Serverspace Black Friday
DF
Daniil Fedorov
August 2, 2021
Updated May 25, 2023

How to Manage Groups in AD. Part 1: Creating and Deleting Groups.

AD Windows

In average AD forests, groups govern authorization to sensitive data. Groups can distribute content or help to give access to files, services or even AD delegation. After installation you will gain several built-in groups such as Domain Admins group or Account Operators.

The Active Directory Users and Computers (ADUC) and the Active Directory Administrative Center (ADAC) are programs that provide graphic UI to interact with groups and help to manage them. ADAC differs from ADUC in a way that it has PowerShell History this provides the ability to see the PowerShell cmdlets behind the GUI.

In order to manage groups, you have to sign in to a DC, a doman-joined server, or a device with the Remote Server Administration Tools (RSAT) installed.
Speaking about access level you need to have a domain admin account, the Account Operators account, or have rights to create groups in certain OU via delegation.

Group Scopes

There are three group scopes:

  • Global groups
  • Universal groups
  • Domain local groups

When deciding what group to create, you need to know what are the group types and how they differ. Global groups and universal groups can be nested into domain local groups and global groups can be nested into universal groups. Therefore, it is very popular that global groups are created for departments, universal groups for distribution groups, and domain local groups for access rights.

Group Types

There are two group types:

  • Distribution groups
  • Security groups

Distribution groups do not have a security identifier (SID) and, therefore, can't be used to allow access to resources, except for resources within Microsoft Exchange Server. On the opposite side security groups do have SIDs. It is possible to convert a distribution group into a security group, and vice versa.

How to Create a Group

There are several methods to create a group.

Creating a group with ADUC

Open ADUC (dsa.msc). Navigate to the OU or Container where you want to create the group. Rightclick the OU or Container where you want to create a new group in and select New-> Group.

How to Manage Groups in AD. Part 1: Creating and Deleting Groups.

In the New Object - Group screen, specify the following values:

  • Specify the Group Name.
  • Specify the Group scope or accept the default Global scope.
  • Specify the Group type or accept the default Security type.

Click OK to create the group.

Creating a Group with ADAC

Open ADAC (dsac.exe). Rightclick the domain name and select New->Group from the menu.

How to Manage Groups in AD. Part 1: Creating and Deleting Groups.

In the Create Group screen, specify the following values:

  • Specify the Group name
  • Specify the Group scope or accept the default Global scope.
  • Specify the Group type or accept the default Security type.

Click OK to create the group.

Creating a Group Using Command Prompt

Use the following cmd.exe command to create a group in AD:

dsadd.exe group "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local"

Creating a Group Using Windows PowerShell

Use the following PowerShell code:

Import-Module ActiveDirectory
New-ADGroup -GroupCategory Security -GroupScope Global -Name "ITGroup" -Path "OU=OfficeCorp,DC=office,DC=local" -SamAccountName "ITGroup

How to Delete a Group in AD

Here are several methods to do that.

Deleting a User Using ADAC

Open ADUC (dsa.msc). Perform these actions:

Navigate to the OU or container where the group that you intend to delete resides.

From the Action menu, select Find.... In the Name field, type in the name of the group you intend to delete, and then click Find Now. From the list of Search results, select the group.

How to Manage Groups in AD. Part 1: Creating and Deleting Groups.

 

Rightclick the group and select Delete from the list. Click Yes in confirmation window.

How to Manage Groups in AD. Part 1: Creating and Deleting Groups.

Deleting a Group with ADAC

Open the ADAC (dsac.exe). Perform one of these series of actions:

Navigate to the OU or container where the group that you intend to delete resides. From the main menu pane, under Global Search, type in the name of the group you intend to delete, and press Enter.

From the list of Global Search results, select the group. Right-click the group this time, select Delete from the list. Click Yes in the Delete confirmation popup window.

Deleting a Group Using Command Prompt

Use the following command to delete a group in Active Directory:

dsrm.exe "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local"

Type “y” for confirmation and press Enter.

How to Manage Groups in AD. Part 1: Creating and Deleting Groups.

Deleting a Group Using Windows PowerShell

Use the following PowerShell code:

Import-Module ActiveDirectory
Remove-ADObject -Identity "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local"

Type “y” for confirmation and press Enter.

Vote:
5 out of 5
Аverage rating : 5
Rated by: 2
1101 CT Amsterdam The Netherlands, Herikerbergweg 292
+31 20 262-58-98
700 300
ITGLOBAL.COM NL
700 300
We use cookies to make your experience on the Serverspace better. By continuing to browse our website, you agree to our
Use of Cookies and Privacy Policy.