Active Directory with PowerShell

Chapter 3. Working with Active Directory Groups and Memberships

In the previous chapter, you learned about managing user and computer objects using PowerShell. Now let's discuss how to manage Active Directory groups and their memberships.

In this chapter, we will see how to perform the following operations in Active Directory using PowerShell cmdlets:

  • Creating domain local, global, and universal security groups
  • Searching for and modifying group object information
  • Adding groups, user accounts, and computer accounts as members of security groups
  • Listing the members of a security group in Active Directory
  • Removing user or computer accounts from groups
  • Removing groups from groups
  • Deleting AD groups

To start with, let's recall some basic concepts about Active Directory groups and their memberships.

What is a group? A group is a collection of Active Directory objects such as user accounts, computer accounts, and other groups. Active Directory groups fall into two categories: security groups and distribution lists/groups (DL). A security group can be used to grant permissions to resources in a network, for example share permissions, New Technology File System (NTFS) permissions, and printer permissions. A DL is an e-mail-enabled group that lets information be sent by e-mail to a set of people at once. Security groups can be mail-enabled and used as a DL, and vice versa.

Both categories of group are further characterized by a scope, which identifies the extent to which the group applies within a domain tree or forest. In other words, the scope of a group determines whether it can have members from the same domain, from other domains, or from other forests. Active Directory offers three scopes, and they apply to both categories of group: universal, global, and domain local.
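As an added illustration of scope and category as group attributes (this is example code, not from the book), the following script creates one security group of each scope and then reports how many groups of each scope and category exist. It assumes the ActiveDirectory module is installed and uses a constructed placeholder OU path.

```powershell
# Added example (not from the book): create one security group per scope and
# then audit the groups by scope and category. Requires the ActiveDirectory
# module (RSAT) and rights to create objects in the target OU.
Import-Module ActiveDirectory

# Constructed placeholder: replace with an OU in your own domain.
$targetOu = 'OU=Groups,DC=example,DC=com'

# Scope controls where members may come from; category controls whether the
# group can carry permissions (Security) or is mail-only (Distribution).
$groups = @(
    @{ Name = 'FileShare_RW_DL';    Scope = 'DomainLocal'; Category = 'Security' } # holds permissions on resources in this domain
    @{ Name = 'Finance_Users_GG';   Scope = 'Global';      Category = 'Security' } # members from this domain only
    @{ Name = 'AllSites_Admins_UG'; Scope = 'Universal';   Category = 'Security' } # members from any domain in the forest
)

foreach ($g in $groups) {
    # Skip groups that already exist so the script is safe to re-run.
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Name)'")) {
        New-ADGroup -Name $g.Name -SamAccountName $g.Name `
                    -GroupScope $g.Scope -GroupCategory $g.Category `
                    -Path $targetOu -Description "Created by script on $(Get-Date -Format s)"
    }
}

# Audit: count the groups under the OU by scope and category. Reviewing this
# regularly helps spot permission-bearing groups created with an unexpected scope.
Get-ADGroup -Filter * -SearchBase $targetOu -Properties GroupScope, GroupCategory |
    Group-Object GroupScope, GroupCategory |
    Select-Object Count, Name |
    Sort-Object Name
```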

Note

Note that, because distribution groups are used for e-mail and, most importantly, by Microsoft Exchange, we limit our discussion to security groups in this chapter. The approaches described here apply to distribution groups as well. However, the PowerShell cmdlets provided by Microsoft Exchange are better suited to managing distribution groups. You may want to refer to the group cmdlets listed on the TechNet page at http://technet.microsoft.com/en-us/library/bb124233%28v=exchg.150%29.aspx.

In a Windows environment, Active Directory security groups play an important role. Using groups to delegate or grant permissions scales far better than granting permissions to individual user or computer accounts. For these reasons, the number of group membership changes made in any organization on a day-to-day basis is very high. Since this is one of the tedious tasks every Windows system administrator has to perform daily, it is important to understand how to automate it as far as possible.