1 00:00:00,420 --> 00:00:06,960 In the following lessons we'll talk about working with Active Directory groups and memberships. In the 2 00:00:06,960 --> 00:00:14,040 previous lessons you have learnt about managing user and computer objects using PowerShell. 3 00:00:14,040 --> 00:00:19,500 Now let's discuss how to manage Active Directory groups and their memberships. 4 00:00:19,530 --> 00:00:23,940 We'll see how to perform the following operations in Active Directory 5 00:00:23,940 --> 00:00:32,830 using the PowerShell cmdlets: how to create local, global, and universal security groups; searching 6 00:00:32,970 --> 00:00:36,630 and modifying group object information; 7 00:00:36,630 --> 00:00:46,410 adding group members, user and computer accounts, to the security groups, and how to list members of a security 8 00:00:46,410 --> 00:00:48,360 group in Active Directory; 9 00:00:48,360 --> 00:00:55,950 removing user or computer accounts from groups, removing a group from groups, and how to delete and 10 00:00:55,950 --> 00:00:59,280 remove the AD groups. To start with, 11 00:00:59,280 --> 00:01:06,220 let's recall some basic concepts about Active Directory groups and their memberships. 12 00:01:06,240 --> 00:01:14,190 What is a group? A group is a collection of different Active Directory objects such as user accounts, computer 13 00:01:14,190 --> 00:01:21,960 accounts, and groups, of course. Active Directory groups are basically categorized into two types: 14 00:01:22,080 --> 00:01:31,370 security groups and distribution lists or groups abbreviation for routers deal respectfully.
15 00:01:31,550 --> 00:01:39,320 A security group can be used to grant permissions to various resources in a network, such as granting 16 00:01:39,330 --> 00:01:48,570 permissions to shares, NTFS permissions, or New Technology File System permissions, printer permissions, 17 00:01:48,660 --> 00:01:57,960 and many more similar activities. Distribution lists are email-enabled groups using which information 18 00:01:57,960 --> 00:02:02,100 can be shared via email to a group of people 19 00:02:02,100 --> 00:02:12,210 simultaneously. Security groups can be mail-enabled and used as distribution lists, and vice versa. 20 00:02:12,210 --> 00:02:20,130 Both of these groups are further characterized by a scope that identifies the extent to which the group 21 00:02:20,130 --> 00:02:23,430 is applied in a domain tree or forest. 22 00:02:23,430 --> 00:02:31,350 This means that the scope of a group determines whether it can have members from the same domain, different 23 00:02:31,350 --> 00:02:34,140 domains, or different forests. 24 00:02:34,140 --> 00:02:41,360 There are three types of scope available in Active Directory that apply to both of these groups. 25 00:02:41,400 --> 00:02:47,350 They are universal, global, and domain local groups. 26 00:02:47,350 --> 00:02:48,600 Sorry, scopes. 27 00:02:48,600 --> 00:02:56,970 Please consider that because distribution groups are used for email and most importantly for Microsoft 28 00:02:56,970 --> 00:02:58,770 Exchange applications, 29 00:02:58,890 --> 00:03:02,190 we won't discuss it so much. 30 00:03:02,310 --> 00:03:07,630 We will limit our discussion to security groups in these lessons. 31 00:03:07,800 --> 00:03:15,690 And as you may know, in a Windows environment Active Directory security groups play an important role. 32 00:03:15,960 --> 00:03:24,960 Using groups to delegate or grant permissions is very scalable compared to granting permissions to an 33 00:03:25,020 --> 00:03:28,070 individual user or computer account.
