WEBVTT

00:00.570 --> 00:07.530
In the following lessons we'll talk about working with Active Directory groups and memberships. In the previous

00:07.530 --> 00:14.040
lessons you've learnt about managing user and computer objects using PowerShell.

00:14.040 --> 00:19.510
Now let's discuss how to manage Active Directory groups and their memberships.

00:19.530 --> 00:23.910
We'll see how to perform the following operations in Active Directory

00:23.940 --> 00:25.190
using PowerShell

00:25.200 --> 00:26.680
cmdlets:

00:26.850 --> 00:36.330
how to create local, global and universal security groups; searching and modifying group object information;

00:36.610 --> 00:45.210
adding group members, user and computer accounts, to the security groups; and how to list members

00:45.480 --> 00:51.770
of a security group in Active Directory; removing user or computer accounts from groups;

00:51.890 --> 00:59.280
removing a group from groups; and how to delete and remove AD groups. To start with,

00:59.280 --> 01:06.230
let's recall some basic concepts about Active Directory groups and their memberships.

01:06.240 --> 01:14.220
What is a group? A group is a collection of different Active Directory objects such as user accounts, computer

01:14.220 --> 01:22.110
accounts and group accounts. Active Directory groups are basically categorized into two types:

01:22.110 --> 01:30.220
security groups and distribution lists, or groups (the abbreviation for it is DL),

01:30.310 --> 01:38.100
respectively. A security group can be used to grant permissions to various resources in a network, such

01:38.100 --> 01:45.000
as granting permissions to shares, NTFS permissions, or New Technology

01:45.000 --> 01:51.320
File System permissions, printer permissions and many more similar activities.

01:51.450 --> 01:58.950
Distribution lists are email-enabled groups on which information can be shared

01:58.950 --> 02:09.840
via email to a group of people simultaneously. Security groups can be mail-enabled and used as distribution

02:09.840 --> 02:12.060
lists and vice versa.

02:12.210 --> 02:20.130
Both of these groups are further characterized by a scope that identifies the extent to which the group

02:20.130 --> 02:21.040
is applied

02:21.060 --> 02:23.460
in a domain tree or forest.

02:23.460 --> 02:31.350
This means that the scope of a group determines whether it can have members from the same domain, different

02:31.350 --> 02:34.140
domains or different forests.

02:34.140 --> 02:41.380
There are three types of scope available in Active Directory that apply to both of these groups.

02:41.400 --> 02:47.240
These are universal, global and domain local groups.

02:47.240 --> 02:48.590
So those are the scopes.

02:48.600 --> 02:57.010
Please consider that, because distribution groups are used for email and, most importantly, for Microsoft

02:57.030 --> 02:58.820
Exchange applications,

02:58.890 --> 03:02.130
we won't discuss them so much.

03:02.290 --> 03:11.070
We will limit our discussion to security groups in these lessons. And as you may know, in a Windows environment

03:11.160 --> 03:18.080
Active Directory security groups play an important role. Using groups to delegate,

03:18.090 --> 03:27.210
grant permissions is more scalable compared to granting permissions to an individual user or computer

03:27.210 --> 03:28.080
account.

03:28.080 --> 03:36.090
That's why it is very important for a Windows system administrator to understand how to automate, to

03:36.090 --> 03:43.520
its maximum extent, the usage of the groups, security groups, in a Windows environment.

03:43.530 --> 03:47.900
So let's start with creating different types of security groups.

03:47.970 --> 03:54.360
As I've mentioned, there are different types of security groups available in Active Directory, such as

03:54.360 --> 03:57.320
global, domain local and universal.

03:57.420 --> 04:04.740
To create a new group in Active Directory, the New-ADGroup cmdlet can be used.

04:04.740 --> 04:07.620
This cmdlet accepts three parameters.

04:07.620 --> 04:09.620
These are the name of the group,

04:09.630 --> 04:19.530
the organizational unit path in AD, and the group scope, such as domain local, global or universal. Name and

04:19.620 --> 04:23.070
group scope need to be provided mandatorily.

04:23.220 --> 04:32.540
So let's review some simple command line examples to create a new blank AD group in AD with no members

04:32.540 --> 04:33.310
in it.

