11.12.2024

How to Manage Groups in AD. Part 2: Managing Members in a Group

In a typical AD forest, groups govern authorization to sensitive data. Groups can be used to distribute content or to grant access to files, services, or even AD delegation. After installation you get several built-in groups, such as Domain Admins or Account Operators.

The Active Directory Users and Computers (ADUC) and the Active Directory Administrative Center (ADAC) are programs that provide a graphical UI for interacting with groups and managing them. ADAC differs from ADUC in that it has PowerShell History, which lets you see the PowerShell cmdlets behind the GUI.

To manage groups, you have to sign in to a DC, a domain-joined server, or a device with the Remote Server Administration Tools (RSAT) installed.
As for access level, you need a domain admin account, an Account Operators account, or rights to create groups in a certain OU via delegation.

Managing Members of a Group

Group membership can be managed in several ways:

Managing Group Membership via ADUC

Adding a User to a Group

Open ADUC (dsa.msc). Go to the OU where the needed user resides. From the Action menu, select "Find...". In the Name field, type in the name of the user that you want to add to a group, and then press Enter.

Right-click the needed user object and select "Add to a group..." from the menu.

In the "Select Groups" window, type in the name of the needed group, or click the "Advanced" button to search for it. Click "Check Names". Click OK to add the user to the group.

Removing a User from a Group

From the Action menu, select "Find...". In the "Name" field, type in the name of the needed group and press Enter. Right-click the group and select Properties. Switch to the "Members" tab. In the "Group Properties" window, select the user that you need to remove and click Remove.

Click Yes in the confirmation window. Click OK and you are done.

Perform Group Membership changes via ADAC

Adding a User to a Group

To add a user to a group using the ADAC, switch to the Tree view in the left navigation pane. Go to the OU or container where the user resides. Use Global Search to find the needed user: type in the name of the user object in the search field, and then press Enter. From the list of Global Search results, right-click the user object and select "Add to group...".

In the Select Groups window, type in the name of the group that you want to add the user account to. Click "Check Names". Click OK to finish adding the user.

Removing a User from a Group

To remove a user from a group, go to the OU or container where the group resides. Under Global Search, type in the name of the group, and then press Enter. From the list of Global Search results, select the group. Right-click it and select Properties from the list. In the left navigation pane, click Members.

In the Members section, select the needed user and click Remove. The user will be removed without any confirmation window.

Using Windows PowerShell

Use the following cmdlet to add a user to a group:

Import-Module ActiveDirectory

Add-ADGroupMember -Identity "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local" -Members "GSoul"

Use the following lines of PowerShell code to remove a user from a group in Active Directory:

Import-Module ActiveDirectory
Remove-ADGroupMember -Identity "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local" -Members "GSoul"

Type “y” to confirm your removal action.
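
The two cmdlets above can be combined into a reconciliation check that compares a group's direct members with an approved list and previews the changes before making them. This is an added example, not part of the original article; the function name Sync-GroupMembership and the account "JDoe" are constructed for illustration, while the group DN and "GSoul" are the article's own sample values.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper (not a built-in cmdlet): brings a group's direct
# membership in line with an approved list of sAMAccountNames.
function Sync-GroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $Group,
        [Parameter(Mandatory)] [string[]] $Approved
    )

    # Direct members only; a nested group is returned as one member object
    # and is not expanded unless -Recursive is added.
    $current = @(Get-ADGroupMember -Identity $Group |
                 Select-Object -ExpandProperty SamAccountName)

    # -notin compares case-insensitively, which matches sAMAccountName semantics.
    $missing    = @($Approved | Where-Object { $_ -notin $current })
    $unapproved = @($current  | Where-Object { $_ -notin $Approved })

    foreach ($name in $missing) {
        if ($PSCmdlet.ShouldProcess($Group, "Add member $name")) {
            Add-ADGroupMember -Identity $Group -Members $name
        }
    }
    foreach ($name in $unapproved) {
        if ($PSCmdlet.ShouldProcess($Group, "Remove member $name")) {
            # -Confirm:$false suppresses the "y" prompt described above;
            # the ShouldProcess call is the gate instead.
            Remove-ADGroupMember -Identity $Group -Members $name -Confirm:$false
        }
    }

    # Report what differed from the approved list before any change.
    [pscustomobject]@{
        Group      = $Group
        Missing    = $missing
        Unapproved = $unapproved
    }
}

# Dry run: -WhatIf prints the planned adds and removals and changes nothing.
Sync-GroupMembership -Group "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local" `
                     -Approved "GSoul", "JDoe" -WhatIf
```

Run it once with -WhatIf and review the Unapproved list before running it for real, since every account in that list is removed from the group.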