34 00:03:28,080 --> 00:03:36,090 That's why it is very important for a Windows system administrator to understand how to automate, to 35 00:03:36,090 --> 00:03:43,530 its maximum extent, the usage of the groups, security groups, in a Windows environment. 36 00:03:43,530 --> 00:03:47,880 So let's start with creating different types of security groups. 37 00:03:47,970 --> 00:03:54,210 As I have mentioned, there are different types of security groups available in Active Directory, such 38 00:03:54,210 --> 00:04:00,310 as global, domain local, and universal. To create a new group in Active Directory, 39 00:04:00,450 --> 00:04:07,620 the New-ADGroup cmdlet can be used. This cmdlet accepts three parameters. 40 00:04:07,620 --> 00:04:09,510 These are the name of the group, 41 00:04:09,630 --> 00:04:19,530 the organizational unit path in AD, and group scope, such as domain local, global, or universal. Name and 42 00:04:19,620 --> 00:04:23,140 group scope need to be provided mandatorily. 43 00:04:23,190 --> 00:04:32,510 So let's review some simple command line examples to create a new blank AD group in AD with no members 44 00:04:32,510 --> 00:04:33,220 in it. 45 00:04:33,330 --> 00:04:41,400 The following command creates a new Active Directory group of type domain local and specified OU. 46 00:04:41,700 --> 00:04:47,760 We'll do that with the New-ADGroup cmdlet. We can give it a name. 47 00:04:47,760 --> 00:04:49,420 We must give it a name. 48 00:04:49,470 --> 00:04:53,400 We have to specify a path to this group. 49 00:04:53,400 --> 00:05:02,740 In my case it will be in the Production OU, in the Groups OU, and the GroupScope parameter should be specified; 50 00:05:02,980 --> 00:05:05,240 in my case it's domain local. 51 00:05:05,370 --> 00:05:08,440 Similarly, to create other group types,
52 00:05:08,440 --> 00:05:16,720 change the parameter GroupScope. The following simple command creates a global group and a universal 53 00:05:16,720 --> 00:05:17,340 group. 54 00:05:17,380 --> 00:05:25,660 The code is the same as in the previous example, but we can change the group scope to global and group 55 00:05:25,660 --> 00:05:27,340 scope universal. 56 00:05:27,340 --> 00:05:34,240 Now some words about searching and modifying group object information. Searching Active Directory for 57 00:05:34,240 --> 00:05:39,700 the presence of a group is similar to searching user assigned groups. 58 00:05:39,810 --> 00:05:47,470 A cmdlet called Get-ADGroup from the Active Directory module can be used to get group 59 00:05:47,560 --> 00:05:49,680 object information. 60 00:05:49,690 --> 00:05:56,660 For example, we can use the following command to get the display name of all groups in Active Directory: 61 00:05:56,710 --> 00:06:06,150 Get-ADGroup, filter asterisk, which means all the groups, and pipe it to select by the name. 62 00:06:06,250 --> 00:06:14,650 As I have mentioned, by specifying an asterisk as an argument to the Filter parameter, we are querying 63 00:06:14,740 --> 00:06:22,360 all groups in Active Directory and then display the value of the Name property using the select statement. 64 00:06:22,690 --> 00:06:25,700 To search for a specific group by name, 65 00:06:25,750 --> 00:06:34,000 we can pass the name of the group to the Filter parameter, as in this example: Get-ADGroup, filter name 66 00:06:34,330 --> 00:06:40,180 is equal to test group one, for example, or some other name of the group. 67 00:06:40,210 --> 00:06:49,180 This command searches Active Directory for groups whose name exactly matches test group one or project 68 00:06:49,180 --> 00:06:56,880 one group or whatever name you are looking for and returns the group object if present.
69 00:06:57,130 --> 00:07:05,050 Otherwise, no output is shown. There is some other parameter that helps in performing the search operation 70 00:07:05,050 --> 00:07:06,970 in Active Directory. 71 00:07:07,060 --> 00:07:17,260 That is the -LDAPFilter parameter. The Filter parameter and the LDAPFilter parameter perform 72 00:07:17,590 --> 00:07:25,420 the same type of search operation, but the syntax in which you pass the values is different. The Filter 73 00:07:25,420 --> 00:07:34,510 parameter takes the PowerShell type of syntax and LDAPFilter takes the LDAP type of syntax. 74 00:07:34,570 --> 00:07:42,160 The example which we have, which we had before, was written using the Filter parameter, which uses the 75 00:07:42,160 --> 00:07:49,990 PowerShell syntax. The same command can be rewritten to use an LDAP filter, as in this command: Get-ADGroup, 76 00:07:49,990 --> 00:07:58,360 LDAPFilter parameter, and the query looks like that: name equals test group one. Based on your 77 00:07:58,360 --> 00:08:06,390 comfort level, you can use either the Filter or the LDAPFilter parameter to perform searches. 78 00:08:06,400 --> 00:08:15,260 This is applicable for other cmdlets such as the Get-ADUser and Get-ADComputer parameters enough. 79 00:08:15,340 --> 00:08:24,040 Another difference to note here is that Filter can take the property names returned by cmdlets 80 00:08:24,370 --> 00:08:26,490 in the Active Directory module. 81 00:08:26,530 --> 00:08:35,590 But the LDAPFilter parameter requires the exact attribute names. In general, using the Filter parameter 82 00:08:35,590 --> 00:08:39,310 to perform search operations is sufficient. 83 00:08:39,310 --> 00:08:47,990 The LDAPFilter parameter can be used to test the existing LDAP filters or the filters used in other 84 00:08:48,010 --> 00:08:53,150 programming languages that query Active Directory using LDAP.