04:33.310 --> 04:40.770
The following command creates a new Active Directory group of type domain local in the specified

04:40.810 --> 04:45.010
OU. We'll do that with the New-ADGroup

04:45.080 --> 04:47.770
cmdlet. We can give it a name.

04:47.790 --> 04:49.430
We must give it a name.

04:49.470 --> 04:53.400
We have to specify the path to this group.

04:53.400 --> 04:59.720
In my case it will be in the production OU, in the groups OU. And the GroupScope

04:59.820 --> 05:02.850
parameter should be specified.

05:03.000 --> 05:05.400
In my case it's Domain Local.

05:05.400 --> 05:14.130
Similarly, to create other group types, change the GroupScope parameter. The following sample command creates a

05:14.130 --> 05:17.400
global group and a universal group.

05:17.430 --> 05:25.650
The goal is the same as in the previous example, but we can change the group scope to global and group

05:25.650 --> 05:27.320
scope universal.

05:27.360 --> 05:34.260
Now some words about searching and modifying group object information. Searching Active Directory for

05:34.260 --> 05:42.930
the presence of a group is similar to searching users and groups. A cmdlet called Get-ADGroup

05:42.930 --> 05:49.700
from the Active Directory module can be used to get group object information.

05:49.710 --> 05:57.120
For example, we can use the following command to get the display name of all groups in Active Directory:

05:57.210 --> 06:06.040
Get-ADGroup, Filter asterisk read me, which means all the groups, and pipe it to a select by the name.

06:06.240 --> 06:15.540
As I've mentioned, by specifying an asterisk as an argument to the Filter parameter, we're querying all groups in

06:15.540 --> 06:19.830
Active Directory and then displaying the value of the name property

06:19.980 --> 06:25.710
using the select statement. To search for a specific group by name,

06:25.770 --> 06:30.180
we can pass the name of the group to the Filter parameter.

06:30.300 --> 06:39.270
In this example: Get-ADGroup, Filter name is equal to test group one, for example, or some other name

06:39.270 --> 06:40.160
of the group.

06:40.210 --> 06:49.200
This command searches Active Directory for groups whose name exactly matches test group one or project

06:49.200 --> 06:57.870
one group, or whatever name you are looking for, and returns the group object if present; otherwise

06:57.900 --> 06:59.750
no output is.

06:59.850 --> 07:07.410
There is another parameter that helps in performing the search operation in Active Directory, that

07:07.410 --> 07:08.360
is, the

07:08.400 --> 07:17.730
LDAPFilter parameter. The Filter parameter and the LDAPFilter parameter perform the

07:17.730 --> 07:24.610
same type of search operation, but the syntax in which you pass values is different.

07:24.810 --> 07:33.330
The Filter parameter takes the PowerShell type of syntax and LDAPFilter takes the LDAP type

07:33.330 --> 07:34.410
of syntax.

07:34.520 --> 07:42.530
The example which we had before was written using the Filter parameter, which uses the

07:42.550 --> 07:51.100
PowerShell syntax. The same command can be rewritten using LDAPFilter, as this command: Get-ADGroup,

07:51.270 --> 07:59.600
LDAPFilter parameter, and the query looks like this: name equals test group 1. Based on your comfort level,

07:59.610 --> 08:06.380
you can use either the Filter or LDAPFilter parameter to perform searches.

08:06.390 --> 08:14.860
This is applicable for other cmdlets, such as Get-ADUser and Get-ADComputer parameters.

08:14.960 --> 08:23.430
And another difference to note here is that Filter can take the property names returned by cmdlets

08:23.430 --> 08:27.040
in the Active Directory module,

08:27.150 --> 08:35.610
but the LDAPFilter parameter requires the exact attribute names. In general, use of the Filter parameter

08:35.610 --> 08:39.310
to perform search operations is sufficient.

08:39.560 --> 08:48.720
The LDAPFilter parameter can be used to test the existing LDAP filters or the filters used in other programming

08:48.720 --> 08:53.290
languages that query Active Directory using LDAP.

