Step 6 — Create Security Groups

In this step, you will create security groups and assign users to them. Group membership is how access is granted in Active Directory.

This is one of the most important concepts in real-world AD environments.

How access actually works

In production, users are placed into groups, and groups are granted access to resources. Users should almost never be assigned permissions directly.

1. Create a Centralized _Groups OU

Unlike users and computers, groups are typically stored in a centralized location rather than inside branch OUs.

  1. Open Active Directory Users and Computers
  2. Right-click the domain root (e.g., lab.local)
  3. Select New → Organizational Unit
  4. Name the OU _Groups
  5. Ensure Protect container from accidental deletion is checked
  6. Select OK

2. Create the Helpdesk Group

  1. Right-click the _Groups OU
  2. Select New → Group
  3. Group name: Helpdesk
  4. Group scope: Global
  5. Group type: Security
  6. Select OK

3. Create Additional Groups

Repeat the same process to create the following global security groups:

  • Accounting
  • ITSupport

4. Verify Group Creation

  • Confirm all groups exist inside the _Groups OU
  • Open a group to verify scope and type

Why Global Security Groups?

Global security groups are commonly used to represent roles or departments, such as Helpdesk or Accounting.

These groups typically contain user accounts and are later nested into resource-specific groups.

5. Add Users to Groups (GUI)

Assign users to groups based on their role.

Add Alice Johnson to Helpdesk

  1. Open the Helpdesk group
  2. Select the Members tab
  3. Select Add
  4. Add user ajohnson
  5. Select OK

Add Remaining Users

  • Add bmartinez to Accounting
  • Add cwalker to ITSupport

6. Verify Group Membership

  • Open each group and confirm correct membership
  • Group membership changes take effect immediately

PowerShell Equivalent (Optional)

The same tasks can be completed using PowerShell.

# Requires the ActiveDirectory module (RSAT); the _Groups OU must already exist
Import-Module ActiveDirectory

$groupsOU = "OU=_Groups,DC=lab,DC=local"

# Create the three global security groups inside the _Groups OU
New-ADGroup -Name "Helpdesk" -GroupScope Global -GroupCategory Security -Path $groupsOU
New-ADGroup -Name "Accounting" -GroupScope Global -GroupCategory Security -Path $groupsOU
New-ADGroup -Name "ITSupport" -GroupScope Global -GroupCategory Security -Path $groupsOU

# Add each user to the group that matches their role
Add-ADGroupMember -Identity "Helpdesk" -Members ajohnson
Add-ADGroupMember -Identity "Accounting" -Members bmartinez
Add-ADGroupMember -Identity "ITSupport" -Members cwalker

Important Notes

  • Users gain access through group membership
  • Groups are typically centralized, not branch-based
  • This structure supports clean scaling and delegation

Checkpoint

  • _Groups OU exists at the domain root
  • Three global security groups exist
  • Each user belongs to the correct group
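
The checkpoint can also be checked from PowerShell. The read-only script below is an added example, not part of the original guide; it assumes the lab.local domain, the group names and user logon names used in the steps above, and the ActiveDirectory module (RSAT). The Add-Check helper is a name made up for this example.

```powershell
# Added example: verifies the Step 6 checkpoint. Read-only; changes nothing in AD.
Import-Module ActiveDirectory

$groupsOU = "OU=_Groups,DC=lab,DC=local"   # lab domain used in this guide
# Expected group -> direct members, taken from the steps above
$expected = [ordered]@{
    Helpdesk   = @("ajohnson")
    Accounting = @("bmartinez")
    ITSupport  = @("cwalker")
}

# Hypothetical helper for this example: one result row per check
function Add-Check($Check, $Pass) { [pscustomobject]@{ Check = $Check; Pass = [bool]$Pass } }
$results = @()

# 1. The _Groups OU exists at the domain root and is protected from deletion
try {
    $ou = Get-ADOrganizationalUnit -Identity $groupsOU `
        -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop
    $results += Add-Check "_Groups OU exists" $true
    $results += Add-Check "_Groups OU protected from deletion" $ou.ProtectedFromAccidentalDeletion
} catch {
    $results += Add-Check "_Groups OU exists" $false
}

foreach ($name in $expected.Keys) {
    try { $g = Get-ADGroup -Identity $name -ErrorAction Stop }
    catch { $results += Add-Check "$name exists" $false; continue }

    # 2. Scope, type and location match what the steps specify
    $results += Add-Check "$name is Global / Security" `
        ($g.GroupScope -eq "Global" -and $g.GroupCategory -eq "Security")
    $results += Add-Check "$name is stored in _Groups" `
        ($g.DistinguishedName -eq "CN=$name,$groupsOU")

    # 3. Direct membership is exactly the expected users: none missing, none extra
    $actual  = @(Get-ADGroupMember -Identity $g | Select-Object -ExpandProperty SamAccountName)
    $missing = @($expected[$name] | Where-Object { $actual -notcontains $_ })
    $extra   = @($actual | Where-Object { $expected[$name] -notcontains $_ })
    $results += Add-Check "$name membership matches" ($missing.Count -eq 0 -and $extra.Count -eq 0)
    if ($extra.Count) { Write-Warning "$name has unexpected members: $($extra -join ', ')" }
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { Write-Warning "Checkpoint not met; review the failed checks." }
```

The unexpected-member warning is the check most worth keeping after the lab: extra accounts in a role group receive every permission later granted to that group.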

If this looks correct, you’re ready to start joining computers to the domain.