
How to Get Security Groups in Active Directory

Active Directory security groups are the go-to solution for efficient network management and seamless resource access. However, without proper oversight of their scopes and configurations, security groups become a source of security risk and privilege escalation, especially in cross-domain environments. This guide shows how to find all security groups in Active Directory so you can keep the environment secure and efficient.

List Security Groups Using Saved Queries in Active Directory

Active Directory permission required: Domain Users (least privilege); Administrators (most privilege).
  • Open the Active Directory Users and Computers console.
  • In the left pane, right-click Saved Queries and select New»Query. Enter a suitable Name and Description for the query.
  • Set the Query Root to limit the search to a specific container instead of the entire domain, and check the Include subcontainers box to search its nested containers as well.
  • Click Define Query and choose Custom Search from the Find drop-down.
  • Go to the Advanced tab and enter the following LDAP filter. It matches objects whose objectCategory is Group and whose groupType attribute has the security-enabled bit set (0x80000000 = 2147483648); the OID 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND matching rule, so a group whose bit is clear (a distribution group) is not returned.
     (&(objectCategory=Group)(groupType:1.2.840.113556.1.4.803:=2147483648))
  • Click OK in both dialog boxes to save the query.
  • The new query appears under Saved Queries. Select it to display all security groups in Active Directory along with their scope and description.
  • To download the list of security groups in Active Directory, right-click the saved query name and select Export List.

Find Security Groups Using Active Directory PowerShell

Active Directory permission required: Domain Users (least privilege); Administrators (most privilege).
  • Ensure the Active Directory PowerShell module (part of RSAT) is installed on your machine.
  • Run the following cmdlet to list all security groups in your Active Directory.
     Get-ADGroup -Filter "GroupCategory -eq 'Security'" |
         Select-Object Name, GroupScope, DistinguishedName, ObjectGUID |
         Format-Table
  • The output lists all security groups along with their name, group scope, distinguished name, and ObjectGUID.
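The following PowerShell, added here as an illustration and not taken from the article, shows what the saved-query LDAP filter in the previous section and Get-ADGroup's GroupCategory are actually testing: the groupType bitmask. The sample group names and groupType values are constructed; the final Get-ADGroup call is only attempted when the RSAT ActiveDirectory module is present.

```powershell
# Added example (not from the original article): decode the AD groupType bitmask that the
# saved-query LDAP filter and Get-ADGroup's GroupCategory both rely on.
# Flag values are from the AD schema (ADS_GROUP_TYPE_ENUM):
#   0x00000001  BUILTIN_LOCAL     system-created builtin group (e.g. Administrators)
#   0x00000002  GLOBAL            global scope
#   0x00000004  DOMAIN_LOCAL      domain local scope
#   0x00000008  UNIVERSAL         universal scope
#   0x80000000  SECURITY_ENABLED  set => security group, clear => distribution group
# groupType is stored as a signed 32-bit integer, so security groups show up as negative
# numbers (a global security group is -2147483646 = 0x80000002).

function ConvertFrom-GroupType {
    param([Parameter(Mandatory)][int]$GroupType)

    # Reinterpret the signed value as unsigned so the sign bit can be tested directly.
    $bits = [BitConverter]::ToUInt32([BitConverter]::GetBytes($GroupType), 0)

    $scope = switch ($bits -band 14) {      # 14 = 0x2 -bor 0x4 -bor 0x8
        2       { 'Global' }
        4       { 'DomainLocal' }
        8       { 'Universal' }
        default { 'Unknown' }
    }
    $category = if (($bits -band 2147483648) -ne 0) { 'Security' } else { 'Distribution' }  # 0x80000000

    [pscustomobject]@{
        GroupType     = $GroupType
        GroupCategory = $category
        GroupScope    = $scope
        IsBuiltIn     = ($bits -band 1) -ne 0
    }
}

# Constructed sample values, as Get-ADGroup -Properties groupType would return them.
$samples = @(
    @{ Name = 'Domain Admins';  GroupType = -2147483646 }   # 0x80000002 global security
    @{ Name = 'Administrators'; GroupType = -2147483643 }   # 0x80000005 builtin + domain local security
    @{ Name = 'Finance_Share';  GroupType = -2147483644 }   # 0x80000004 domain local security
    @{ Name = 'Corp_AllStaff';  GroupType = -2147483640 }   # 0x80000008 universal security
    @{ Name = 'Newsletter';     GroupType = 2 }             # 0x00000002 global distribution
)
$samples | ForEach-Object {
    ConvertFrom-GroupType -GroupType $_.GroupType |
        Add-Member -NotePropertyName Name -NotePropertyValue $_.Name -PassThru
} | Format-Table Name, GroupCategory, GroupScope, IsBuiltIn, GroupType

# The article's filter tests only the SECURITY_ENABLED bit. LDAP_MATCHING_RULE_BIT_AND requires
# every bit in the value to be set, so adding a scope bit narrows the query to one scope.
$ldapFilters = @{
    AllSecurity         = '(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'
    GlobalSecurity      = '(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483650))'  # 0x80000002
    DomainLocalSecurity = '(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483652))'  # 0x80000004
    UniversalSecurity   = '(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483656))'  # 0x80000008
}

# Equivalent of the saved query, run only when the RSAT module is available.
if (Get-Command Get-ADGroup -ErrorAction SilentlyContinue) {
    Get-ADGroup -LDAPFilter $ldapFilters.AllSecurity -Properties groupType |
        Select-Object Name, GroupScope,
            @{ n = 'Decoded'; e = { (ConvertFrom-GroupType $_.groupType).GroupCategory } }
}
```

The decoder is useful on its own when reviewing raw groupType values in exported reports or event logs: a value that has gone from negative to positive means the security-enabled bit was cleared, which is exactly the security-to-distribution switch the Important Tips section says to audit.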

Effortlessly Monitor Security Groups in Active Directory with AdminDroid!

AdminDroid’s Active Directory reporting tool provides detailed reports on security groups, such as built-in, domain local, universal groups, and more. Admins can use these reports to monitor high-privilege security groups, detect unauthorized access, and maintain security.

Monitor Deleted Security Groups in AD to Restore Critical User Access

Find deleted security groups in Active Directory to minimize workflow disruptions and swiftly restore user access to shared drives, folders, and network resources.

Find Unmanaged Security Groups to Streamline Management

Use AdminDroid's advanced filters in the groups without manager report to identify managerless security groups and assign a manager to oversee these groups' management.

Track Global Security Groups for Streamlined Management

Regularly monitor global security groups to maintain consistent access at the domain level, control permissions, and ensure efficient management.

Monitor Security Group Members to Prevent Unauthorized Access

Track security group memberships using AdminDroid to detect unauthorized members and ensure that only authorized users have admin or elevated privileges.

Visualize Security Groups with AdminDroid's Group Dashboard

Easily view all security groups and track membership stats with the dedicated Active Directory groups dashboard to assess group sizes efficiently.

Protect AD Security Groups from Accidental Deletion

List all groups protected from accidental deletion and ensure key security groups are included to prevent unauthorized deletions in Active Directory.

In a nutshell, AdminDroid’s Active Directory management tool helps track security groups, spot changes, manage access, and enforce security controls. Additionally, it enhances your workflow by enabling direct management actions, such as group creation, deletion, modification, etc., to streamline AD administration.


Important Tips

Implement the principle of least privilege in Active Directory while assigning permissions to security groups to avoid unnecessary privileges.

Secure Administrators group in Active Directory by adding members only during build or disaster recovery scenarios and avoiding the inclusion of everyday user accounts.

Audit group type changes in AD to identify security groups switched to distribution groups, revoke unnecessary permissions, and prevent unauthorized modifications. Watch the reverse conversion too: ACEs that reference a group's SID remain on the resource after the group is switched to distribution and become effective again if it is switched back to security.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while exporting or managing security groups in Active Directory.

Error: Get-ADGroup : Invalid value: 'Built-in security groups' specified for extended attribute: 'GroupCategory'.

This error occurs because an invalid value was supplied for GroupCategory in the filter; the attribute accepts only "Security" or "Distribution".

Fix: Use "Security" as the GroupCategory value to retrieve security groups:
    Get-ADGroup -Filter "GroupCategory -eq 'Security'" | Select-Object Name, GroupCategory, DistinguishedName

Error: The query filter is not a valid query string.

This error occurs when the LDAP filter defined in the saved query is malformed.

Fix: Enter the filter exactly as shown in the guidelines above, check that every opening parenthesis has a matching closing one, and remove any trailing spaces or line breaks picked up when copying and pasting the query.

Error: The name already exists. Please type a new name and click OK.

This error occurs when you create a saved query in ADUC with a name that is already in use.

Fix: Use clear, unique names for saved queries.

Error: Windows cannot delete object because: Cannot perform this operation on built-in accounts.

This error occurs when you attempt to delete a built-in security group in Active Directory.

Fix: Built-in security groups cannot be deleted; only custom security groups can be removed. Instead, remove the members that no longer need the group's rights from the built-in group.
Frequently Asked Questions


1. How to create a security group in Active Directory?

Security groups in Active Directory are collections of user accounts, computers , or other objects that help simplify permissions management. Assigning permissions to a group instead of individual users helps admins to efficiently control access to resources like files, applications, or shared folders. You can create security groups based on your organization's needs to streamline access management.

Create a security group in Active Directory

  • Open the Active Directory Users and Computers console.
  • Locate and right-click the organizational unit where you want to create the group.
  • Select New»Group from the context menu.
  • Enter a Group name and ensure it aligns with your naming conventions.
  • Choose the Group scope based on your needs:
    • Domain Local: Grants permissions to resources within the same domain but can include members from any trusted domain.
    • Global: Grants access to resources within the same domain, across trusting domains, or forests, but includes members only from the same domain.
    • Universal: Provides access to resources across all domains in the same forest or trusting forests . It includes members such as user accounts, global groups, and other universal groups from any domain within the same forest.
  • Select the Group type as Security and click OK to create the group.

Managing different types of security groups in Active Directory helps admins control permissions, enhance security, and improve efficiency. Quickly identifying recently created groups also simplifies tracking new assignments and access changes.

When native methods fall short, AdminDroid provides a clear, comprehensive report of all recently created security groups.

  • At a glance, the recently created security groups report shows event history with details like who created the group, creation time, group scope, members, and more.
  • With this, admins can promptly investigate unauthorized group creation, verify permissions, and monitor policy changes to enhance overall security management.

2. How to create bulk security groups in Active Directory?

When an organization opens a new branch, admins need to create security groups for departments like HR, Finance, IT, Sales, Support, etc., to manage access to resources. Manually creating these groups is time-consuming and prone to errors. Bulk creation simplifies this process by ensuring consistency in naming, policies, & structure while saving time and reducing administrative effort.

Create bulk security groups using Active Directory PowerShell

  • Create a CSV file with the headers GroupName, OUPath, GroupScope, and GroupCategory, one group per row. OUPath is the distinguished name of the target OU, GroupScope is Global, DomainLocal, or Universal, and GroupCategory is Security.
  • Run the following PowerShell script to create the security groups listed in the CSV file.
    Import-Csv -Path "<FilePath>" | ForEach-Object {
        $groupName = $_.GroupName
        try {
            New-ADGroup -Name $groupName -Path $_.OUPath -GroupScope $_.GroupScope `
                -GroupCategory $_.GroupCategory -ErrorAction Stop
            Write-Host "Group '$groupName' created successfully!" -ForegroundColor Green
        }
        catch {
            Write-Host "Failed to create group '$groupName': $($_.Exception.Message)" -ForegroundColor Red
        }
    }

Make sure to replace <FilePath> with the actual CSV file’s path before executing this PowerShell snippet.

3. How to delete security groups in Active Directory?

Over time, organizations accumulate unused security groups created for temporary projects or specific tasks. Removing these groups helps maintain a clean Active Directory environment and reduces administrative overhead. Here’s how to remove such security groups in Active Directory.

Remove Active Directory security groups using ADUC

  • Navigate to the Active Directory Users and Computers console.
  • Right-click the security group you wish to remove and select Delete from the menu.
  • Click Yes and confirm the deletion when prompted.

Delete security groups Using Active Directory PowerShell

Manually deleting such groups via the Active Directory GUI can be time-consuming, especially when handling multiple groups. Using PowerShell ensures quick removal and reduces administrative overhead.

Admins can run the following command to delete a security group after replacing <GroupName> with the group's SAM account name (the -Identity parameter also accepts a distinguished name, GUID, or SID):

    Remove-ADGroup -Identity <GroupName>

By default, executing the above cmdlet prompts for confirmation before deletion. To skip the confirmation, append the -Confirm:$false flag to the cmdlet.

To remove multiple security groups, run the following cmdlet after replacing the group names.

$groups = @("<GroupName1>", "<GroupName2>", "<GroupName3>")
$groups | ForEach-Object { Remove-ADGroup -Identity $_ -Confirm:$false }

For added convenience, instead of manually specifying each group, you can use a CSV file to streamline and simplify the deletion process.

Points to remember:

  • While you can safely delete custom security groups that you have created, built-in security groups cannot be deleted.
  • Before deleting, ensure the group is not actively assigned to critical resources to avoid unintended access issues.
  • Groups configured with "Protect object from accidental deletion" cannot be deleted in Active Directory. To remove this protection, disable it in the group’s Properties»Object tab in the ADUC console.
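Added example (not from the article): a wrapper around Remove-ADGroup that enforces the three points above before deleting anything. It refuses built-in groups, stops on groups that still have members unless told otherwise, and only clears accidental-deletion protection on explicit request. It assumes the RSAT ActiveDirectory module and a domain connection; the group names in the usage lines are illustrative.

```powershell
# Added example, not from the original article. Safe deletion of custom security groups.
function Remove-CustomSecurityGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Identity,
        [switch]$RemoveProtection,   # opt in to clearing ProtectedFromAccidentalDeletion
        [switch]$AllowMembers        # opt in to deleting a group that still has members
    )
    process {
        $g = Get-ADGroup -Identity $Identity `
            -Properties isCriticalSystemObject, ProtectedFromAccidentalDeletion, Members, MemberOf `
            -ErrorAction Stop

        # AD flags its own default groups (Administrators, Domain Admins, ...) as critical system objects.
        if ($g.isCriticalSystemObject) {
            Write-Warning "$($g.Name): isCriticalSystemObject is set; built-in groups cannot be deleted. Skipping."
            return
        }
        # Well-known RIDs below 1000 also mark a default group, independent of that flag.
        $rid = [int]($g.SID.Value.Split('-')[-1])
        if ($rid -lt 1000) {
            Write-Warning "$($g.Name): RID $rid belongs to a default group. Skipping."
            return
        }
        # A group with members is probably still granting access somewhere.
        if ($g.Members.Count -gt 0 -and -not $AllowMembers) {
            Write-Warning "$($g.Name): still has $($g.Members.Count) member(s); review access first or use -AllowMembers."
            return
        }
        if ($g.MemberOf.Count -gt 0) {
            Write-Verbose "$($g.Name) is nested in: $($g.MemberOf -join '; ')"
        }
        if ($g.ProtectedFromAccidentalDeletion) {
            if (-not $RemoveProtection) {
                Write-Warning "$($g.Name): protected from accidental deletion; rerun with -RemoveProtection."
                return
            }
            if ($PSCmdlet.ShouldProcess($g.DistinguishedName, 'Clear ProtectedFromAccidentalDeletion')) {
                Set-ADObject -Identity $g.DistinguishedName -ProtectedFromAccidentalDeletion $false
            }
        }
        if ($PSCmdlet.ShouldProcess($g.DistinguishedName, 'Remove-ADGroup')) {
            Remove-ADGroup -Identity $g.DistinguishedName -Confirm:$false
        }
    }
}

# Dry run first (-WhatIf prints what would happen), then the real deletion.
'Proj_Alpha_Temp', 'Legacy_FS_Access' | Remove-CustomSecurityGroup -WhatIf
'Proj_Alpha_Temp', 'Legacy_FS_Access' | Remove-CustomSecurityGroup -RemoveProtection -Verbose
```

Because the function takes its input from the pipeline, the same CSV-driven approach mentioned above works: `Import-Csv groups.csv | Select-Object -ExpandProperty GroupName | Remove-CustomSecurityGroup -WhatIf`.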

4. How to assign permissions to a security group in Active Directory?

Assigning permissions to a security group in Active Directory streamlines access management to control resource permissions for multiple users at once. This approach enhances security, simplifies administration, and ensures consistency in access control across the organization.

For example, imagine you have a shared folder named "ProjectDocs" on your network that should only be editable by project team members. Instead of assigning permissions to individual users, assign them to the security group to manage access on a larger scale.

Assign permissions to a security group in Active Directory

  • Navigate to the file, shared folder, or resource (e.g., ProjectDocs) you want to assign permissions to.
  • Right-click the resource and select Properties.
  • In the Properties window, click on the Security tab.
  • Click Edit, then Add. Type the name of the security group (e.g., Project_Team) and click Check Names to verify.
  • Click OK once the group is added.
  • Then, select the security group you've added from the list of users and groups.
  • Under Permissions, check the boxes for the desired permissions (e.g., Modify, Read, Full Control).
  • Finally, click Apply and then OK to save the changes.

Note: For more granular control, click Advanced on the Security tab. There you can assign individual permissions such as Delete or Create files / write data, and control inheritance, for fine-grained control over the resource.
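Added example, not from the article: the same folder permission assignment done with Get-Acl and Set-Acl, plus a check for catch-all principals whose write access would make the group-based grant meaningless. The path D:\Shares\ProjectDocs and the group CONTOSO\Project_Team are assumptions; the group must resolve on the machine running the script.

```powershell
# Added example (not from the original article): group-based NTFS permissions from PowerShell.
using namespace System.Security.AccessControl

function Grant-FolderAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,      # e.g. 'CONTOSO\Project_Team'
        [FileSystemRights]$Rights = [FileSystemRights]::Modify   # Modify, not FullControl, by default
    )
    $acl = Get-Acl -Path $Path
    # ContainerInherit + ObjectInherit: the ACE applies to this folder, its subfolders and its files.
    $rule = [FileSystemAccessRule]::new(
        $Identity,
        $Rights,
        [InheritanceFlags]::ContainerInherit -bor [InheritanceFlags]::ObjectInherit,
        [PropagationFlags]::None,
        [AccessControlType]::Allow
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAccess {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

function Find-BroadAccess {
    # Flags Allow ACEs that give write-level rights to catch-all principals; such entries
    # (often inherited from the parent) grant far more than the project group does.
    param([Parameter(Mandatory)][string]$Path)
    $broad      = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
    $writeRights = [FileSystemRights]::Write -bor [FileSystemRights]::Modify -bor [FileSystemRights]::FullControl
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.IdentityReference.Value -in $broad -or $_.IdentityReference.Value -like '*\Domain Users') -and
        (($_.FileSystemRights -band $writeRights) -ne 0)
    }
}

Grant-FolderAccess -Path 'D:\Shares\ProjectDocs' -Identity 'CONTOSO\Project_Team' -Rights Modify
Get-FolderAccess   -Path 'D:\Shares\ProjectDocs' | Format-Table -AutoSize
Find-BroadAccess   -Path 'D:\Shares\ProjectDocs' | Format-Table -AutoSize
```

If Find-BroadAccess returns anything, the group grant is not the effective boundary: disable inheritance on the folder (Advanced on the Security tab, or `$acl.SetAccessRuleProtection($true, $false)` followed by Set-Acl) and re-add only the entries you intend.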

5. What are the best practices for creating and managing security groups in Active Directory?

Managing a combination of built-in and custom security groups can quickly become overwhelming for admins. A well-organized approach not only ensures a secure and efficient environment but also helps prevent unnecessary challenges. Here are the best practices to streamline security group management and minimize risks.

  • Adopt Clear Naming Conventions: Adopt clear and consistent naming conventions for security groups. This enhances manageability and makes it easier to identify group purposes, such as “Finance_ReadOnly” or “HR_Admins.”
  • Limit Permissions for Default Groups: Default security groups often come with predefined permissions, which can be overly permissive. Regularly review and modify these permissions to align with your organization's security policies and minimize unnecessary access.
  • Apply the Principle of Least Privilege: Assign permissions to security groups based only on what is necessary for a user's job function. This reduces the attack surface and prevents misuse of privileges.
  • Streamline Permissions with Group Nesting: Nesting groups simplifies permission management and scales well because it allows hierarchical structures. Use it with care, though: a permission granted to a parent group is inherited by every member of every nested group, so one incorrect assignment can grant far more access than intended, and effective membership becomes harder to see.
  • Monitor Group Changes Regularly: Regularly monitor and audit changes to privileged security groups. For instance, unauthorized additions to an administrative group can signal a security breach.

By adopting these best practices, you minimize security risks, maintain compliance, and improve operational efficiency.
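As an added example (not part of the original article), the PowerShell below turns the last practice and the group-type tip above into a repeatable check: it snapshots the direct members and groupType of a list of privileged groups, stores a baseline, and on later runs reports member additions, removals and security-to-distribution switches. The group list, the baseline path and the sample snapshots are constructed; the live snapshot requires the RSAT ActiveDirectory module and a domain connection.

```powershell
# Added example, not from the original article. Diff privileged-group membership and groupType
# against a saved baseline. The group list and baseline path are illustrative assumptions.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$BaselinePath     = 'C:\Audit\privileged-groups-baseline.json'

function Get-GroupSnapshot {
    # One record per group: name, raw groupType, and sorted DNs of direct members.
    param([Parameter(Mandatory)][string[]]$Groups)
    foreach ($name in $Groups) {
        $g = Get-ADGroup -Identity $name -Properties groupType, Members -ErrorAction Stop
        [pscustomobject]@{
            Group     = $g.Name
            GroupType = [int]$g.groupType
            Members   = @($g.Members | Sort-Object)
        }
    }
}

function Compare-GroupSnapshot {
    # Emits one record per change; an empty result means nothing changed.
    param([Parameter(Mandatory)][object[]]$Baseline, [Parameter(Mandatory)][object[]]$Current)
    $base = @{}
    foreach ($b in $Baseline) { $base[$b.Group] = $b }
    foreach ($cur in $Current) {
        $old = $base[$cur.Group]
        if (-not $old) {
            [pscustomobject]@{ Group = $cur.Group; Change = 'NotInBaseline'; Detail = '' }
            continue
        }
        if ($old.GroupType -ne $cur.GroupType) {
            # The 0x80000000 bit turning off means the group was switched from security to distribution.
            [pscustomobject]@{ Group = $cur.Group; Change = 'GroupTypeChanged'; Detail = "$($old.GroupType) -> $($cur.GroupType)" }
        }
        foreach ($m in @($cur.Members | Where-Object { $_ -notin @($old.Members) })) {
            [pscustomobject]@{ Group = $cur.Group; Change = 'MemberAdded'; Detail = $m }
        }
        foreach ($m in @($old.Members | Where-Object { $_ -notin @($cur.Members) })) {
            [pscustomobject]@{ Group = $cur.Group; Change = 'MemberRemoved'; Detail = $m }
        }
    }
}

# Constructed snapshots so the diff logic can be seen without a domain connection.
$baseline = @(
    [pscustomobject]@{ Group = 'Domain Admins';  GroupType = -2147483646; Members = @('CN=Administrator,CN=Users,DC=corp,DC=example') }
    [pscustomobject]@{ Group = 'Finance_Admins'; GroupType = -2147483646; Members = @('CN=alice,OU=Finance,DC=corp,DC=example') }
)
$current = @(
    [pscustomobject]@{ Group = 'Domain Admins';  GroupType = -2147483646; Members = @('CN=Administrator,CN=Users,DC=corp,DC=example', 'CN=svc-backup,OU=Service,DC=corp,DC=example') }
    [pscustomobject]@{ Group = 'Finance_Admins'; GroupType = 2;           Members = @('CN=alice,OU=Finance,DC=corp,DC=example') }
)
Compare-GroupSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize

# Scheduled use against the live domain: the first run writes the baseline, later runs report drift.
if (Get-Command Get-ADGroup -ErrorAction SilentlyContinue) {
    if (-not (Test-Path $BaselinePath)) {
        Get-GroupSnapshot -Groups $PrivilegedGroups | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    } else {
        $saved = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
        $live  = @(Get-GroupSnapshot -Groups $PrivilegedGroups)
        Compare-GroupSnapshot -Baseline $saved -Current $live | Format-Table -AutoSize
    }
}
```

The constructed run reports the service account added to Domain Admins and the type change on Finance_Admins. Only direct members are compared; nested groups appear as DNs, so add a second snapshot with `Get-ADGroupMember -Recursive` if you also want changes inside nested groups, and refresh the baseline deliberately after each approved change rather than letting it drift.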