85 00:08:53,350 --> 00:09:02,140 Now that we all know how to search for a single group in Active Directory, let's see how we can perform 86 00:09:02,140 --> 00:09:10,520 a search for multiple groups using the Get-ADGroup cmdlet. Groups that match a particular naming 87 00:09:10,570 --> 00:09:14,270 convention can be queried using the following command: 88 00:09:14,440 --> 00:09:19,770 Get-ADGroup, Filter parameter, and we are looking for name 89 00:09:19,780 --> 00:09:26,500 which is like test, so it should contain this word test in its name. 90 00:09:26,500 --> 00:09:33,520 This command will return all group objects that have the test in their name property. 91 00:09:33,520 --> 00:09:40,510 The Filter parameter can be further customized to be used for various searching needs. 92 00:09:40,510 --> 00:09:48,190 For example, we can extend our previous code to search for groups that contain the string domain in their 93 00:09:48,190 --> 00:09:49,780 name attribute, 94 00:09:49,780 --> 00:09:53,700 like in this command: Get-ADGroup, filter: 95 00:09:53,830 --> 00:10:01,180 name should contain the test string in it or name should contain the domain string in it. 96 00:10:01,390 --> 00:10:08,450 Similarly, if you have a list of groups in a text file and you want to know whether they are present 97 00:10:08,500 --> 00:10:12,220 in Active Directory, you can use the following code. 98 00:10:12,220 --> 00:10:20,170 This is a simple code that reads the group names from a text file located in the directory specified, 99 00:10:20,570 --> 00:10:28,150 loops through each group name in the text file, and checks whether it is present in Active Directory 100 00:10:28,450 --> 00:10:29,440 or not. 101 00:10:29,440 --> 00:10:33,760 Once you have the object information of the group you are looking for,
102 00:10:33,760 --> 00:10:41,320 it is easy to modify the group object information using the Set-ADGroup cmdlet. Group object 103 00:10:41,320 --> 00:10:49,720 information is the display name of the group, description, group type, and so on. Modifying the membership 104 00:10:49,720 --> 00:10:54,430 of groups doesn't fall within the scope of this lesson. 105 00:10:54,470 --> 00:10:59,410 In the next lesson we'll talk in detail about membership modification. 106 00:10:59,410 --> 00:11:08,070 The following commands will help in adding a description to the group objects. The Get-ADGroup cmdlet 107 00:11:08,070 --> 00:11:16,630 will query Active Directory based on the provided filters, and the results are passed to the Set-ADGroup 108 00:11:16,750 --> 00:11:23,270 cmdlet so that it can set the description to a defined string. 109 00:11:23,470 --> 00:11:24,710 So let's review this 110 00:11:24,710 --> 00:11:35,290 command, this code. We are getting the group with the name which is equal to test group and set a new description 111 00:11:35,290 --> 00:11:42,880 to this group with the Set-ADGroup cmdlet and the Description parameter and the description itself, which 112 00:11:42,880 --> 00:11:44,880 should be in quotes. 113 00:11:44,980 --> 00:11:51,910 If you want to update the description for all groups that have test in their name, then you could use 114 00:11:51,910 --> 00:12:00,310 the following command: Get-ADGroup, filter test string, and then pipe it to Set-ADGroup with the 115 00:12:00,310 --> 00:12:06,400 description, with the new Description parameter, which should be specified in quotes again. 116 00:12:06,700 --> 00:12:13,810 Similarly, group scope can be changed using the Set-ADGroup cmdlet as shown in the following 117 00:12:13,810 --> 00:12:14,770 command: 118 00:12:14,770 --> 00:12:21,190 Get-ADGroup, filter name is equal to test group, and Set-ADGroup,
119 00:12:21,310 --> 00:12:25,460 GroupScope and the new group scope which you want to specify, 120 00:12:25,510 --> 00:12:32,370 for example domain local. To see the current scope and the group category of the group, 121 00:12:32,470 --> 00:12:41,590 you can use the following command: Get-ADGroup, Identity test group, and select Name, GroupCategory, and 122 00:12:41,590 --> 00:12:49,680 GroupScope, and you can find this information in the output of this command. 123 00:12:49,690 --> 00:12:58,030 Also, the group type, security or distribution, can be changed by passing the required type to the GroupCategory 124 00:12:58,030 --> 00:13:02,360 parameter for the Set-ADGroup cmdlet. 125 00:13:02,380 --> 00:13:08,470 And here is an example for this: Get-ADGroup, filter, name should look like 126 00:13:08,470 --> 00:13:14,870 test, test string in it, and Set-ADGroup with the new group category, 127 00:13:14,890 --> 00:13:22,130 for example distribution. Groups can be configured as email-enabled security groups, which helps in 128 00:13:22,130 --> 00:13:22,870 both 129 00:13:22,870 --> 00:13:31,600 sending emails and granting security permissions. Since email-enabled security groups require a Microsoft 130 00:13:31,600 --> 00:13:33,280 Exchange installation, 131 00:13:33,280 --> 00:13:38,540 we won't cover it here, but the Microsoft Exchange PowerShell snap-in 132 00:13:38,590 --> 00:13:45,520 has a cmdlet that can configure a security group as a mail-enabled security group.