Create and Manage Active Directory Groups and OUs

Question 1

What is group nesting?

Answer 1

When a group is added as a member of another group.

Example: Global Groups into Universal Groups into Domain Local Groups

Question 2

What is Microsoft’s best practice in terms of AD Group structure?

Answer 2

The acronym AGUDLP can be used to remember Microsoft’s best practice structure

Accounts > Global Groups > Universal Groups > Domain Local Groups

Question 3

How do you convert groups in AD?

Answer 3

Within ADUC, navigate to a group’s Properties > General tab.

Under Group Scope, available options are displayed to convert to

Question 4

What are the membership restrictions, permissions that can be assigned, and available conversion options for Global Groups?

Answer 4

Membership:

• Accounts from the same domain as parent GG.
• GGs from the same domain as parent GG

Permissions can be assigned in any domain.

Can convert to Universal Groups only when GG is not a member of another GG.`

Question 5

What are the membership restrictions, permissions that can be assigned, and available conversion options for Universal Groups?

Answer 5

Membership:

• Accounts from any domain within the forest
• GGs from any domain within the forest
• UGs from any domain within the forest

Permissions can be assigned in any domain or forest.

Can be converted to a Domain Local Group or a GG. Can only convert to a GG if it is not a member of a UG.

Question 6

What are the membership restrictions, permissions that can be assigned, and available conversion options for Domain Local Groups?

Answer 6

Membership:

• Accounts from any domain
• GGs from any domain
• UGs from any domain
• DLGs from any domain

Permissions can be assigned only within the same domain as the parent DLG

Can be converted to UGs only if DLG doesn’t contain other DLGs

Question 7

How do you manage group membership using Group Policy?

Answer 7

Navigate to Group Policy Management > Domain > Default Domain Policy > right click, edit > Policies Windows Settings > Security Settings > Restricted Groups

This policy can be used to add members only to local groups.

Question 8

How do you enumerate group membership?

Answer 8

Enumeration (listing) of group members is done in PowerShell by typing:
Get-ADGroupMember

Question 9

How do you automate group membership management using PowerShell?

Answer 9

By using the New-ADUser, New-ADGroup, and Add-ADGroupMember cmdlets.

Question 10

What PowerShell command can be used to create a new AD User?

Answer 10

New-ADUser -Name “” -SamAccountName “ -Path “OU=,DC=,DC=COM”

Question 11

What PowerShell command can be used to create a new AD Group?

Answer 11

New-ADGroup -Name “” -SamAccountName -GroupCategory Security -GroupScope DomainLocal -Path “OU=,DC=,DC=COM

Question 12

What PowerShell command can be used to add members to a group?

Answer 12

Add-ADGroupMember ,,

Question 13

How do you delegate the creation and management of AD Groups and OUs?

Answer 13

Right click on OU > Delegate Control

Within the “Delegation of Control” wizard, on the Tasks to Delegate screen, different permissions can be assigned to groups/users.

Question 14

How do you create a new OU?

Answer 14

Within ADUC, right click on domain/OU > New > OU

Question 15

How do you create a new Group?

Answer 15

Within ADUC, right click on domain/OU > New > Group

Question 16

How do you delete OUs/Groups?

Answer 16

Right click on OU/Group > Delete

*Note: Protection from accidental deletion can be set to not allow the OU/Group to be deleted this way.

Question 17

How do you create an OU within PowerShell?

Answer 17

New-ADOrganizationalUnit -Name -Path “DC=,DC=COM”