How to Manage Users and Groups in Active Directory: A Complete Guide

Last update: 15/04/2025
Author Isaac
  • Active Directory allows you to centrally manage users, groups and computers
  • There are different types and scopes of groups for specific purposes
  • Accounts can be managed from the GUI, the command line or PowerShell
  • Proper use of OUs and delegation improves organization and security


Active Directory (AD) is one of the essential tools for managing business environments built on Windows systems. This service allows you to centrally control users, groups, computers, and other network resources.

Understanding how to manage users and groups in AD is essential for any system administrator. From basic tasks like creating user accounts to advanced configuration using PowerShell or the command line, this guide covers everything you need to know for secure and efficient management.

Organizational structure in Active Directory

Before you start manipulating users or groups, you need to establish an Organizational Unit (OU) structure. These units act as logical containers that help organize and manage domain objects, such as user accounts, computers, or groups, in a hierarchical manner.

The OUs reflect the real organization of the company, whether by department, geographic location, or specific function. Thanks to them, more specific group policies can also be applied. In addition, it is possible to delegate administration of an OU to a user or group, so that only certain administrators can manage that subset of resources. For more information about managing GPOs, see How to manage GPOs in PowerShell.

Types and scopes of groups in Active Directory

In AD there are several types of groups and scope definitions that determine how they can be used:

  • Global Groups: They are typically used to group users who perform a similar function within an organization (such as a department).
  • Domain Local Groups: They are used to assign permissions to resources within the domain.
  • Universal Groups: They can group users and groups from any domain within the forest, ideal for multi-controller or multi-forest environments.

Apart from the scope, we must also distinguish between:

  • Security groups: They allow you to assign permissions to resources and contain a SID (Security Identifier).
  • Distribution groups: They do not have SIDs and are geared toward email distribution, typically in Exchange environments.

Creating and managing user accounts


User account management is one of the most common and critical tasks in AD. It can be performed through graphical tools such as Active Directory Users and Computers (ADUC) or the Active Directory Administrative Center (ADAC), as well as via the command line or PowerShell. To learn more about installing these tools, you can follow this guide on installing Active Directory Users and Computers on Windows 10.

To create a user account from the graphical interface:

  1. Open the ADUC tool.
  2. Select the appropriate OU.
  3. Right-click > New > User.
  4. Complete the required fields such as name, password, and account settings.

Logon restrictions can also be set: allowed logon hours, the specific computers the user may log on to, and even roaming profiles.

A useful function is the ability to copy an existing account, which speeds up the creation of multiple accounts with similar settings (group members, policies, schedules, etc.).
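The following is an added example, not code from the original article, showing the scripted equivalent of "copy an existing account": it reads a template account and creates several users from a constructed CSV with the same attributes and group memberships. It assumes RSAT's ActiveDirectory module, a domain corp.example with an OU=Sales container, and a hypothetical disabled template account named tmpl.sales.

```powershell
# Added example (not from the article): create users from a template account.
# Assumptions: ActiveDirectory module, domain corp.example, OU=Sales,
# and a hypothetical template account tmpl.sales.
Import-Module ActiveDirectory

$targetOu  = 'OU=Sales,DC=corp,DC=example'
$upnSuffix = 'corp.example'

# Attributes to carry over. MemberOf is read separately because -Instance
# copies attributes, not group memberships.
$template = Get-ADUser -Identity 'tmpl.sales' `
    -Properties Department, Title, Company, Office, MemberOf

# Constructed sample input; in practice this is Import-Csv on an HR export.
$newHires = @'
GivenName,Surname,SamAccountName
Jane,Doe,jdoe
Luis,Perez,lperez
'@ | ConvertFrom-Csv

foreach ($hire in $newHires) {
    # 20 random printable ASCII characters as a one-time initial password.
    $plain  = -join ((33..126 | ForEach-Object { [char]$_ }) | Get-Random -Count 20)
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    $params = @{
        Name                  = "$($hire.GivenName) $($hire.Surname)"
        GivenName             = $hire.GivenName
        Surname               = $hire.Surname
        SamAccountName        = $hire.SamAccountName
        UserPrincipalName     = "$($hire.SamAccountName)@$upnSuffix"
        Path                  = $targetOu
        Instance              = $template   # copies Department, Title, Company, Office
        AccountPassword       = $secure
        ChangePasswordAtLogon = $true       # same effect as dsmod user -mustchpwd yes
        Enabled               = $true
    }
    New-ADUser @params

    # Replicate the template's group memberships (not copied by -Instance).
    foreach ($groupDn in $template.MemberOf) {
        Add-ADGroupMember -Identity $groupDn -Members $hire.SamAccountName
    }

    # Hand $plain to the person through a separate channel; never write it to a log.
    Write-Output "Created $($hire.SamAccountName) in $targetOu"
}
```

Keeping the template account disabled means it can never be used to log on; it only exists to be copied, which is the same reason ADUC's copy function is usually pointed at a dedicated template rather than a real employee.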

Modify user accounts

Modifying an existing account is easy through the graphical interface:

  • Change name or password.
  • Assign or remove groups.
  • Set special permissions.
  • Activate or deactivate accounts as needed.

From the command line, you can use tools like dsmod to change passwords, force a change at the next logon (dsmod user <user_dn> -mustchpwd yes), or disable an account temporarily. For details on managing disks and other objects from the command line, see this complete guide on disk management in CMD.

To delete an account, you can use dsrm <user_dn>. It is important to know that when an account is deleted, its associated permissions are lost: a new user, even with the same name, will have a different SID.
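As an added example (not from the article), the same modifications done with the ActiveDirectory module, ending with the SID caveat above: the SID and GUID are recorded before deletion so that orphaned ACL entries can later be traced back to the account. It assumes a user jdoe, an OU=Disabled container in corp.example, and RSAT installed.

```powershell
# Added example (not from the article): modify, disable and delete a user
# with the ActiveDirectory module. Assumes user jdoe and OU=Disabled in corp.example.
Import-Module ActiveDirectory

# Force a password change at next logon (equivalent of dsmod user -mustchpwd yes).
Set-ADUser -Identity 'jdoe' -ChangePasswordAtLogon $true

# Reset the password; Read-Host keeps the new value out of the command history.
Set-ADAccountPassword -Identity 'jdoe' -Reset `
    -NewPassword (Read-Host -AsSecureString -Prompt 'New password for jdoe')

# Disable instead of deleting while the account is still under review, and
# park it in a dedicated OU so it is not mistaken for an active user.
Disable-ADAccount -Identity 'jdoe'
Move-ADObject -Identity (Get-ADUser -Identity 'jdoe').DistinguishedName `
    -TargetPath 'OU=Disabled,DC=corp,DC=example'

# Before deleting, record the SID, GUID and groups: ACLs that still reference
# the SID will show it as orphaned, and a recreated "jdoe" gets a new SID.
$user = Get-ADUser -Identity 'jdoe' -Properties MemberOf
[pscustomobject]@{
    SamAccountName = $user.SamAccountName
    SID            = $user.SID.Value
    ObjectGUID     = $user.ObjectGUID
    Groups         = ($user.MemberOf -join ';')
    DeletedOn      = (Get-Date).ToString('s')
} | Export-Csv -Path '.\deleted-accounts.csv' -Append -NoTypeInformation

# Equivalent of dsrm <user_dn>. If the AD Recycle Bin feature is enabled,
# Restore-ADObject -Identity $user.ObjectGUID brings the object back with its original SID.
Remove-ADUser -Identity 'jdoe' -Confirm:$false
```

The disable-then-delete sequence is the usual way to avoid the SID problem in practice: a disabled account keeps its SID, so re-enabling it restores every permission intact, whereas deletion is irreversible unless the Recycle Bin feature is turned on.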

Join computers to the domain

For a computer to be part of a domain, it must:

  1. Configure the network adapter to use the domain controller's DNS.
  2. Establish connection to the domain's DNS server.
  3. Verify connectivity by pinging the controller's FQDN.

Once this is done, simply go to System Configuration (Win + Pause), change the computer name properties, and add it to the domain. You'll be asked for credentials for an account with permissions, typically the domain administrator.

Managing Computer Accounts in AD

Computers are also objects within AD and can be created manually or automatically when a computer joins the domain. Like user accounts, they can be added to groups.

From the command line you can use:

  • dsadd computer <computer_dn> to add a computer.
  • dsmod computer <computer_dn> -disabled yes|no to disable or enable it.
  • dsmod computer <computer_dn> -reset to reset a computer account.
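Since computer accounts are objects like any other, they accumulate in the same way stale user accounts do. The following added example (not from the article) finds computer accounts that have not authenticated for 90 days, disables them and moves them to a quarantine OU, leaving a note in the description. It assumes the ActiveDirectory module, an OU=Quarantine container in corp.example, and that 90 days is the site's chosen threshold.

```powershell
# Added example (not from the article): sweep inactive computer accounts.
# Assumptions: ActiveDirectory module, OU=Quarantine in corp.example, 90-day threshold.
Import-Module ActiveDirectory

$quarantine = 'OU=Quarantine,DC=corp,DC=example'
$inactive   = [TimeSpan]::FromDays(90)

# Search-ADAccount evaluates lastLogonTimestamp, which replicates with a
# granularity of up to 14 days: good enough for a sweep, not for forensics.
$stale = Search-ADAccount -AccountInactive -TimeSpan $inactive -ComputersOnly |
    Where-Object { $_.Enabled }

foreach ($computer in $stale) {
    $note = 'Disabled {0:yyyy-MM-dd}: no logon since {1:yyyy-MM-dd}' -f (Get-Date), $computer.LastLogonDate

    # Description is visible in ADUC, so the next administrator sees why it was disabled.
    Set-ADComputer -Identity $computer.DistinguishedName -Description $note
    Disable-ADAccount -Identity $computer.DistinguishedName
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $quarantine
}

# Summary for the change record (DistinguishedName shows the original location).
$stale | Select-Object Name, LastLogonDate, DistinguishedName | Format-Table -AutoSize
```

A machine that turns out to be merely on long leave is recovered with Enable-ADAccount, or, if its secure channel has broken in the meantime, by resetting the account (dsmod computer -reset) and rejoining it to the domain.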

Creating and managing groups

Groups are essential for managing permissions and policies. Creating them correctly improves security and reduces complexity.

Creating groups from ADUC or ADAC is simple: choose the name, scope (global, domain local, or universal), and type (security or distribution). For more details on how to integrate security and distribution groups, you can read The reason why local groups are not included in Windows 10.

Tools like dsadd group, dsmod group and PowerShell with New-ADGroup allow these tasks to be automated in larger environments.

Once created, you can:

  • Add or remove members: users, computers or even other groups.
  • Modify its type or scope, although with limitations in mixed domains.
  • Assign permissions to shared resources, GPO policies, etc.

Manage group memberships

From the Member Of tab you can see all the groups a user belongs to. This option is useful for auditing or verifying access.

Also, from a group, you can go to the Members section and add multiple users, computers, or subgroups using the right-click menu and the corresponding option.

In bulk, PowerShell and commands like dsmod group -addmbr allow you to add multiple members automatically.
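The following added example (not code from the article) serves both this section and the previous one on creating groups: it creates a global security group for a role, a domain local security group for a resource permission, a distribution group for mail, nests the role group into the resource group (the pattern the scope descriptions above imply), and then audits membership from both the user's side (the Member Of tab) and the group's side. It assumes the ActiveDirectory module, an OU=Groups container in corp.example, and existing accounts jdoe, lperez and a computer ws01.

```powershell
# Added example (not from the article): create, nest and audit groups.
# Assumptions: ActiveDirectory module, OU=Groups in corp.example, users jdoe and
# lperez, computer ws01. Group names follow a hypothetical Role-/ACL-/DL- convention.
Import-Module ActiveDirectory

$groupOu = 'OU=Groups,DC=corp,DC=example'

# Global security group: the "who" (a department or role).
New-ADGroup -Name 'Role-Sales' -SamAccountName 'Role-Sales' -GroupScope Global `
    -GroupCategory Security -Path $groupOu -Description 'Sales department staff'

# Domain local security group: the "what" (one permission on one resource).
New-ADGroup -Name 'ACL-SalesShare-Modify' -SamAccountName 'ACL-SalesShare-Modify' `
    -GroupScope DomainLocal -GroupCategory Security -Path $groupOu `
    -Description 'Modify on \\fs01\Sales (hypothetical share)'

# Distribution group: mail only; it has no SID and cannot appear in an ACL.
New-ADGroup -Name 'DL-Sales' -SamAccountName 'DL-Sales' -GroupScope Universal `
    -GroupCategory Distribution -Path $groupOu

# People and computers go into the role group; the role group goes into the
# resource group, so the ACL on the share never has to change when staff do.
Add-ADGroupMember -Identity 'Role-Sales' -Members 'jdoe', 'lperez', 'ws01$'
Add-ADGroupMember -Identity 'ACL-SalesShare-Modify' -Members 'Role-Sales'

# Scope can be changed later (e.g. Global -> Universal) as long as the group is
# not itself a member of another global group.
Set-ADGroup -Identity 'DL-Sales' -Description 'Sales mailing list'

# User side (what the Member Of tab shows): direct memberships only.
Get-ADPrincipalGroupMembership -Identity 'jdoe' |
    Select-Object Name, GroupScope, GroupCategory

# Group side: -Recursive expands nested groups down to the leaf accounts, which
# is what actually ends up in a token when the share's ACL is evaluated.
Get-ADGroupMember -Identity 'ACL-SalesShare-Modify' -Recursive |
    Select-Object SamAccountName, objectClass
```

The two audit calls answer different questions: Get-ADPrincipalGroupMembership lists only direct memberships, so for "who can really modify this share" the recursive query from the group side is the one to trust.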

Manage multiple objects simultaneously

At ADUC, you can select multiple users and apply common changes to all of them (for example, changing a description or adding them to a group). This reduces user creation and maintenance time in companies with high turnover or seasonal hiring.


Using the command line and PowerShell

For advanced administrators, or in environments with hundreds of objects, PowerShell and command-line tools are essential. Some common actions include:

  • dsquery: Search for objects (users, groups, computers, OUs, etc.).
  • dsadd: Create objects.
  • dsmod: Modify existing objects.
  • dsrm: Delete objects from AD.

PowerShell, for its part, offers cmdlets such as:

  • New-ADUser, Set-ADUser, Remove-ADUser
  • Get-ADGroupMember, Add-ADGroupMember

One advantage of PowerShell is that it allows you to write reusable scripts and to view the PowerShell history of what the ADAC console has done. It also allows remote management using RSAT from a client computer, without having to log on to the domain controller directly.
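As an added example (not from the article) covering both the multi-object editing described under "Manage multiple objects simultaneously" and the reusable, remotely run scripts described here: a script that applies one change to every enabled user in an OU from an RSAT-equipped workstation, pinned to a single domain controller, with -WhatIf support so it can be previewed before it touches anything. It assumes the ActiveDirectory module, a domain controller named dc01.corp.example, an OU=Sales container and an existing group Role-Sales.

```powershell
# Added example (not from the article): bulk-update users from a workstation.
# Assumptions: ActiveDirectory module, DC dc01.corp.example, OU=Sales, group Role-Sales.
# Save as Update-SalesUsers.ps1 and run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase  = 'OU=Sales,DC=corp,DC=example',
    [string]$Server      = 'dc01.corp.example',
    [string]$Description = 'Sales department',
    [string]$AddToGroup  = 'Role-Sales'
)
Import-Module ActiveDirectory

# -Server pins every call to one DC so that reads and writes see the same replica
# instead of racing replication between controllers.
$groupDn = (Get-ADGroup -Server $Server -Identity $AddToGroup).DistinguishedName
$users   = Get-ADUser -Server $Server -SearchBase $SearchBase -SearchScope Subtree `
    -Filter { Enabled -eq $true } -Properties Description, MemberOf

foreach ($u in $users) {
    # ShouldProcess makes -WhatIf and -Confirm work for the whole script.
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "set description, add to $AddToGroup")) {
        Set-ADUser -Server $Server -Identity $u -Description $Description
        if ($u.MemberOf -notcontains $groupDn) {
            Add-ADGroupMember -Server $Server -Identity $groupDn -Members $u
        }
    }
}

Write-Output ("Processed {0} user(s) under {1}" -f @($users).Count, $SearchBase)
```

Because every change goes through ShouldProcess, `.\Update-SalesUsers.ps1 -WhatIf` prints what would be done without doing it, which is the scripted counterpart of reviewing the multi-select dialog in ADUC before clicking OK.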

Good practices and recommendations

When managing users and groups in AD, it is recommended to:

  • Do not create more groups than necessary, to avoid overloading the authorization system.
  • Use groups as the primary method of assigning permissions, rather than granting permissions directly to individual users.
  • Create template accounts for new additions with standard configurations.
  • Use descriptive and consistent names across accounts, groups, and organizational units.
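The first and last recommendations are the easiest to check mechanically. The following added example (not from the article) produces a read-only report of groups that are empty, have no description, or do not follow the naming convention, skipping the built-in and well-known groups that the domain itself owns. It assumes the ActiveDirectory module and a hypothetical convention in which group names start with Role-, ACL- or DL-.

```powershell
# Added example (not from the article): read-only group hygiene report.
# Assumptions: ActiveDirectory module; hypothetical Role-/ACL-/DL- naming convention.
Import-Module ActiveDirectory

$namePattern = '^(Role|ACL|DL)-'

$groups = Get-ADGroup -Filter * -Properties Members, Description

$report = foreach ($g in $groups) {
    # Skip built-in (S-1-5-32-*) and well-known domain groups (RID below 1000),
    # which are created by AD itself and do not follow site conventions.
    $rid = [int](($g.SID.Value -split '-')[-1])
    if ($g.SID.Value -like 'S-1-5-32-*' -or $rid -lt 1000) { continue }

    # Note: the member attribute does not list accounts whose *primary* group
    # this is, so "empty" means "no explicit members".
    $memberCount = ($g.Members | Measure-Object).Count

    [pscustomobject]@{
        Name          = $g.Name
        Scope         = $g.GroupScope
        Category      = $g.GroupCategory
        Members       = $memberCount
        Empty         = ($memberCount -eq 0)
        NoDescription = [string]::IsNullOrWhiteSpace($g.Description)
        OffConvention = ($g.Name -notmatch $namePattern)
    }
}

$report |
    Where-Object { $_.Empty -or $_.NoDescription -or $_.OffConvention } |
    Sort-Object Empty, OffConvention -Descending |
    Format-Table -AutoSize
```

An empty security group is not harmless: it still carries a SID, may already sit in ACLs, and is a ready-made place for an unwanted membership to appear unnoticed, so the report is worth running on a schedule rather than once.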

Orderly and systematic management prevents security errors, improves performance, and reduces administrative burden. In this regard, it is worth exploring SYS files in Windows, which can provide more information on system administration.

Managing users and groups in Active Directory is not only a fundamental task, but also the foundation of a secure and well-organized infrastructure. From creating and deleting accounts to automating them with commands or scripts, having a clear plan and following good practices ensures a more efficient and robust IT environment.
