Security groups in Active Directory are used to manage access to resources such as shared folders, printers, applications, VPN access, and administrative tools.
Instead of assigning permissions to each user individually, administrators add users to groups. This makes access easier to manage, audit, and troubleshoot.
This document explains:
- What security groups are
- Why they are used
- Common group types
- How users are added to groups
- How groups support access control
- Basic troubleshooting steps
A security group is a collection of users, computers, or other groups that share access permissions.
Example:
Group Name: SharedDrive-Sales
Members: Sales users
Access: Sales shared folder
Permission: Modify
If a user is added to the SharedDrive-Sales group, they receive access to the Sales shared folder based on that group's permissions.
Security groups help administrators:
- Apply permissions consistently
- Reduce manual access errors
- Support least privilege access
- Improve security auditing
- Make onboarding and offboarding easier
- Troubleshoot access issues faster
| Group Name | Purpose |
|---|---|
| HR-Users | Access to HR resources |
| Sales-Users | Access to Sales systems and folders |
| VPN-Users | Permission to connect to VPN |
| Printer-Floor1 | Access to a specific printer |
| SharedDrive-Finance-ReadOnly | Read-only access to Finance folder |
| SharedDrive-Marketing-Modify | Modify access to Marketing folder |
Active Directory security groups can have different scopes.
Usually used to assign permissions to resources in the same domain.
Example:
DL-Folder-Sales-Modify
Usually used to group users based on role, department, or job function.
Example:
GG-Sales-Users
Used in larger environments with multiple domains.
Example:
UG-All-Company-VPN
A clear naming convention helps support teams understand what a group does.
Example format:
Resource-Department-Permission
Examples:
SharedDrive-Sales-Read
SharedDrive-Sales-Modify
VPN-RemoteUsers
Printer-Accounting
- Open Active Directory Users and Computers.
- Search for the group name.
- Confirm the group description.
- Review the group's purpose before adding users.
Avoid adding users to a group if the purpose is unclear.
- Open the user account in Active Directory.
- Go to the Member Of tab.
- Click Add.
- Enter the group name.
- Click Check Names.
- Click OK.
- Apply the changes.
To verify group membership:
- Open the user account.
- Select Member Of.
- Confirm the required group appears.
- Ask the user to sign out and sign back in, if needed.
- Test access to the resource.
You can also use Command Prompt:
whoami /groupsThis shows the groups applied to the current signed-in user session.
- Open the user account.
- Go to Member Of.
- Select the group.
- Click Remove.
- Confirm the change.
- Document the removal.
Removing group access is important when:
- A user changes departments
- A user no longer needs access
- A user leaves the company
- Access was added temporarily
| Issue | Possible Cause | Resolution |
|---|---|---|
| User cannot access shared folder | Missing group membership | Add user to correct group |
| User was added but access still fails | User has not signed out/in | Ask user to sign out and sign back in |
| User has too much access | User belongs to extra group | Review and remove unnecessary groups |
| Group name is unclear | Poor naming convention | Check group description or ask senior admin |
| Access works for others but not one user | Incorrect user account or permissions | Compare group membership with working user |
- Use groups instead of assigning permissions directly to users.
- Follow the least privilege principle.
- Add descriptions to groups.
- Use clear naming conventions.
- Review group membership regularly.
- Remove access when it is no longer needed.
- Document group changes in tickets.
- Escalate unclear access requests.
Reviewed access request for Jordan Smith.
Added user jsmith to SharedDrive-Sales-Modify and VPN-Users security groups.
Confirmed user signed out and signed back in.
User verified access to Sales shared folder and VPN.
Ticket completed.
- Active Directory group management
- Access control basics
- Permission troubleshooting
- Least privilege security
- User access administration
- Help desk documentation