How to Manage Groups in AD. Part 1: Creating and Deleting Groups.
In a typical AD forest, groups govern authorization to sensitive data: they distribute mail, grant access to files and services, and carry delegated rights over AD itself. A fresh installation already contains several built-in groups, such as Domain Admins and Account Operators.
Active Directory Users and Computers (ADUC) and the Active Directory Administrative Center (ADAC) are the graphical tools for creating and managing groups. ADAC differs from ADUC in that it has a Windows PowerShell History pane, which shows the cmdlets the GUI runs behind the scenes; it is a convenient way to learn the scripting equivalent of each click.
To manage groups, sign in to a DC, a domain-joined server, or a workstation with the Remote Server Administration Tools (RSAT) installed.
As for access level, you need a Domain Admins account, an Account Operators account, or rights to create groups in a specific OU granted via delegation. Delegation is the least-privilege option: Account Operators can manage most accounts and groups in the domain, so hand it out only where that breadth is really needed.
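Before relying on delegation it is worth checking who actually holds the "Create Group objects" right on an OU, because such ACEs accumulate over time. The following is an added example (not code from the original article) that reads the OU's security descriptor through the AD: drive and lists Allow ACEs that grant CreateChild for the group class or for all child objects, or GenericAll. The OU distinguished name is an assumption; the GUID is the schemaIDGUID of the group object class.

```powershell
# Added example: list principals who may create group objects in an OU.
# Assumes the RSAT ActiveDirectory module; the OU DN below is hypothetical.
Import-Module ActiveDirectory

# schemaIDGUID of the "group" class. A CreateChild ACE whose ObjectType is this
# GUID is what "Create Group objects" means in the Delegation of Control wizard.
$GroupClassGuid = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'
$EmptyGuid      = [guid]'00000000-0000-0000-0000-000000000000'   # ACE applies to all child object classes

$CreateChild = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$GenericAll  = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-GroupCreators {
    param([Parameter(Mandatory)][string]$OUDistinguishedName)

    $acl = Get-Acl -Path ("AD:\" + $OUDistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.ActiveDirectoryRights

        # GenericAll (full control) implies every specific right, including CreateChild.
        $fullControl = (($rights -band $GenericAll) -eq $GenericAll)
        # CreateChild counts only if it is unscoped or scoped to the group class.
        $createGroup = (($rights -band $CreateChild) -ne 0) -and
                       ($ace.ObjectType -eq $GroupClassGuid -or $ace.ObjectType -eq $EmptyGuid)

        if ($fullControl -or $createGroup) {
            [pscustomobject]@{
                Identity   = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                Scope      = if ($ace.ObjectType -eq $GroupClassGuid) { 'group class' } else { 'all child objects' }
                Inherited  = $ace.IsInherited
            }
        }
    }
}

Get-GroupCreators -OUDistinguishedName 'OU=OfficeCorp,DC=office,DC=local' | Format-Table -AutoSize
```

Inherited ACEs show up too, so an entry with Inherited set to True was granted higher up the tree (often at the domain root) rather than on this OU. Anything in the list beyond Domain Admins, Account Operators and the intended delegated group deserves a second look.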
Group Scopes
There are three group scopes:
- Global groups
- Universal groups
- Domain local groups
When deciding which group to create, you need to know the scopes and how they differ. Global groups can contain accounts (and other global groups) from their own domain only, and can be nested into universal groups and domain local groups. Universal groups can contain accounts, global groups and universal groups from any domain in the forest, and can be nested into domain local groups; their membership is replicated to the global catalog. Domain local groups can contain members from any domain but can only be used on resources in their own domain. The common pattern (AGDLP) is therefore: accounts go into global groups (for example, one per department), global groups are nested into domain local groups, and the domain local groups are what appear in ACLs on resources. Universal groups are commonly used for distribution groups.
Group Types
There are two group types:
- Distribution groups
- Security groups
Distribution groups are not security-enabled: they are not added to a user's access token at logon, so they cannot be used to grant access to resources; they exist for e-mail distribution (for example in Microsoft Exchange Server). Security groups are security-enabled and appear in the token. Note that every AD group object, distribution groups included, has an objectSid; what differs is the security-enabled flag in the groupType attribute, so a group keeps its SID when converted. It is possible to convert a distribution group into a security group, and vice versa. Converting a distribution group to a security group makes its existing membership immediately effective for authorization, so review the members before converting.
How to Create a Group
There are several methods to create a group.
Creating a group with ADUC
Open ADUC (dsa.msc). Navigate to the OU or container where you want to create the group. Right-click that OU or container and select New -> Group.
In the New Object - Group screen, specify the following values:
- Specify the Group Name.
- Specify the Group scope or accept the default Global scope.
- Specify the Group type or accept the default Security type.
Click OK to create the group.
Creating a Group with ADAC
Open ADAC (dsac.exe). Right-click the domain name, or the OU where the group should live, and select New -> Group from the menu.
In the Create Group screen, specify the following values:
- Specify the Group name
- Specify the Group scope or accept the default Global scope.
- Specify the Group type or accept the default Security type.
Click OK to create the group.
Creating a Group Using Command Prompt
Use the following cmd.exe command to create a group in AD (by default dsadd creates a global security group; use -scope l or -scope u and -secgrp no to change that):
dsadd.exe group "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local"
Creating a Group Using Windows PowerShell
Use the following PowerShell code (the ActiveDirectory module ships with RSAT):
Import-Module ActiveDirectory
New-ADGroup -GroupCategory Security -GroupScope Global -Name "ITGroup" -Path "OU=OfficeCorp,DC=office,DC=local" -SamAccountName "ITGroup"
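The scope and type discussion above and the New-ADGroup step come together in the AGDLP pattern. The following is an added example (not code from the original article) that creates a global role group and a domain local resource group in the same OU, nests one into the other, places only the domain local group on a share's NTFS ACL, and then decodes the groupType attribute to confirm what was created. The OU, group names and share path are assumptions.

```powershell
# Added example: AGDLP in PowerShell, plus decoding groupType.
# Assumes the RSAT ActiveDirectory module; the OU, group names and share below are hypothetical.
Import-Module ActiveDirectory

$OU = 'OU=OfficeCorp,DC=office,DC=local'

function New-GroupIfMissing {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Global','DomainLocal','Universal')][string]$Scope,
        [ValidateSet('Security','Distribution')][string]$Category = 'Security',
        [string]$Description
    )
    # Re-running the script must not fail or create duplicates.
    $existing = Get-ADGroup -Filter "SamAccountName -eq '$Name'"
    if ($existing) { return $existing }

    $params = @{ Name = $Name; SamAccountName = $Name; GroupScope = $Scope
                 GroupCategory = $Category; Path = $OU; PassThru = $true }
    if ($Description) { $params.Description = $Description }
    New-ADGroup @params
}

# A -> G: accounts are added to a Global role group ...
$role = New-GroupIfMissing -Name 'Role-IT-Staff' -Scope Global -Description 'IT department staff'
# G -> DL: ... which is nested into a Domain Local resource group ...
$res  = New-GroupIfMissing -Name 'ACL-Projects-Modify' -Scope DomainLocal -Description 'Modify on \\fs01\Projects'
Add-ADGroupMember -Identity $res -Members $role

# DL -> P: ... and only the Domain Local group is placed on the resource's ACL.
$netbios = (Get-ADDomain).NetBIOSName
$ntfs = Get-Acl -Path '\\fs01\Projects'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\ACL-Projects-Modify", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$ntfs.AddAccessRule($rule)
Set-Acl -Path '\\fs01\Projects' -AclObject $ntfs

# groupType is a bit field: 0x2 global, 0x4 domain local, 0x8 universal,
# 0x80000000 security-enabled (which makes the stored value negative).
function Get-GroupTypeInfo {
    param([Parameter(Mandatory)][string]$Identity)
    $g  = Get-ADGroup -Identity $Identity -Properties groupType
    $gt = $g.groupType
    [pscustomobject]@{
        Name            = $g.Name
        GroupType       = $gt
        Scope           = if ($gt -band 0x2) { 'Global' } elseif ($gt -band 0x4) { 'DomainLocal' } elseif ($gt -band 0x8) { 'Universal' } else { 'Unknown' }
        SecurityEnabled = [bool]($gt -band 0x80000000)
    }
}

'Role-IT-Staff', 'ACL-Projects-Modify' | ForEach-Object { Get-GroupTypeInfo -Identity $_ } | Format-Table -AutoSize
```

With this layout, granting a new department access to the share means adding its global group to ACL-Projects-Modify; the NTFS ACL itself never changes. The groupType decoding is the quickest way to tell a distribution group from a security group in bulk, since the flag, not the presence of a SID, is what decides whether the group appears in access tokens.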
How to Delete a Group in AD
There are several methods to do that.
Deleting a Group Using ADUC
Open ADUC (dsa.msc). Then:
Navigate to the OU or container where the group that you intend to delete resides.
From the Action menu, select Find.... In the Name field, type in the name of the group you intend to delete, and then click Find Now. From the list of Search results, select the group.
Rightclick the group and select Delete from the list. Click Yes in confirmation window.
Deleting a Group with ADAC
Open ADAC (dsac.exe). Then:
Navigate to the OU or container where the group that you intend to delete resides, or, from the navigation pane, under Global Search, type the name of the group you intend to delete and press Enter.
From the list of Global Search results, select the group. Right-click the group, select Delete from the list, and click Yes in the Delete confirmation window.
Deleting a Group Using Command Prompt
Use the following command to delete a group in Active Directory:
dsrm.exe "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local"
Type "y" for confirmation and press Enter (dsrm accepts -noprompt to skip the question in scripts).
Deleting a Group Using Windows PowerShell
Use the following PowerShell code (Remove-ADGroup works the same way and additionally refuses to operate on objects that are not groups):
Import-Module ActiveDirectory
Remove-ADObject -Identity "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local"
Type "y" for confirmation and press Enter. If the group has "Protect object from accidental deletion" set, the deletion fails with an access-denied error until that flag is cleared.
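Deleting a group silently removes whatever access its SID granted, and ACLs that still reference the SID keep it as an unresolvable entry. The following is an added example (not code from the original article) that wraps the deletion step above: it records the group's members, nesting and SID to a JSON file, refuses to delete a non-empty group unless forced, clears the accidental-deletion guard, and only then calls Remove-ADGroup without the interactive prompt. The group name and backup folder are assumptions.

```powershell
# Added example: delete a group only after recording what it granted.
# Assumes the RSAT ActiveDirectory module; group name and backup folder are hypothetical.
Import-Module ActiveDirectory

function Remove-ADGroupSafely {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$BackupFolder = 'C:\ADGroupBackups',
        [switch]$Force
    )
    $group = Get-ADGroup -Identity $Identity `
                -Properties Members, MemberOf, Description, ProtectedFromAccidentalDeletion, whenCreated

    # 1. Record members, nesting and the SID so the access can be reconstructed
    #    (or stale ACL entries identified) after the object is gone.
    if (-not (Test-Path $BackupFolder)) { New-Item -ItemType Directory -Path $BackupFolder | Out-Null }
    $backup = Join-Path $BackupFolder ("{0}_{1:yyyyMMdd-HHmmss}.json" -f $group.SamAccountName, (Get-Date))
    [pscustomobject]@{
        DistinguishedName = $group.DistinguishedName
        SID               = $group.SID.Value
        Description       = $group.Description
        GroupScope        = $group.GroupScope.ToString()
        GroupCategory     = $group.GroupCategory.ToString()
        Members           = @($group.Members)
        MemberOf          = @($group.MemberOf)
        WhenCreated       = $group.whenCreated
    } | ConvertTo-Json -Depth 3 | Set-Content -Path $backup -Encoding UTF8

    # 2. A group that still has members is probably still in use; stop unless forced.
    $memberCount = @($group.Members).Count
    if ($memberCount -gt 0 -and -not $Force) {
        throw "Group '$($group.Name)' still has $memberCount member(s); review $backup and rerun with -Force."
    }

    # 3. The accidental-deletion guard is a Deny ACE; Remove-ADGroup fails with
    #    'Access is denied' until it is cleared.
    if ($group.ProtectedFromAccidentalDeletion) {
        Set-ADObject -Identity $group -ProtectedFromAccidentalDeletion $false
    }

    # 4. Delete without the interactive confirmation prompt.
    Remove-ADGroup -Identity $group -Confirm:$false
    return $backup
}

$backupFile = Remove-ADGroupSafely -Identity 'ITGroup'
"Deleted ITGroup; backup written to $backupFile"
```

If the forest has the AD Recycle Bin enabled, a deleted group (membership included) can be brought back with Restore-ADObject within the deleted-object lifetime; without it, the JSON file is the only record of what the group contained, which is why the script writes it before anything is removed.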