Unlocking the Power of Active Directory Groups: A Comprehensive Guide

Simplify administration, enhance security, and streamline access control in Active Directory.

Published: Jan 08, 2025



Active Directory groups are essential tools for managing and organizing users, computers, and other resources within a Windows domain.

This article will provide an in-depth exploration of Active Directory (AD) groups, including their types, purposes, and best management practices. Whether you’re a seasoned IT professional or just beginning your journey with Active Directory, this guide will help you understand the nuances and leverage the full potential of AD groups.

Overview of Active Directory groups

Active Directory domain groups are logical containers that house users, computer accounts, and/or other groups. There are two types of groups: Security and Distribution. Let’s explore these groups and what differentiates them.

Types of AD groups

There are two types of Active Directory groups – Security and Distribution. These two types serve distinct purposes in AD. Understanding these sometimes nuanced differences is crucial. Let’s look at both.

Distribution groups

Distribution groups are primarily used for email distribution lists: Exchange and other directory-aware mail systems expand them to the member mailboxes. The key technical difference is that a distribution group is not security-enabled. It contributes nothing to a member’s access token at logon, so it cannot be named in an ACL, in a user rights assignment, or in Group Policy security filtering. Distribution groups can be domain local, global, or universal; more on scopes in the next section.

Security groups

Security groups are used to assign permissions to network resources – files, folders, shared drives, and printers – as well as user rights and Group Policy security filtering. Every security group has a SID, and that SID is added to the access token of each member at logon; this is what a resource’s ACL is checked against. You can grant a specific group read/write access to a share and simultaneously assign another group read-only access to the same share. A security group can also be mail-enabled, so one group can serve both purposes.

As an example use case, you could create a security group for the finance department to manage specific filesystem shares housing the financial records and files in your enterprise.

AD security vs distribution groups

I want to highlight the core differences now before you create your groups. The type can be converted later (Security to Distribution and back, provided the domain functional level is Windows 2000 native or higher), but converting a security group to a distribution group removes its SID from members’ tokens: any ACE that still names the group stays in the ACL and silently stops granting access. Decide the type up front.

  • Permissions
    • Only security groups can be used to assign permissions to resources.
  • Use
    • Security groups are used for managing access to resources, whereas distribution groups are used for email communication and distribution.

AD group scopes

In AD, group scopes define where and how a group can be used within the AD environment and the forest. Each of the three scopes below serves specific purposes – let’s go through them now.

Domain local groups

Domain local groups are used to assign permissions to resources within the domain the group was created in; they cannot be placed in an ACL in another domain of the forest. Their membership, however, is the widest of the three scopes: users, computers, global and universal groups from any domain in the forest or from a trusted domain, plus other domain local groups from the same domain. That makes this scope the right place to represent one permission on one local resource, such as a file share or a printer.

Domain local groups are not suitable for holding a permission on a resource in another domain. For cross-domain or cross-forest access, put the foreign accounts or groups into a domain local group in the resource’s own domain instead.

Universal groups

The Universal scope is used to assign permissions to resources across multiple domains in a single forest (and in trusting forests). These groups can include users, computers, global groups and other universal groups from any domain in the forest, which is what makes them ideal for larger organizations with a multi-domain AD structure.

Universal group membership is stored in the Global Catalog (GC), so every membership change is replicated to every GC in the forest. Since the Windows Server 2003 forest functional level, linked-value replication sends only the changed member rather than the whole member list, which makes the impact far smaller than it originally was, but it is still a reason not to put thousands of individual users directly into a universal group. Nest global groups instead.

Global groups

Use the Global scope to organize accounts that share similar access needs, typically by role or department. A global group can only contain users, computers, and other global groups from its own domain, but it can be granted permissions on resources in any domain in the forest and in any trusting domain.

When you need to include members from multiple domains, do not use this scope; global groups are limited to members from their own domain. Global group membership is not stored in the Global Catalog (only the group object itself is), so membership changes replicate only within the domain.

Here’s a table comparing the three Active Directory group scopes:

Feature/Scenario | Universal Group | Global Group | Domain Local Group
--- | --- | --- | ---
Where it can be used in an ACL | Any domain in the forest (and trusting forests) | Any domain in the forest (and trusting domains) | Only the domain it was created in
Allowed members | Users, computers, global groups and universal groups from any domain in the forest | Users, computers and global groups from the same domain only | Users, computers, global and universal groups from any domain in the forest or a trusted domain; domain local groups from the same domain
Membership stored in the Global Catalog | Yes (the member list replicates to every GC) | No (group object only) | No (group object only)
Replication impact of membership changes | Forest-wide (reduced by linked-value replication at Windows Server 2003 forest level and above) | Domain only | Domain only
Recommended use | Collecting global groups from several domains | Role groups: accounts that share access needs within one domain | Resource groups: one group per permission on one resource
Table 1 – Active Directory group scopes compared


Use cases for AD group scopes

  • When you want to represent a permission on a resource in a single domain, use a Domain Local group and place only that group in the resource’s ACL.
  • When you need to collect accounts or global groups from multiple domains within your forest, use a Universal group.
  • When grouping users by role within the same domain for resources anywhere in the forest, use a Global group.

Microsoft’s recommended way to combine them is the AGDLP pattern: Accounts go into Global groups (one per role), Global groups are nested into Domain Local groups (one per permission on a resource), and the Domain Local group is the only principal listed in the resource’s ACL (the Permission). Across several domains the same pattern becomes AGUDLP, with Universal groups collecting the global groups.
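As an added example (not code from the original article), the following PowerShell exercises the scope and type conversion rules that Set-ADGroup enforces, since scope is not as fixed at creation time as people often assume. The group names and the OU path are assumptions for illustration, and it expects the ActiveDirectory module (RSAT) and rights to create groups in that OU.

```powershell
# Added example: scope and type conversion rules enforced by Set-ADGroup.
# Group names and the OU below are assumptions, not objects from the article.
Import-Module ActiveDirectory

$ou = 'OU=Domain Groups,DC=reinders,DC=local'   # assumed OU in the article's domain

# Two global groups, one nested inside the other.
New-ADGroup -Name 'GG-Finance-Staff' -GroupCategory Security -GroupScope Global -Path $ou
New-ADGroup -Name 'GG-Finance-All'   -GroupCategory Security -GroupScope Global -Path $ou
Add-ADGroupMember -Identity 'GG-Finance-All' -Members 'GG-Finance-Staff'

# Global -> DomainLocal is never a permitted direct conversion; AD rejects it.
try {
    Set-ADGroup -Identity 'GG-Finance-Staff' -GroupScope DomainLocal -ErrorAction Stop
} catch {
    Write-Warning "Direct Global -> DomainLocal refused: $($_.Exception.Message)"
}

# Global -> Universal is allowed only while the group is NOT a member of another global group.
try {
    Set-ADGroup -Identity 'GG-Finance-Staff' -GroupScope Universal -ErrorAction Stop
} catch {
    Write-Warning "Global -> Universal refused while nested in a global group: $($_.Exception.Message)"
}

# Remove the nesting; now the two-step route Global -> Universal -> DomainLocal succeeds.
Remove-ADGroupMember -Identity 'GG-Finance-All' -Members 'GG-Finance-Staff' -Confirm:$false
Set-ADGroup -Identity 'GG-Finance-Staff' -GroupScope Universal
Set-ADGroup -Identity 'GG-Finance-Staff' -GroupScope DomainLocal
(Get-ADGroup -Identity 'GG-Finance-Staff').GroupScope      # DomainLocal

# Type conversion (needs Windows 2000 native domain functional level or higher).
# Security -> Distribution clears the 0x80000000 bit in groupType, so the SID leaves
# members' tokens and every ACE naming this group silently stops granting access.
Set-ADGroup -Identity 'GG-Finance-Staff' -GroupCategory Distribution
(Get-ADGroup -Identity 'GG-Finance-Staff' -Properties groupType).groupType   # positive value = not security-enabled
Set-ADGroup -Identity 'GG-Finance-Staff' -GroupCategory Security
(Get-ADGroup -Identity 'GG-Finance-Staff' -Properties groupType).groupType   # negative value = security-enabled again
```

The other two restrictions work the same way: Domain Local to Universal is refused while the group contains another domain local group, and Universal to Global is refused while the group contains another universal group. Before any Security to Distribution change, search the ACLs that reference the group’s SID; the conversion itself will not warn you.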

Built-in Active Directory security groups

When the first domain controller is installed in a new domain, a set of default security groups is created in the Users and Builtin containers, such as the Account Operators group. Each of these has a special purpose, and most of the ones below are protected groups: the AdminSDHolder mechanism (SDProp, which runs every 60 minutes by default) stamps their members with adminCount=1 and resets the members’ ACLs to a restrictive template. Let me explain the main ones and what they are used for.

  • Domain Admins
    • Members of this privileged group have full control over all domain resources. Domain Admins is added to the local Administrators group of every computer when it joins the domain, so a member who logs into any workstation or server has local Administrator rights automatically. Keep this group’s membership as small as possible, and never use these accounts for everyday logons on workstations, where their credentials can be harvested.
  • Enterprise Admins
    • This group exists only in the forest root domain. Its members have full control over every domain in the forest because the group is placed in the Administrators group of each domain. It is not added to the local Administrators group of member computers the way Domain Admins is, but since a member can change any domain’s Domain Admins membership, that is no practical limitation. This group should be empty unless explicitly needed for a limited time (adding a domain, raising the forest functional level).
  • Schema Admins
    • Also forest root only. Members of this group can modify the Active Directory schema. It should be empty and populated only temporarily for a specific purpose (running adprep for a domain controller upgrade, an Exchange Server schema update, etc.).
  • Administrators
    • This is the builtin domain local group of the domain. Members have full rights on every domain controller and over the domain partition; Domain Admins and Enterprise Admins are members by default, which is how those global groups get their rights on domain controllers. It is used for tasks at the domain and domain controller level.
  • Account Operators
    • Members in this group can create, delete, and manage user accounts and groups, except protected groups like Domain Admins and the accounts they contain. They can also log on locally to domain controllers. This is a legacy group; Microsoft recommends leaving it empty and delegating account management on specific OUs instead.
  • Backup Operators
    • Members hold SeBackupPrivilege and SeRestorePrivilege on domain controllers and can log on locally to them. Those privileges bypass NTFS and share permissions for backup and restore, which is what enterprise data protection software needs, but they also allow a member to copy the SAM, SYSTEM hive and NTDS.dit from a domain controller and extract every password hash in the domain. Treat membership as domain admin equivalent. Member servers have their own local Backup Operators group; give backup software that one, scoped to the servers it actually backs up, rather than the domain group.
  • Server Operators
    • Members can manage shared resources, start and stop services, back up and restore files, and shut down domain controllers; the group applies to domain controllers only. Because a member can control services and replace files on a DC, it is effectively domain admin equivalent too. Keep it empty; it is not a safer substitute for Domain Admins.
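Because every group in the list above is effectively domain admin equivalent, their membership is the first thing to audit. The following PowerShell is an added example (not from the original article) that expands the nested membership of each group and flags the findings a reviewer would want; the 90-day and one-year thresholds are assumptions, and it needs the ActiveDirectory module.

```powershell
# Added example: audit the effective (nested) membership of the built-in privileged groups.
# Thresholds are assumptions; Enterprise/Schema Admins only resolve in the forest root domain.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators'
$staleAfter = (Get-Date).AddDays(-90)   # assumed "no logon" threshold

$report = foreach ($groupName in $privilegedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # not present in this domain

    # -Recursive expands nested groups and returns the leaf principals. It cannot resolve
    # foreign security principals from a trusted forest; those must be audited over there.
    foreach ($m in (Get-ADGroupMember -Identity $group -Recursive)) {
        if ($m.objectClass -ne 'user') {
            [pscustomobject]@{ Group = $groupName; Member = $m.SamAccountName
                               Finding = "$($m.objectClass) object in a privileged group" }
            continue
        }
        # LastLogonDate derives from lastLogonTimestamp, which is only accurate to about 14 days.
        $u = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet, adminCount
        $findings = @()
        if (-not $u.Enabled) { $findings += 'disabled account still a member' }
        if ($u.LastLogonDate -and $u.LastLogonDate -lt $staleAfter) { $findings += 'no logon in 90 days' }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddDays(-365)) { $findings += 'password older than a year' }
        if ($u.adminCount -ne 1) { $findings += 'adminCount not set yet (SDProp has not run)' }
        [pscustomobject]@{ Group = $groupName; Member = $u.SamAccountName; Finding = ($findings -join '; ') }
    }
}
$report | Sort-Object Group, Member | Format-Table -AutoSize

# The operator groups should be empty outside a scheduled change, so any member is a finding.
$report | Where-Object { $_.Group -like '* Operators' } |
    ForEach-Object { Write-Warning "$($_.Group) is not empty: $($_.Member)" }

# Accounts removed from a protected group keep adminCount=1 and a non-inheriting ACL,
# which blocks delegated admins from managing them. List them for clean-up.
Get-ADUser -LDAPFilter '(adminCount=1)' |
    Where-Object { $_.SamAccountName -notin @($report.Member) } |
    Select-Object SamAccountName, DistinguishedName
```

Run it from a management host with read access to the domain; nothing in it writes to AD. Schedule it and diff the output between runs, so that a new member of Domain Admins or a no-longer-empty operator group shows up as a change rather than as something you have to notice by eye.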

Creating AD groups

As an IT Pro, you’ve very likely created Active Directory groups. Let’s get a good refresher here – you may learn something you’ve never known.

Using Active Directory Users and Computers (ADUC)

Start by installing Active Directory Users and Computers (ADUC), which is part of the Remote Server Administration Tools (RSAT), on your management PC. Then follow the instructions below:

Create Active Directory groups using ADUC – (Image Credit: Michael Reinders/Petri.com)
  • Use the Start Menu or the Start button to launch Active Directory Users and Computers.
  • Navigate to and click on the Organizational Unit (OU) you want the group created in.
  • Right-click the OU and choose New -> Group.
  • In the ‘Group name:‘ field, enter the name of the new group; the pre-Windows 2000 name is filled in from it automatically.
  • Choose the Group scope and the Group type and click OK.
Creating a new AD group with ADUC – (Image Credit: Michael Reinders/Petri.com)

The new group is immediately displayed in the OU. I chose to create a Domain Local group; this limits where it can be used to this domain, reinders.local. I do have a child domain (corp.reinders.local): accounts from it can be members of this group, but I can’t use the group in permissions on resources there.

Using PowerShell to create AD groups

Of course, you can use PowerShell to create one or many AD groups. Let me show you the ‘New-ADGroup’ cmdlet to create an additional group.

New-ADGroup -Name "Heroes Champions" -SamAccountName "HeroesChampions" -GroupCategory Security -GroupScope Global -Path "OU=Domain Groups,DC=reinders,DC=local" -Description "These members have access to the Heroes Champions share on the main file server"
Using ‘New-ADGroup’ in PowerShell to create a new Group in AD – (Image Credit: Michael Reinders/Petri.com)
Switch | Function
--- | ---
-Name | The name of the group object (its CN, shown as the group name in ADUC). The display name is a separate attribute, set with -DisplayName.
-SamAccountName | The “pre-Windows 2000” logon name of the group. It must be unique within the domain; if you omit it, the value of -Name is used.
-GroupCategory | Security or Distribution.
-GroupScope | DomainLocal, Global, or Universal (no space in the parameter value).
-Path | The Distinguished Name (DN) of the container or Organizational Unit (OU) the group is created in: the OU components innermost first, followed by the domain components, e.g. "OU=Domain Groups,DC=reinders,DC=local".
-Description | The description of your group. Be explicit here, so that colleagues later know exactly what the group is for; it helps a lot with troubleshooting (more on that soon).
Table 2 – PowerShell New-ADGroup cmdlet parameters

Using AD security groups for access control

The core reason for using security groups is for access control. You want to restrict which users can access a specific resource. Let me go through an example of locking down a folder on a fileserver share.

We’ll be locking down this folder with an AD security group – (Image Credit: Michael Reinders/Petri.com)

On my ‘WS16-FS01-CORE‘ fileserver, there’s a share called ‘Shares.’ I created a new folder called ‘Financials.’ I want to restrict access to this folder to a security group for management and compliance purposes.

In ADUC, I am in the ‘Domain Groups‘ OU. I right-click on it and choose New -> Group. I enter all the pertinent info.

Designating an AD security group with access to a file share – (Image Credit: Michael Reinders/Petri.com)

Please note – my verbose description is very useful when troubleshooting – when a helpdesk representative is working on a support ticket, they will know exactly what this security group is for and what it offers. If a user can’t access the folder, the rep will know they need to be a member of said group.
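The article shows the group being created but not the step that actually locks the folder down. The following PowerShell is an added example (not the author’s code) that carries the Financials scenario through end to end using the AGDLP layout from the scope use cases above: a global role group for finance staff, a domain local resource group for the permission, and an NTFS ACE that names only the domain local group. The group names, the local folder path on the file server, and the user ‘jdoe’ are assumptions; the ACL part is meant to run on the file server itself as a local administrator.

```powershell
# Added example: AGDLP for the Financials folder. Group names, folder path and 'jdoe' are assumptions.
Import-Module ActiveDirectory

$ou     = 'OU=Domain Groups,DC=reinders,DC=local'
$folder = 'D:\Shares\Financials'      # local path on WS16-FS01-CORE behind the 'Shares' share (assumed)

# A -> G: accounts go into a global role group. G -> DL: the role group is nested into a domain local
# group that stands for one permission on one resource. P: only the DL group ever appears in the ACL.
New-ADGroup -Name 'GG-Finance-Users' -GroupCategory Security -GroupScope Global -Path $ou `
    -Description 'Finance department staff (role group). Nest into DL-* resource groups; never ACL directly.'
New-ADGroup -Name 'DL-FS01-Financials-Modify' -GroupCategory Security -GroupScope DomainLocal -Path $ou `
    -Description "Modify on $folder on WS16-FS01-CORE. Members are role groups only; helpdesk: add users to GG-Finance-Users."
Add-ADGroupMember -Identity 'DL-FS01-Financials-Modify' -Members 'GG-Finance-Users'
Add-ADGroupMember -Identity 'GG-Finance-Users' -Members 'jdoe'

# NTFS: break inheritance (copying the inherited ACEs first), drop the broad entries, add the DL group.
# Built-in Administrators and SYSTEM keep Full Control so the server stays manageable. If the group was
# just created on a different DC, wait for replication first, or the name will not resolve to a SID here.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $true)      # isProtected = $true, preserveInheritance (copy) = $true
Set-Acl -Path $folder -AclObject $acl

$acl = Get-Acl -Path $folder                     # re-read: the copied ACEs are now explicit and removable
foreach ($ace in @($acl.Access)) {
    if ($ace.IdentityReference.Value -in 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone') {
        [void]$acl.RemoveAccessRule($ace)
    }
}
$identity = "$((Get-ADDomain).NetBIOSName)\DL-FS01-Financials-Modify"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify: the DL group is the only non-administrative principal; users and the role group never appear.
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Two things to keep in mind with this layout. The share permission on ‘Shares’ still applies on top of NTFS (the effective permission is the more restrictive of the two), so leave the share at a broad Change or Full Control and do the real restriction in NTFS as shown. And because group membership is evaluated at logon, ‘jdoe’ gets the new access only after logging off and on again; a helpdesk rep who has just added a user to GG-Finance-Users should tell them that.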

Best practices for Active Directory group management

There are some high-level best practices involved with AD Groups. I want to touch on a few of the most prevalent ones here.

  1. Group Scope and Type – Choose the right scope when creating a group. Scope can be converted later, but only within limits: Global to Universal is allowed unless the group is a member of another global group, Domain Local to Universal unless the group contains another domain local group, Universal to Global unless the group contains another universal group, and Global and Domain Local cannot be converted into each other directly (go through Universal). Changing the type from Security to Distribution leaves the ACEs in place but silently stops them granting access, so plan both up front.
  2. Naming Conventions – Adhere to an established company naming convention that encodes scope and purpose, for example GG-<role> for global role groups and DL-<server>-<resource>-<permission> for domain local resource groups. It makes administration and troubleshooting far easier: from the ACL alone you can tell what each group is for and which role group a user needs.
  3. Least Privilege Access – Grant the least amount of permission necessary for users to do their jobs, and grant it to groups rather than to individual accounts. Regularly review and update group memberships to ensure only authorized and active users have access.
  4. Group Policy Management – Use security groups in GPO security filtering to apply policies consistently to sets of users or computers. Since the MS16-072 change, user settings are retrieved in the computer’s security context, so the computer account must still be able to read the GPO (keep Authenticated Users or Domain Computers with Read) when you filter by a user group, or the policy is not applied at all.
  5. Audits and Cleanup – Set a schedule for routine audits of group membership in your AD environments, including deletion of unused groups. Deleting a group leaves its SID behind in ACLs as an unresolvable entry, and recreating a group with the same name produces a new SID, so the old permissions do not come back; clean those orphaned ACEs up as part of the same procedure.

Troubleshooting AD groups

What methods do you have when you need to troubleshoot AD Groups? Plenty.

  1. You can use the ‘Get-ADGroupMember’ PowerShell cmdlet to list the direct members of a particular group.
  2. You can add the ‘-Recursive’ switch to expand nested groups. Note that it returns the leaf members (users and computers) reached through any depth of nesting, not the intermediate groups, and that it cannot expand foreign security principals from a trusted forest.
  3. Validate that the correct Group Scope and Group Type are in use; a distribution group in an ACL, or a domain local group from another domain, grants nothing.
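The question the helpdesk actually has to answer is “why can’t this user open this folder?”. As an added example (not from the original article), the function below walks the folder’s ACL back into Active Directory: for every ACE that names a domain group, it checks whether the user is an effective member via Get-ADGroupMember -Recursive and uses the LDAP_MATCHING_RULE_IN_CHAIN filter to report which of the user’s direct groups leads there, which is what the rep needs to know which role group to add. The folder path, the user ‘jdoe’ and the single-domain setup are assumptions; it needs the ActiveDirectory module and read access to the folder’s ACL.

```powershell
# Added example: explain a user's effective access to a folder through nested AD groups.
# Folder path, user name and single-domain layout are assumptions.
Import-Module ActiveDirectory

function Get-FolderAccessExplanation {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $netbios = (Get-ADDomain).NetBIOSName
    $user    = Get-ADUser -Identity $SamAccountName
    # Groups the user is in directly; only security groups reach the logon token.
    $direct  = Get-ADPrincipalGroupMembership -Identity $user | Where-Object GroupCategory -eq 'Security'

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $domainPart, $namePart = $ace.IdentityReference.Value -split '\\', 2
        # Skip BUILTIN\..., NT AUTHORITY\... and the file server's own local groups: on a member
        # server BUILTIN\Administrators is the local group, not the domain's Builtin container group.
        if ($domainPart -ne $netbios) { continue }
        $group = Get-ADGroup -Filter "SamAccountName -eq '$namePart'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }          # the ACE names a user or computer account, not a group

        # Leaf members at any nesting depth (users/computers only, no intermediate groups).
        $members  = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
        $isMember = $members.SamAccountName -contains $user.SamAccountName

        # Every group nested (transitively) inside the ACE group. DNs containing ( ) * or \
        # would need LDAP escaping; the assumed OU here has none.
        $nested = Get-ADGroup -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
        $via    = $direct | Where-Object {
            $_.DistinguishedName -eq $group.DistinguishedName -or
            $_.DistinguishedName -in @($nested.DistinguishedName)
        }
        [pscustomobject]@{
            Ace          = $ace.IdentityReference.Value
            Rights       = $ace.FileSystemRights
            Type         = $ace.AccessControlType    # a matching Deny overrides any Allow
            Scope        = $group.GroupScope
            UserIsMember = $isMember
            ViaGroup     = (@($via.Name) -join ', ')
        }
    }
}

# If no row shows an Allow ACE with UserIsMember = True, the fix is to add the user to the role
# group named in the DL group's description, not to the DL group itself and never to the ACL.
Get-FolderAccessExplanation -Path 'D:\Shares\Financials' -SamAccountName 'jdoe' | Format-Table -AutoSize
```

Read the output top to bottom: a Deny row with UserIsMember = True explains a failure regardless of any Allow rows, an Allow row with UserIsMember = False but an obvious role group in the naming convention is the usual “add them to GG-…” ticket, and a row whose Scope is DomainLocal from a different domain is a group that can never grant anything here.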

Thank you for reading this informative post on groups in Active Directory. Please leave a comment or question below.
