    • Can contain objects from any domain in your forest.

    • Can be used to assign permissions in it's domain only.

  • Global

    • Can contain objects from its domain only.

    • Can be used to assign permissions in any domain in your forest.

  • Universal

    • Can contain objects from any domain in your forest.

    • Can be used to assign permissions in any domain in your forest.

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10