0/1 Lessons

Course Introduction

• 1min

0 / 1 lessons complete

Getting Started with Active Directory Domain Services

• 52min

0 / 6 lessons complete

Introduction to Active Directory Users & Computers

• 1hr 27min

0 / 10 lessons complete

Adding a Second Domain Controller

• 1hr 31min

0 / 7 lessons complete

Active Directory Backups

• 1hr 24min

0 / 5 lessons complete

How to Administrate Active Directory with Windows PowerShell

• 1hr 58min

0 / 7 lessons complete

Administrating AD SS (Active Directory Sites and Services)

• 1hr 3min

0 / 5 lessons complete

Active Directory Trusts

• 54min

0 / 5 lessons complete

Modifying the Active Directory Schema

• 43min

0 / 3 lessons complete

Course Conclusion

• 2min

0 / 1 lessons complete

Understanding Groups and Memberships


Q&A (0)

Notes (0)

Resources (0)

Saving Progress...


There are no resources for this lesson.

Notes can be saved and accessed anywhere in the course. They also double as bookmarks so you can quickly review important lesson material.

Create note

Understanding Groups and Memberships in Active Directory

Active Directory groups and memberships are one of those things you MUST understand in order to administer Active Directory.

At a high level, Active Directory groups are collections of AD Objects. A group’s members can contain users, computers, other groups and more.

Let’s get started!

Create Group in ADUC

To create a group in Active Directory right-click on your desired OU and select New > Group:

The New Object - Group window will appear. 

Group Name

Now you need to specify the Group Name. This is the name that will be displayed for the group in Active Directory.

Group Name (pre-Windows 2000)

This will automatically populate the pre-windows 200 group name as well. As the name implies this name is compatible with older versions of Windows Server and is limited to 20 characters.

I am going to name my group “Test Group”

Group Type

There are two types of groups in Active Directory:

  • Security
  • Distribution


A security group in Active Directory is used to assign permissions to resources with Group Policy.


A distribution group in Active Directory is used to create email distribution lists.

We are going to use a Security group in this lesson.

Group Scope

For the group scope, we have three options:

  • Domain Local
  • Global
  • Universal

The scope generally only comes into play when you dealing with multiple domains and trusts. If you are in a single domain environment, nine times out of ten you are going to be fine picking a Global scope. We will still cover the differences here however.

The difference between these comes down to the possible members, memberships of the group, scope conversion (for example, can you change from Global to Universal) and grantable permissions.

If you want to see Microsoft’s documentation on this subject then it can be found here. I’m going to the simplest breakdown for you that I can below:

ScopePossible Membership ofGrant PermissionsScope ConversionPossible Members
Domain Local-Domain local groups-Within the same domain-To Universal (if no domain local members)-AD Accounts-Local groups-Global groups-Universal groups
^^ from the same domain, trusted domain, other forests and external domains.
Global-AD Accounts-Global groups
-Any domain in the same forest-Trusting domains and forests
-To Universal (if not a member of another global group)-AD Accounts-Other global groups
^^ from the same domain
Universal-Universal Groups
^^ Same Forest
-Domain Local groups-Local Groups (computer local not domain)
^^ Same forest or trusting forests
-Any domain in the same forest-Trusting domains and forests-To Domain Local (if not a member of other universal group)-To Global (if does not contain other Universal Group as a member)-AD Accounts-Global Groups-Universal Groups
^^ From any domain in the same forest

In our scenario, we are going to use Global because we are working in a single domain environment and we have no need to add users from other domains or forests.

Creating a group

Once you configued the settings, go ahead and click OK to create the group:

Now you should see the AD Group listed in the Active Directory OU that you created it:

Group Properties

Right-click the group and select Properties:

General Properties

From the General tab, you can convert the group or modify its general information. Click the Members tab.

Delete or add Group Members

Click the Members tab. From here you can see all of the members (if any) of this Active Directory group. Right now there are no members, so let’s add a member by clicking the Add button:

Now you can search for and add your desired user. I am going to use my user account which is “paul.hill”:

Server Academy Members Only

Sorry, this lesson is only available to Server Academy Full Access members. Become a Full-Access Member now and you’ll get instant access to all of our courses.

5 2 votes
Lesson Rating
Notify of
profile avatar
Newest Most Voted
Inline Feedbacks
View all comments

profile avatar
10 months ago

where is the link for rsat?

profile avatar
Ricardo P(@ricardop)
Reply to  jerry.ebanks
10 months ago