
Active Directory Group Object Management

What you will learn from this article:      

Active Directory is a directory service that organizations use to organize their resources. An Active Directory network is composed of elements called Active Directory objects, each of which represents a resource that is part of the network. There are several types of objects, such as users, computers, printers, and more. In this article, we look at what an Active Directory Group object is, what its properties are, and how you can create, delete, and modify a group object.

What is an Active Directory Group Object?    

As the name suggests, this object represents a group. In AD, a group is an object that can contain a collection of users, computers, contacts, or even other groups as members. Groups reduce the administrative burden of managing permissions.

For example, suppose 100 employees in an organization need access to a printer. Instead of assigning the permission to each user individually (which is time-consuming and error-prone), the system administrator can put those users in a group and assign the permission to the group.

Active Directory Group Types and Group Scopes 

Group Types  

Group type categorizes groups based on the kind of task the group is used for. There are two types of groups in AD: security groups and distribution groups. Security groups are created to control permissions for access to resources. Distribution groups are used for sending email messages to groups of users.

Group Scopes  

The group scope in AD defines the extent to which a group can be applied in a forest. Group scopes are of three types in AD.

Domain local – Groups with this scope are used to grant access within a single domain. These groups can have the following members: user and computer accounts, global groups, and universal groups from any domain. Domain local groups are typically used to manage resources within a domain.

Global – This group can have the following members: accounts or global groups from the same domain as the parent global group. Global groups are suited to managing objects that undergo frequent changes, because changes made to global group objects are not replicated outside the domain, which keeps replication traffic under control.

Universal – Membership in this group is open to accounts, global groups, and other universal groups from anywhere in the forest in which the universal group resides, and the group can be granted access to resources in trusted domains. Universal groups are used where users from multiple domains have to be consolidated into a single group.

Creating a Group Object    

  • Start -> Administrative Tools -> Active Directory Users and Computers console.
  • Right-click on the container in the console tree where the group should be created.
  • From the menu that pops up, choose the option New.
  • On choosing New, another menu pops up with a list of object types; from that, choose Group.
  • An object creation wizard appears, as shown in the figure below. Enter a name for the group and choose a group scope.
  • After you have configured the group, click OK.
  • On clicking OK, the object is created and can be located in the ADUC console tree in its respective container.

Figure: Creating a new Group Object

Deleting a Group Object   

  • Open Active Directory Users and Computers and right-click on the group object you intend to delete.
  • From the menu that pops up, choose the option Delete.
  • The object is deleted from Active Directory and no longer appears in the console tree.

Figure: Deleting a Group Object in Active Directory

Modifying a Group Object

  • Open Active Directory Users and Computers and right-click on the group object you intend to modify.
  • From the shortcut menu that pops up, choose the option Properties.
  • A Group Object Properties dialogue box appears with various tabs.
  • Navigate through the tabs and make the necessary changes.
  • Click Apply and then OK.
  • The modifications are then saved to the object.

Figure: Modifying a Group Object in Active Directory
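The same create, modify and delete lifecycle can be scripted with the ActiveDirectory PowerShell module, which is useful when the steps above have to be repeated for many groups or recorded for audit. The following is an added example and is not code from the original article; the OU path, group name, member names and manager are constructed values that you would replace with your own, and it assumes RSAT and rights on the target OU.

```powershell
# Added example (not from the original article): create, modify and delete
# a group object with the ActiveDirectory module instead of the ADUC console.
# The OU path, group name, members and manager below are constructed values.
Import-Module ActiveDirectory

$ou        = 'OU=Groups,DC=example,DC=com'   # assumption: target container
$groupName = 'PrinterUsers'                   # constructed group name

# Create. -GroupScope corresponds to the scope chosen in the wizard
# (DomainLocal | Global | Universal) and -GroupCategory to the group type
# (Security | Distribution). Only a Security group can be granted permissions.
New-ADGroup -Name $groupName `
            -SamAccountName $groupName `
            -GroupScope DomainLocal `
            -GroupCategory Security `
            -Path $ou `
            -Description 'Grants access to the 3rd-floor printer'

# Modify. Tabs of the Properties dialogue map to attributes you can set with
# Set-ADGroup; the Members tab is handled by the *-ADGroupMember cmdlets.
Set-ADGroup -Identity $groupName `
            -Description 'Grants print access, 3rd floor' `
            -ManagedBy 'jdoe'                        # constructed manager account
Add-ADGroupMember -Identity $groupName -Members 'alice', 'bob'   # constructed users

# Verify what was written before relying on the group for access control.
Get-ADGroup -Identity $groupName -Properties Description, ManagedBy |
    Select-Object Name, GroupScope, GroupCategory, Description, ManagedBy
Get-ADGroupMember -Identity $groupName |
    Select-Object SamAccountName, objectClass

# Delete. Record the membership first so the change is auditable and can be
# reversed; -Confirm:$false suppresses the interactive prompt.
Get-ADGroupMember -Identity $groupName |
    Select-Object -ExpandProperty DistinguishedName |
    Out-File -FilePath "$env:TEMP\$groupName-members-before-delete.txt"
Remove-ADGroup -Identity $groupName -Confirm:$false
```

Run each stage separately when trying this against a lab domain; the verification step after the modifications is the one worth keeping in any real script, since a group with the wrong scope or category silently fails to grant the access you expect.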

Mandatory Attributes of a Group Object 

Every object has a set of mandatory and optional attributes. Values for the mandatory attributes must be supplied for the object to be created successfully. For example, the mandatory attributes of a group object are groupType, cn, objectCategory, objectClass, and sAMAccountName; the cn and sAMAccountName attributes are unique across a domain and are used to identify the object uniquely within it.

To view the mandatory attributes of the group object:

  • Right-click on the group object in the ADUC console.
  • A dialogue box appears. In it, choose the Attribute Editor tab.
  • In the Attribute Editor tab, click on the Filter button.
  • On clicking the Filter button, a submenu with a list of attribute types pops up.
  • From that menu, choose Mandatory.
  • The mandatory attributes of the group object (cn, objectCategory, objectClass, sAMAccountName, groupType) and their values are then displayed.

The group object properties dialogue box can be used to change or add property values of the group object. To open it, right-click on the group object and choose "Properties". The various attributes are categorized under different tabs based on their function.
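The mandatory attributes listed above can also be read with PowerShell, and the groupType value, which the Attribute Editor shows only as a raw integer, can be decoded into the scope and type discussed earlier. This is an added example, not code from the original article: the group name is constructed, and the flag constants are the documented ADS_GROUP_TYPE_ENUM values (0x2 global, 0x4 domain local, 0x8 universal, 0x80000000 security-enabled).

```powershell
# Added example (not from the original article): read the mandatory
# attributes of a group object and decode groupType into scope and type.
# The group name is a constructed value.
Import-Module ActiveDirectory

# ADS_GROUP_TYPE_ENUM flag values (decimal so they stay unsigned in PowerShell)
$ADS_GROUP_TYPE_GLOBAL_GROUP       = 2          # 0x00000002
$ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 4          # 0x00000004
$ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 8          # 0x00000008
$ADS_GROUP_TYPE_SECURITY_ENABLED   = 2147483648 # 0x80000000

function Get-GroupTypeInfo {
    param([Parameter(Mandatory)][int64]$GroupType)
    # groupType is stored as a signed 32-bit integer, so security groups show
    # a negative value (e.g. -2147483646 = global security, -2147483644 =
    # domain local security, -2147483640 = universal security, 2 = global
    # distribution). Mask to 32 unsigned bits before testing the flags.
    $flags = [uint32]($GroupType -band 0xFFFFFFFF)

    $scope = 'Unknown'
    if (($flags -band $ADS_GROUP_TYPE_GLOBAL_GROUP) -ne 0)       { $scope = 'Global' }
    elseif (($flags -band $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP) -ne 0) { $scope = 'DomainLocal' }
    elseif (($flags -band $ADS_GROUP_TYPE_UNIVERSAL_GROUP) -ne 0)    { $scope = 'Universal' }

    $category = if (($flags -band $ADS_GROUP_TYPE_SECURITY_ENABLED) -ne 0) { 'Security' } else { 'Distribution' }

    [pscustomobject]@{
        GroupType = $GroupType
        Scope     = $scope
        Category  = $category
    }
}

$groupName = 'PrinterUsers'   # constructed group name
$mandatory = 'cn', 'objectCategory', 'objectClass', 'sAMAccountName', 'groupType'

# Equivalent of Attribute Editor -> Filter -> Mandatory for this group.
$group = Get-ADGroup -Identity $groupName -Properties $mandatory
$group | Select-Object $mandatory | Format-List

# Decode the raw groupType integer into something a reviewer can read.
Get-GroupTypeInfo -GroupType $group.groupType

# Review all security-enabled groups in a container: only these can carry
# permissions, so they are the ones worth checking during an access review.
Get-ADGroup -Filter * -SearchBase 'OU=Groups,DC=example,DC=com' -Properties groupType |   # assumed OU
    ForEach-Object { $_ | Select-Object Name, @{n='Decoded'; e={ Get-GroupTypeInfo -GroupType $_.groupType }} } |
    Where-Object { $_.Decoded.Category -eq 'Security' } |
    Select-Object Name, @{n='Scope'; e={ $_.Decoded.Scope }}
```

Get-GroupTypeInfo is the part worth keeping: the Attribute Editor and most LDAP tools display groupType as a bare integer, and decoding it is how you confirm that a group really is security-enabled and has the scope the creation wizard was meant to set.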

