How to Create Groups in Active Directory?

by | Oct 20, 2023 | Windows

create active directory group
Last Updated:
Creating groups in Active Directory (AD) is a foundational task for managing permissions, organizing users, and controlling access to network resources. This guide walks you through how to create and configure security or distribution groups using Active Directory Users and Computers (ADUC).

Step 1: Open Active Directory Users and Computers (ADUC)

  1. Click Start or press ⊞ Win.
  2. Go to Windows Administrative Tools.
  3. Select Active Directory Users and Computers.

Open Active Directory Users and ComputersNeed help launching ADUC? See full instructions here.

Step 2: Choose the Organizational Unit (OU)

  1. Right-click the target OU.
  2. Select New > Group.

Create group in selected OU

Step 3: Configure Group Properties

In the New Object – Group dialog box:

  • Group Name: Choose a consistent, descriptive name.
  • Group Scope:
    • Domain Local: For permissions within a single domain.
    • Global: For adding users across the same or trusted domains.
    • Universal: Best for forest-wide resources or multi-domain groups.
  • Group Type:
    • Security: Use to assign access permissions.
    • Distribution: Used for email distribution only.

New Object - Group dialog boxClick OK to create the group.

Step 4: Add Members to the Group

  1. Right-click the group and select Properties.
  2. Go to the Members tab.
  3. Click Add to include users or other groups.

Add members to AD group
User selection screen

Step 5: Assign Permissions to the Group

  1. Right-click a shared resource (folder, printer, etc.).
  2. Select Properties > Security tab.
  3. Add the group and configure access: Read, Write, or Full Control.

Security tab - group permissions
Permission settings

Best Practices for Group Management

  • Use naming conventions like HR_ReadOnly, IT_Admins.
  • Document the purpose and scope of each group.
  • Regularly audit group memberships and remove inactive accounts.
  • Apply Zero Trust Security principles when assigning permissions.

Frequently Asked Questions

What is the difference between a Security and a Distribution group?

A Security group is used to assign access to resources, while a Distribution group is used solely for sending emails to multiple users.

Can I change the group type after creation?

You can change from Distribution to Security, but not always the other way depending on scope and usage. It’s best to plan ahead.

Where should I create groups—in Users or an OU?

Always create groups within a dedicated Organizational Unit (OU) for easier delegation and structure.

Next: Add Users and Computers in Active Directory

Author: Waheed Burna — with over 15 years of experience in enterprise identity, access control, and infrastructure automation.

Related Articles

How to Install Windows Server 2022

How to Install Windows Server 2022

Windows Server 2022 is Microsoft’s latest long-term servicing channel (LTSC) release. It delivers multi-layered security, Azure hybrid integration,...