From the course: Career Essentials in System Administration by Microsoft and LinkedIn
Group creation and management
- [Instructor] Active Directory groups have been around since Active Directory in Windows Server 2000, and we can create them in many different ways, but one of the easiest ways is in Azure Active Directory users and computers. So I'm going to go to the users folder that you see here. There's already many different security groups that are here. I'm going to right click and choose to create a new one. All the ones that you see here so far have been created by default as part of Active Directory's installation, so I'm going to right click, choose new, choose group, and I'm given a couple of different options here. On the left hand side, you can see the group scope. Domain local would be if I just have a single domain that I would like to add the group to. Global would be if I'd like to add this to multiple different domains in a single forest. Universal would allow me to add nested groups. I can add one group inside of another if I'd like, if that makes things easier to manage, and it also works with multiple different forests when needed. So if you only have a single domain, it doesn't matter if you choose global or domain local, it's going to be the same thing, but if you have multiple domains, then the global one takes on a new meaning, meaning that you're going to be applying this to all the domains in that single forest. I'll just leave it as the default, since I only have the one domain, so it's only going to affect my domain local. Now, the group type is a little different. Security is the default. This is for adding security to various different resources, such as applications or shared files and folders. Distribution is all about email, and it's really not used anymore unless you have the Microsoft Exchange server on-premises, then it can integrate with Exchange on-premises if you want to create a distribution group that way, but most people have moved to Exchange Online, which is why it's not as important. 
So I'm going to call this one HR, so for instance, I'm going to put all my HR users into this group, and I'll click okay, and really, that's all there is to it. Now, I want to add some users into it, so if I click on members, I can click add, and here, I can go ahead and type in my users. Now, if I don't know my user names or I just don't remember, I can click advanced, and then I can choose find now, and it'll find all the different users, as well as it's showing groups in here as well. So I haven't created any users yet, so I'm going to create a user. I'll just right click, choose new, user, and I'll call this person HR user, and then I'll give it the same login name, but without spaces. Now, it doesn't matter if you use capital letters or lowercase letters when you create the user, it only matters when you create the password, and I'm going to say, just for an example, that password never expires, but of course, it's not a good idea for production. I'll add in my password twice, click finish. Now I can go into my HR group, go to members, click add, and I'll type in HR user. Click okay, and now that user is a member of the HR group, but what can I do with it? Well, I'll give you an example. I'm going to open up File Explorer, go to this PC, go to my C Drive. Let's say that I'm going to create a special HR share that only HR users should be able to access. So I'll go to folder, and I'll just call this HR share, and I'm going to right click on HR share and go to properties, and when I do, I'm going to assign it to that HR group. So first, I'll go to sharing, advanced sharing, share the folder, and go to permissions. Now, you want to remove everyone, because that includes people who are not a member of your domain, so that would mean guests that connect to your network, and I just want to put in domain users.
Now, I'm not assigning the share permission to the HR group users, and that's because you can lock this down in the security, and it will use whatever has the most secured or least privilege, so basically, that means that I'm sharing this with everybody with full access. I click okay, but then when I go to security, I go ahead and click add and type in the HR group, and I give them access. So now, whichever has the least privilege is going to take precedence over the other group, so for instance, if I put in security, domain users have full access, then only the domain users are going to have full access, plus whatever access has been inherited above, and if I go to sharing and I put in full access, it doesn't really matter, because it's going to use the security tab, since it's more secure. I could also do the opposite. I could give everybody or all domain users full security access and go in and lock down the permissions to just the HR group in the sharing tab. Either way, it will work for us. So I'll click close, and now, the HR group and anyone who has inherited anything from the parent folder, those people are going to have the access to this HR share folder. Now, there's multiple different ways to create shares. You could do it in Server Manager, you can do it with PowerShell, you can do it with command line, but that's just a quick way that you can assign groups to a resource, such as a shared folder. Now, let's take a look at how to do the same thing with an Azure Entra ID. So I'm going to go back to the root level and go to users, and here, I can create a new user, and I'll call this user HR user two, because if we're synchronizing, we don't want to have the same name. Otherwise, it'll cause a problem or an error. And I can choose the main domain name if I have multiple different domains, which I do. I'll just choose the default.
So here, you can see the nickname is giving it the same name, and it's grayed out, so you can't make a change there, and I'll make it the same for the display name. Now, I can auto-generate a password, which is what you see here, or I can go ahead and type in my own password, and I'll click review and create and then create. Since this is in Azure, I will still need to go in and buy a license for this user, which I'll have to renew every 30 days, and which happens automatically for us, but you're just going to get billed for it every 30 days. However, just for creating the user, you don't need to have that license. So now, I'm going to go back up a level, and I'm going to go to groups. Groups look a little different than they do in on-premises Active Directory. So I'm going to click on all groups, just so you can see all the groups in my list, and I'll create a new group. Once again, the default goes to the group type of security, but if I hit the dropdown, I also have the option for a Microsoft 365 group, and that's a different option than we had in on-premises Active Directory. And if you're wondering the difference, just go up to where it says group type, and you can see security groups give access to applications and resources, just like you would if you were going to do this on-premises, but of course, in the Azure Cloud. Microsoft 365 groups are used for collaboration, giving members access to a shared mailbox, calendar, files, things like that, so it's a little bit like a distribution list, but it's for Exchange Online. I'm going to give the name HR group two, and you can also assign Entra roles to this group. Roles are different than in on-premises Active Directory. Roles can do many different things, such as allowing certain users, or groups and the people who are members of those groups, to do administrative tasks, such as creating users, changing passwords, adding users to resources, things like that.
I'm going to leave this as no because I just don't need it for this demonstration, but I would like to show you the membership type, so take a look. By default, the membership type is assigned. That means I'm going to manually assign the users into this group. I'm going to choose that first, and then go to where it says members, and I'm going to add in my brand-new HR user. There we go, and click select, and I should also assign an owner to this group as well, but I want to change this to a dynamic user, so a dynamic user's different. It's going to query the members based on their properties. So here, you can see there's a property that I can choose, and we can say, oh, let's say the city. So when you go into the user's account, you double click on the account, and you can see various different properties, and one of those properties is city. Now, there's the address, now, there's the phone number, the area code, things like that, so if I say that this particular person is living in Portland, then anybody with the value of Portland in city is going to dynamically or automatically be added into this group. There are multiple ways to create groups in Active Directory and Entra ID. After you choose on-premises AD, Entra ID hybrid, or Entra ID domain services, you can create the appropriate users and groups for your organization.
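The on-premises walkthrough (HR group, HR user, HRShare with Domain Users at the share level and the HR group on the NTFS side) and the Entra ID dynamic group keyed on the City attribute, as one added PowerShell example that is not part of the course. It assumes the RSAT ActiveDirectory and Microsoft.Graph.Groups modules, a placeholder domain corp.example.com, and goes one step beyond the video by disabling NTFS inheritance on the folder so that only the ACEs written here apply.

```powershell
# Added example, not the instructor's code. Placeholder domain and DN below.
Import-Module ActiveDirectory
$domain  = 'corp.example.com'                       # placeholder, not a real tenant
$usersCn = 'CN=Users,DC=corp,DC=example,DC=com'     # matches the placeholder domain

# 1. Security group with the Domain Local scope the instructor keeps as default.
New-ADGroup -Name 'HR' -SamAccountName 'HR' -GroupScope DomainLocal `
    -GroupCategory Security -Path $usersCn

# 2. User "HR user" with a login name without spaces. The password is prompted
#    rather than hard-coded, and PasswordNeverExpires is left at its default ($false).
New-ADUser -Name 'HR user' -SamAccountName 'hruser' -UserPrincipalName "hruser@$domain" `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') -Enabled $true -Path $usersCn

# 3. Put the user in the group.
Add-ADGroupMember -Identity 'HR' -Members 'hruser'

# 4. Share level: Everyone is not granted; Domain Users get Full Control here because
#    the more restrictive of share and NTFS permissions is what takes effect.
$path = 'C:\HRShare'
New-Item -ItemType Directory -Path $path -Force | Out-Null
New-SmbShare -Name 'HRShare' -Path $path -FullAccess "$env:USERDOMAIN\Domain Users"

# 5. NTFS level: stop inheriting from C:\ (discarding inherited ACEs) and grant only
#    the HR group Modify, plus SYSTEM and Administrators Full Control for maintenance.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
$grants = @{
    "$env:USERDOMAIN\HR"     = 'Modify'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    'BUILTIN\Administrators' = 'FullControl'
}
foreach ($principal in $grants.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $principal, $grants[$principal], 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# 6. Entra ID: a dynamic security group whose members are users whose City is Portland.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'
New-MgGroup -DisplayName 'HR group two' -MailNickname 'hrgrouptwo' `
    -SecurityEnabled -MailEnabled:$false -GroupTypes 'DynamicMembership' `
    -MembershipRule '(user.city -eq "Portland")' -MembershipRuleProcessingState 'On'
```

After step 5, `Get-SmbShareAccess -Name HRShare` and `(Get-Acl C:\HRShare).Access` show the two layers side by side; a Domain Users member outside HR passes the share check and is then denied by the NTFS ACL.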