+49 30 3642803 0 | info@permsecure.com​

Creating and Renaming Active Directory Groups – Special Features

permSECURE - Active Directory Gruppen

IT departments in companies usually use the Active Directory directory service from Microsoft in their system landscape. User accounts, groups and other objects are stored and managed there.

This article goes into the specifics of group names and the various Active Directory attributes, such as “name”, “commonName” (“cn” for short) or “displayName”.

Inhalt

Initial Situation

If you create a group via the “Active Directory Users and Computers” console, the attributes “cn”, “name” and “samAccountName”, among others, are assigned. At this point, this behavior is already fundamentally different from user accounts. In the case of user accounts, the attribute “displayName” is also automatically assigned, which does not happen when groups are created.

permSECURE - AD Attribute
Overview of AD attributes for a group object

Especially when groups are also created via other tools that also assign the “displayName” attribute, confusion can arise among administrators. Since the “displayName” for a group object is not a mandatory attribute, you probably have groups with and without assigned “displayName” afterwards.

permSECURE - Shouting Man

Download our Whitepaper!

Deepen your knowledge with our whitepaper on NTFS Best Practices.

Creation of a Group with assigned "displayName"

If you want to create new groups with filled “displayName”, you have to fill in this attribute manually when using the “Active Directory Users and Computers” console after creation.

An alternative is to create the groups via PowerShell. Using PowerShell, the administrator has more flexibility and can automate the creation of groups using scripts if necessary.

The following command creates a group object and also assigns the attribute “displayName” during the creation:

permSECURE - PowerShell Befehl
PowerShell command to create a group incl. "displayName".

The result of the group plant looks like this:

permSECURE - Ergebnis PowerShell
Result of a group created via PowerShell

Depending on what kind of group is to be created, the switches “-GroupScope” and “-GroupCategory” can be adjusted. The following values can be used:

  • GroupScope
    • Global
    • Universal
    • Domain Local
  • GroupCategory
    • Security
    • Distribution


Additional attributes can also be assigned when creating a new group via PowerShell. You can find further information at https://docs.microsoft.com/en-us/powershell/module/activedirectory/new-adgroup?view=windowsserver2022-ps.

Are you looking for professional advice?

Do you need support in optimizing your file servers? Feel free to contact us!

permSECURE - Shouting Woman

Rename a Group

If a group needs to be renamed, the administrator again has several options. The best known way is again the use of the “Active Directory Users and Computers” console.

It should be noted that the attribute “displayName” is not changed if it is already assigned.

permSECURE - Attribute vor Umbenennung
Attributes of a group before renaming
permSECURE - Assistent zur Gruppenumbenennung
Group renaming assistant
permSECURE - Ergebnis nach Umbenennung
Result after renaming the group

As can be seen, only the attributes “cn”, “name” and “samAccountName” were adjusted during the renaming. The attribute “displayName” still contains the original value before the renaming. This attribute would now have to be manually adjusted again.

To avoid this problem, it is again recommended to rename the group via PowerShell. The following two commands are necessary for this:

permSECURE - Umbenennen über PowerShell
Renaming a group via PowerShell
permSECURE - Ergebnis nach Umbenennung PowerShell
Result after renaming the group via PowerShell

In this case, all desired Active Directory attributes are renamed as well and you have a consistent state across the different name attributes of Active Directory groups.

About the Author:

Christoph Schulze
Christoph Schulze is Senior Consultant at permSECURE. Since 2013 he has been designing and supporting file server projects and helping customers to optimize their permission concepts.