In Active Directory, access to network resources is granted to security principals, such as user accounts and computer accounts, and those permissions can change over time. To simplify access management and improve security, medium and large companies often use Active Directory security groups and distribution groups.
Group Types
- Security Groups: Can contain user and computer accounts as well as other groups; used for granting permissions
- Distribution Groups: Used to manage email distribution lists
Both security and distribution groups have unique SIDs and GUIDs.
If you’re not already familiar with AD groups and group management, please read the Active Directory Group Management Best Practice guide.
Getting the Syntax
To see the full syntax for creating groups:
Get-Command New-ADGroup -Syntax

Creating a Basic Group
The easiest way to create a group:
New-ADGroup "Group Name"
PowerShell will prompt you for the mandatory GroupScope parameter and then create the new group.
Default Values
This group will have default values:
- Created in the default LDAP container called “Users”
- Has the “Security” group type
- The Members, Member of, Description, Email and Notes fields will all be blank
Creating a Complete Group
Let’s create a security group called “Quality” in the “Production” OU:
New-ADGroup "Quality" `
-Path "OU=Production,DC=enterprise,DC=com" `
-GroupCategory Security `
-GroupScope Global `
-PassThru -Verbose
Parameters Explained
- -Path: Specifies the OU where the group will be created
- -GroupCategory: Security or Distribution
- -GroupScope: Global, DomainLocal, or Universal
- -PassThru: Returns the group object
- -Verbose: Shows detailed progress
Group Scopes
Global
- Can contain members from the same domain
- Can be granted permissions in any domain in the forest
- Most commonly used for organizing users
DomainLocal
- Can contain members from any domain
- Can only be granted permissions in the same domain
- Commonly used for assigning permissions to resources
Universal
- Can contain members from any domain
- Can be granted permissions in any domain
- Use sparingly, as their membership is stored in the Global Catalog
Creating Different Group Types
Universal Distribution Group
New-ADGroup "Marketing Distribution" `
-Path "OU=Groups,DC=enterprise,DC=com" `
-GroupCategory Distribution `
-GroupScope Universal `
-PassThru -Verbose
Deleting an AD Group
To delete an AD group, use the Remove-ADGroup cmdlet:
Remove-ADGroup -Identity Quality
You’ll be prompted to confirm the deletion of the group.
Best Practices
Group Management
- Use descriptive group names
- Document the purpose of each group
- Follow a naming convention
- Regularly audit group membership
- Remove unused groups
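One way to act on the audit and cleanup items above, as an added PowerShell example that is not part of the original article: a read-only report of groups that lack a description, break the naming convention, are empty, or are Universal security groups. The naming pattern is a hypothetical convention, and the search base reuses the OU from this page's examples.

```powershell
# Added example: read-only audit of groups under one OU.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumption: search base reuses the OU from the examples on this page.
$SearchBase  = 'OU=Production,DC=enterprise,DC=com'
# Assumption: hypothetical naming convention, e.g. "SEC-G-Quality", "DST-U-Marketing".
$NamePattern = '^(SEC|DST)-(G|DL|U)-[A-Za-z0-9 ]+$'

$report = Get-ADGroup -Filter * -SearchBase $SearchBase `
        -Properties Description, Members, whenChanged |
    ForEach-Object {
        $findings = @()
        if (-not $_.Description)            { $findings += 'NoDescription' }
        if ($_.Name -notmatch $NamePattern) { $findings += 'NameOffConvention' }
        # Members reflects the "member" attribute only; accounts that hold the
        # group as their primary group are not listed there.
        if ($_.Members.Count -eq 0)         { $findings += 'Empty' }
        # The page advises using Universal scope sparingly, so flag it for review.
        if ($_.GroupScope -eq 'Universal' -and $_.GroupCategory -eq 'Security') {
            $findings += 'UniversalSecurity'
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Name              = $_.Name
                Category          = $_.GroupCategory
                Scope             = $_.GroupScope
                MemberCount       = $_.Members.Count
                WhenChanged       = $_.whenChanged
                Findings          = $findings -join ','
                DistinguishedName = $_.DistinguishedName
            }
        }
    }

$report | Sort-Object Findings, Name |
    Format-Table Name, Category, Scope, MemberCount, WhenChanged, Findings -AutoSize

# Empty groups are only candidates for removal: a group can be empty and still
# be referenced in ACLs. -WhatIf previews the deletion without changing anything.
$report | Where-Object { $_.Findings -match 'Empty' } |
    ForEach-Object { Remove-ADGroup -Identity $_.DistinguishedName -WhatIf }
```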
When to Use Each Group Scope
- Global: For organizing users with similar roles
- DomainLocal: For granting permissions to resources
- Universal: For cross-domain scenarios (use sparingly)