Groups in Active Directory (AD) bring together users and devices that share common permissions, and access rights for easy management and efficient administration. Read on to learn how to create one.
Steps to create a group in AD:
- Launch the computer which has AD DS installed, go to “Start” and choose “Administrative tools”.
- Choose the tile that reads “Active directory Users and Computers”.
- Click on “Users” > “New” > “Group”.
- In the New object window that has opened, enter the specifications of the group in appropriate fields:
- Group Name: Specify the name of the group
- Group Description: Type in a description on the purpose of the group.
- Group Scope: Global/Domain Local/Universal based on need.
- Group Type: Select security or distribution based on need.
-
Click “OK”.
Using Powershell : New-ADGroup Cmdlet
Cmdlets in Powershell are lightweight commands in the form of mini-scripts that are deployed to perform specific functions such as creating or modifying AD groups, files and more. Cmdlets are named based on nouns that describe their functions and one such example is the New-ADGroup cmdlet which is used to create a new group in AD.
Lets walk through an example to understand how the New-ADGroup cmdlet works.
Creating a new group and specifying its desired properties
New-ADGroup -Name "GrowthMarketingGroup" -GroupScope Global -GroupCategory Security -Description "This group is for growth marketing department." -DisplayName "Growth Marketing Group" -HomePage "https://xyzcompany.com/growthmarketing" -ManagedBy "CN=User,OU=Managers,DC=corp,DC=com" -SamAccountName "GrowthMarketingGroup" -Path "OU=Groups,DC=ManageEngine,DC=com" -PassThru:$true -AuthType Negotiate -Credential $credentials -WhatIf -Confirm
Creating a new group using the properties of an existing group
You can also use an existing group as a template when creating a new group. This ensures that the new group inherits the same properties as the template group, instead of manually entering them. The Get-ADGroup cmdlet is used to retrieve the attributes of the existing object and it is passed to the instance parameter of the New-ADGroup. Unwanted parameters from the existing group, if any, can be overridden.
# Retrieve an existing group object using Get-ADGroup
$existingGroup = Get-ADGroup -Identity "ExistingGroup"
# Override specific properties of the new group as needed
New-ADGroup -Name "NewGroup" -GroupScope Global -GroupCategory Security -stance $existingGroup
We see that New-ADGroup Cmdlet consists of parameters, which define the properties group to be created. A description of parameters used in the New-AD group cmdlet is summarised below.
|
Parameter Name |
Data Type |
Function |
Acceptable values |
|
-Whatif |
SwitchParameter |
Allows users to preview the actions a cmdlet would take without actually executing the cmdlet to identify any potential untinteded consequences. |
None |
|
-AuthType |
ADAuthType |
Defines the method of authentication |
Negotiate or Basic |
|
-Confirm |
SwitchParameter |
Prompts confirmation from the user before the script excecution |
None |
|
-Credential |
PSCredential |
Sets the user’s credentials for task execution. |
Username and Password, by creating a PSCredential object through the Get -Credential cmdlet |
|
-Description |
String |
Specifies information about the group to be created |
A string of phrase(s) or sentence(s) describing the purpose of the group in brief |
|
-DisplayName |
String |
States how the name of the group is displayed. |
Human-readable title of the group as a string |
|
-GroupCategory |
ADGroupCategory |
States the type of group |
Distribution or Security |
|
-GroupScope |
ADGroupScope |
Defines where the group can be applied and eligibility of objects under the group |
DomainLocal or Global or Universal
|
|
-HomePage |
String |
States the URL of the home page of the object |
Address link of the webpage as a string |
|
-Instance |
ADGroup |
To create a new group using properties from an existing group as a template. |
None |
|
-ManagedBy |
ADPrincipal |
States the user or group in charge of managing the new group created |
UPN /GUID of the user’s account or GUID of the group |
|
-Name |
String |
Defines the name of the group |
GUID of the group |
|
-OtherAttributes |
|||
|
-PassThrough |
SwitchParameter |
Returns the newly created group object |
True if the object needs to be returned and false otherwise |
|
-Path |
String |
Defines the location of the group by stating the Organizational Unit [OU] and under which it is placed. Domain is represented as several Domain Components [DC] |
OU= Name of OU DC= Name of sub domain 1 DC = Name of subdomain2 |
|
-SamAccountName |
String |
States the Security Account Manager (SAM) account name of the group. |
Name of SAM as a string |
Creating ad groups: PowerShell vs. Manual – which method to choose?
- Using the manual method is beneficial for users who are unfamiliar with PowerShell scripting. Their progress and results of their actions are instantly shown for confirmation and further navigation, making it user-friendly.
- However, when performing advanced tasks that involve managing multiple groups simultaneously, it becomes time-consuming and tedious.
- Using powershell, such tasks are automated making it fit for large-scale AD environments. Nevertheless, Only systems with the Active Directory Domain Services role installed, can execute PowerShell scripts.
- If further attributes need to be added, the script must be redone and If more than one group is to be formed, a new script will be required.
- Maintaining accuracy in parameters and syntax, debugging of large-scripts, can be challenging.
The limitations of powershell can be overcome by a web-based GUI console, AD Manager Plus, that can be used to create, configure and manage users and groups in bulk, just in few clicks.
Check out a more detailed explanation in our article here 👇
https://www.windows-active-directory.com/active-directory-groups.html
For more such articles on Windows Server Management, visit our website 👇
https://www.windows-active-directory.com
To stay updated about industry trends and Active Directory best practices, subscribe to our monthly newsletter 👇
https://www.manageengine.com/active-directory-360/iamroundup-newsletter.html
#groups #security #distribution #activedirectory