Creating and Renaming Active Directory Groups – Special Features
Most corporate IT departments run Microsoft's Active Directory directory service as the core of their system landscape. User accounts, groups and other objects are stored and managed there.
This article looks at the specifics of group names and the various Active Directory name attributes of a group object, such as “name”, “commonName” (“cn” for short) and “displayName”, and at how they behave when a group is created or renamed.
Initial Situation
If you create a group via the “Active Directory Users and Computers” console, the attributes “cn”, “name” and “samAccountName”, among others, are populated (“name” is derived from “cn”). This already differs from the behaviour for user accounts: when a user is created, the attribute “displayName” is also filled in automatically, which does not happen for groups.
Overview of AD attributes for a group object
Confusion arises in particular when groups are also created by other tools that do set the “displayName” attribute. Since “displayName” is not a mandatory attribute for a group object, you will then end up with a mix of groups with and without a “displayName”. Any report, permission tool or script that shows or searches groups by “displayName” rather than “name” will then show empty or stale values for part of the groups, which makes an authorisation concept harder to audit.
Creation of a Group with assigned “displayName”
If you want to create new groups with filled “displayName”, you have to fill in this attribute manually when using the “Active Directory Users and Computers” console after creation.
An alternative is to create the groups via PowerShell. Using PowerShell, the administrator has more flexibility and can automate the creation of groups using scripts if necessary.
The following command creates a group object and also assigns the attribute “displayName” during the creation:
PowerShell command to create a group incl. “displayName”.
The result of creating the group looks like this:
Result of a group created via PowerShell
Depending on the kind of group required, the parameters “-GroupScope” and “-GroupCategory” are adjusted. “-GroupScope” is mandatory; “-GroupCategory” defaults to “Security” if omitted. The accepted values are:
- GroupScope
  - DomainLocal
  - Global
  - Universal
- GroupCategory
  - Security
  - Distribution
Additional attributes can also be assigned when creating a new group via PowerShell. You can find further information at https://docs.microsoft.com/en-us/powershell/module/activedirectory/new-adgroup?view=windowsserver2022-ps.
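A worked example of such a creation, added here as an illustration (it is not the command from the article's screenshot). It assumes the RSAT “ActiveDirectory” PowerShell module is available, that the caller may create objects in the target OU, and uses a made-up OU path and group name:

```powershell
# Added example, not the article's own command.
# Assumptions: ActiveDirectory module installed, rights to create groups in $ou.
# The OU path, group name and description below are made up for illustration.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example'   # hypothetical target OU

$params = @{
    Name           = 'FS-Finance-RW'   # populates cn and name
    SamAccountName = 'FS-Finance-RW'   # pre-Windows 2000 name; defaults to Name if omitted
    DisplayName    = 'FS-Finance-RW'   # NOT set automatically for groups, so set it here
    GroupScope     = 'DomainLocal'     # DomainLocal | Global | Universal (mandatory)
    GroupCategory  = 'Security'        # Security | Distribution (default: Security)
    Path           = $ou
    Description    = 'Read/write access to the Finance share'
}
New-ADGroup @params

# Verify that all name attributes are consistent. displayName is not part of the
# default property set returned by Get-ADGroup, so it must be requested explicitly.
Get-ADGroup -Identity $params.SamAccountName -Properties displayName |
    Select-Object Name, SamAccountName, DisplayName, GroupScope, GroupCategory, DistinguishedName
```

Passing the parameters via a hashtable (splatting) keeps the values for “Name”, “SamAccountName” and “DisplayName” visibly side by side, which makes it easy to ensure they are identical when the script is adapted or looped over a list of groups.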
Rename a Group
If a group needs to be renamed, the administrator again has several options. The best-known way is once more the “Active Directory Users and Computers” console.
It should be noted that the attribute “displayName” is not changed if it is already assigned.
Attributes of a group before renaming
Group renaming assistant
Result after renaming the group
As can be seen, only the attributes “cn”, “name” and “samAccountName” were adjusted during the renaming. The attribute “displayName” still contains the original value before the renaming. This attribute would now have to be manually adjusted again.
To avoid this problem, it is again recommended to rename the group via PowerShell. The following two commands are necessary for this:
Renaming a group via PowerShell
Result after renaming the group via PowerShell
In this case, all the relevant Active Directory name attributes are updated together, and you have a consistent state across the different name attributes of the group.
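The rename described above, written out as an added example (not the article's screenshot), followed by a check that also addresses the mixed state of groups with and without a “displayName” mentioned in the initial situation. It assumes the “ActiveDirectory” module and made-up old and new group names and OU:

```powershell
# Added example, not the article's own command.
# Assumptions: ActiveDirectory module installed, rights to modify the group.
# Group names and OU path are made up for illustration.
Import-Module ActiveDirectory

$oldName = 'FS-Finance-RW'
$newName = 'FS-Finance-Modify'
$ou      = 'OU=Groups,DC=corp,DC=example'

# Read the object once; ObjectGUID stays stable across the rename, the DN does not.
$group = Get-ADGroup -Identity $oldName -Properties displayName

# Command 1: Rename-ADObject changes the RDN, i.e. cn and name.
# It does NOT touch sAMAccountName or displayName.
Rename-ADObject -Identity $group.DistinguishedName -NewName $newName

# Command 2: Set-ADGroup updates the remaining name attributes.
# Identify by GUID because the distinguished name changed in command 1.
Set-ADGroup -Identity $group.ObjectGUID -SamAccountName $newName -DisplayName $newName

# Verify the renamed group.
Get-ADGroup -Identity $group.ObjectGUID -Properties displayName |
    Select-Object Name, SamAccountName, DisplayName, DistinguishedName

# Check: list groups in the OU whose displayName is missing or differs from name,
# i.e. groups that were created by a tool without displayName or renamed via the console.
Get-ADGroup -Filter * -SearchBase $ou -Properties displayName |
    Where-Object { -not $_.DisplayName -or $_.DisplayName -ne $_.Name } |
    Select-Object Name, SamAccountName, DisplayName, DistinguishedName
```

Neither command changes the group's SID, so existing permission entries that reference the group remain valid after the rename; only the name attributes change. Running the final check regularly surfaces groups whose names have drifted apart before they cause confusion in permission reports.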
About the Author
Christoph Schulze is a Senior Consultant at permSECURE. He has been designing and supporting file server projects and helping customers to optimise their authorisation concepts since 2011.