How to Manage Groups in Active Directory: Create and Delete (Part 1)
In a typical AD forest, groups govern authorization to sensitive data. Groups can distribute content (mail) or grant access to files, services, or even delegated AD administration. A fresh installation already contains several built-in groups, such as Domain Admins and Account Operators.
Active Directory Users and Computers (ADUC) and the Active Directory Administrative Center (ADAC) are the graphical consoles for creating and managing groups. ADAC differs from ADUC in that it has a PowerShell History pane, which shows the PowerShell cmdlets that run behind the GUI.
To manage groups, sign in to a domain controller, a domain-joined server, or a workstation with the Remote Server Administration Tools (RSAT) installed.
As for access level, you need a Domain Admins account, an Account Operators account, or an account that has been delegated the right to create groups in a specific OU.
Group Scopes
There are three group scopes:
- Global groups
- Universal groups
- Domain local groups
When deciding which group to create, you need to know the group scopes and how they differ. Global and universal groups can be nested into domain local groups, and global groups can be nested into universal groups. A common pattern is therefore to create global groups for departments, universal groups for distribution groups, and domain local groups for access rights.
Group Types
There are two group types:
- Distribution groups
- Security groups
Distribution groups do not have a security identifier (SID) and therefore cannot be used to grant access to resources, except for resources within Microsoft Exchange Server. Security groups, by contrast, do have SIDs. It is possible to convert a distribution group into a security group, and vice versa.
How to Create a Group
There are several methods to create a group.
Creating a group with ADUC
Open ADUC (dsa.msc). Navigate to the OU or container where you want to create the group. Right-click that OU or container and select New > Group.
In the New Object - Group screen, specify the following values:
- Specify the Group Name.
- Specify the Group scope or accept the default Global scope.
- Specify the Group type or accept the default Security type.
Click OK to create the group.
Creating a Group with ADAC
Open ADAC (dsac.exe). Right-click the domain name and select New > Group from the menu.
In the Create Group screen, specify the following values:
- Specify the Group name.
- Specify the Group scope or accept the default Global scope.
- Specify the Group type or accept the default Security type.
Click OK to create the group.
Creating a Group Using Command Prompt
Use the following cmd.exe command to create a group in AD:
dsadd.exe group "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local"
Creating a Group Using Windows PowerShell
Use the following PowerShell code:
Import-Module ActiveDirectory
New-ADGroup -GroupCategory Security -GroupScope Global -Name "ITGroup" -Path "OU=OfficeCorp,DC=office,DC=local" -SamAccountName "ITGroup"
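The nesting pattern from the Group Scopes section (global group for people, domain local group for the permission) and the distribution-to-security conversion, carried out with the same cmdlets. This is an added example, not code from the original article; the OU path, group names and share name are assumed values.

```powershell
Import-Module ActiveDirectory

# Assumed OU (same naming as the article's example, not a real environment)
$ou = "OU=OfficeCorp,DC=office,DC=local"

# 1. Global group for the department: this is where user accounts go
New-ADGroup -Name "IT-Staff" -SamAccountName "IT-Staff" `
    -GroupCategory Security -GroupScope Global -Path $ou `
    -Description "IT department staff (global group, holds user accounts)"

# 2. Domain local group that carries the actual permission on a resource
#    (this group, not the department group, is placed on the ACL)
New-ADGroup -Name "FS-ITShare-Modify" -SamAccountName "FS-ITShare-Modify" `
    -GroupCategory Security -GroupScope DomainLocal -Path $ou `
    -Description "Modify access to \\fs01\ITShare (assumed share name)"

# 3. Nest the global group inside the domain local group (allowed nesting direction)
Add-ADGroupMember -Identity "FS-ITShare-Modify" -Members "IT-Staff"

# 4. Protect both groups from accidental deletion (deny Delete/DeleteTree on the object)
foreach ($g in "IT-Staff", "FS-ITShare-Modify") {
    Set-ADObject -Identity (Get-ADGroup -Identity $g).DistinguishedName `
        -ProtectedFromAccidentalDeletion $true
}

# 5. A distribution group converted to a security group (it gains a SID and can now be used on ACLs)
New-ADGroup -Name "IT-News" -SamAccountName "IT-News" `
    -GroupCategory Distribution -GroupScope Universal -Path $ou
Set-ADGroup -Identity "IT-News" -GroupCategory Security

# Verify scope, category and the nesting of the new groups
Get-ADGroup -Identity "FS-ITShare-Modify" -Properties Members |
    Select-Object Name, GroupScope, GroupCategory, Members
Get-ADGroup -Identity "IT-News" | Select-Object Name, GroupScope, GroupCategory, SID
```

Users are added to IT-Staff only; the share's ACL references FS-ITShare-Modify, so access changes never require touching the ACL itself.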
How to Delete a Group in AD
Here are several methods to do that.
Deleting a Group Using ADUC
Open ADUC (dsa.msc). Perform these actions:
Navigate to the OU or container where the group that you intend to delete resides.
From the Action menu, select Find.... In the Name field, type in the name of the group you intend to delete, and then click Find Now. From the list of Search results, select the group.
Right-click the group and select Delete from the list. Click Yes in the confirmation window.
Deleting a Group with ADAC
Open ADAC (dsac.exe). Then, either:
Navigate to the OU or container where the group that you intend to delete resides, or, in the main pane under Global Search, type the name of the group you intend to delete and press Enter, then select the group from the list of Global Search results.
Right-click the group and select Delete from the list. Click Yes in the Delete confirmation window.
Deleting a Group Using Command Prompt
Use the following command to delete a group in Active Directory:
dsrm.exe "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local"
Type “y” for confirmation and press Enter.
Deleting a Group Using Windows PowerShell
Use the following PowerShell code:
Import-Module ActiveDirectory
Remove-ADObject -Identity "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local"
Type “y” for confirmation and press Enter.
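Before a group is removed it is worth knowing who loses access and where the group is nested, since deleting a nested group silently breaks every permission granted through it. This is an added example, not from the original article; it uses the article's example DN and assumes the ActiveDirectory module is present.

```powershell
Import-Module ActiveDirectory

# The article's example group (assumed to exist in the lab domain)
$dn = "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local"
$group = Get-ADGroup -Identity $dn -Properties MemberOf, ProtectedFromAccidentalDeletion

# Direct members: users, computers and nested groups that lose whatever this group grants
$members = Get-ADGroupMember -Identity $dn
Write-Host "Direct members of $($group.Name): $($members.Count)"
$members | Select-Object Name, objectClass

# Groups this group is nested in: each member above also loses access granted via these
Write-Host "Nested in $($group.MemberOf.Count) group(s):"
$group.MemberOf

# Accidental-deletion protection makes Remove-ADGroup fail with access denied,
# so it has to be cleared deliberately first (an audit trail in itself)
if ($group.ProtectedFromAccidentalDeletion) {
    Set-ADObject -Identity $dn -ProtectedFromAccidentalDeletion $false
}

# Dry run: Remove-ADGroup is the group-specific equivalent of Remove-ADObject.
# Drop -WhatIf to delete; the cmdlet still asks for confirmation unless -Confirm:$false is given.
Remove-ADGroup -Identity $dn -WhatIf
```

If the AD Recycle Bin feature is enabled, the deleted group can be restored with its SID and membership intact; without it the SID is gone and ACL entries referencing the group become orphaned.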
Conclusion
Managing groups in Active Directory is a fundamental task for administering access to resources within a domain. In this tutorial, you’ve learned how to create and delete groups using graphical tools like ADUC and ADAC, as well as command-line utilities like Command Prompt and PowerShell. You also explored the difference between group scopes (Global, Universal, Domain Local) and group types (Security, Distribution), which are essential for organizing users and assigning permissions effectively. Mastering these basics lays the groundwork for more advanced AD group management and access control strategies.
FAQ
- Q: What’s the difference between Security and Distribution groups in AD?
A: Security groups are used to assign permissions to resources and have a unique SID. Distribution groups are used primarily for email distribution lists and cannot be used to secure resources.
- Q: Can I change a group from Distribution to Security after creation?
A: Yes, you can convert a distribution group into a security group and vice versa using ADUC or PowerShell.
- Q: Do I need to be a domain admin to manage groups?
A: Not necessarily. You can use a delegated account with specific permissions to manage groups within a particular OU, but domain admins and account operators have full control.
- Q: Which group scope should I choose: Global, Universal, or Domain Local?
A: It depends on your use case. Global groups are typically used for users within the same domain, Universal for multi-domain membership, and Domain Local for assigning permissions to resources.
- Q: Can I manage AD groups from a non-Domain Controller?
A: Yes, if Remote Server Administration Tools (RSAT) are installed on your workstation and you have the required permissions.