08:53.340 --> 08:59.650
Now that we all know how to search for a single group in Active Directory,

08:59.850 --> 09:04.510
let's see how we can perform a search for multiple groups.

09:04.530 --> 09:12.300
Using the Get-ADGroup cmdlet, groups that match a particular naming convention can be queried

09:12.300 --> 09:20.640
using the following command: Get-ADGroup, Filter parameter, and looking for a name which is like

09:20.880 --> 09:21.790
a test.

09:21.900 --> 09:26.520
So it should contain this word test in its name.

09:26.520 --> 09:33.500
This command will return all group objects that have the string test in the Name property.

09:33.510 --> 09:40.520
The Filter parameter can be further customized to be used for various search needs.

09:40.530 --> 09:47.860
For example, we can extend our previous code to search for groups that contain the string domain in

09:47.860 --> 09:49.660
the name attribute.

09:49.670 --> 09:57.530
All I can do is the command Get-ADGroup, Filter: name should contain a test string in it,

09:57.660 --> 10:00.720
or name should contain domain string.

10:00.780 --> 10:08.440
And similarly, if you have a list of groups in a text file and you want to know whether they are present

10:08.500 --> 10:12.190
in Active Directory you can use the following code.

10:12.190 --> 10:20.190
This is a simple code that reads the group names from a text file located in the directory specified,

10:20.380 --> 10:28.210
loops through each group name in the text file and checks whether it is present in Active Directory

10:28.450 --> 10:29.400
or not.

10:29.410 --> 10:35.860
Once you have the object information of the group you're looking for, it is easy to modify the group

10:35.860 --> 10:43.150
object information using the Set-ADGroup cmdlet. Group object information is the display

10:43.150 --> 10:51.580
name of the group, description, group type and so on. Modifying the membership of groups doesn't fall

10:51.580 --> 10:59.110
within the scope of this lesson, and the next lesson will talk in detail about membership modification.

10:59.730 --> 11:09.220
This command will help in adding a description to the group objects. The Get-ADGroup cmdlet will query

11:09.280 --> 11:18.130
Active Directory based on the provided filters, and the results are passed to the Set-ADGroup cmdlet

11:18.370 --> 11:23.470
so that it can set the description to a defined string.

11:23.470 --> 11:26.390
So let's review this command, this code.

11:26.560 --> 11:36.190
We are getting the group with the name which is equal to test group and setting a new description to this group

11:36.380 --> 11:43.990
with the Set-ADGroup cmdlet and Description parameter, and the description itself, which should be in

11:43.990 --> 11:51.000
quotes. If you want to update the description for all groups that have test in their name,

11:51.130 --> 11:53.420
then you could use the following command:

11:53.540 --> 12:01.560
Get-ADGroup, Filter test string in, and pipe it to Set-ADGroup with the description, with a new

12:01.630 --> 12:06.700
Description parameter, which should be specified in quotes again.

12:06.700 --> 12:09.670
Similarly, group scope can be changed

12:09.670 --> 12:14.640
using the Set-ADGroup cmdlet, as shown in the following command:

12:14.770 --> 12:21.570
Get-ADGroup, Filter name is equal to test group, and Set-ADGroup,

12:21.740 --> 12:29.350
GroupScope and the new group scope which you want to specify, for example domain local. To see the current scope

12:29.440 --> 12:32.400
and the group category of the group,

12:32.470 --> 12:41.590
you can use the following command: Get-ADGroup, Identity test group, and select name, group category and

12:41.620 --> 12:49.640
group scope, and you can find this information in the output of this command.

12:49.690 --> 12:58.060
Also, the group type, security or distribution, can be changed by passing the required type to the

12:58.060 --> 13:02.220
GroupCategory parameter for the Set-ADGroup cmdlet.

13:02.380 --> 13:04.680
And here is an example for this.

13:04.730 --> 13:08.520
Get-ADGroup, Filter name should look like

13:08.530 --> 13:14.900
test, test string in it, and Set-ADGroup with new group category,

13:14.920 --> 13:22.310
for example distribution. Groups can be configured as email-enabled security groups, which helps in

13:22.300 --> 13:31.580
both sending emails and granting security permissions. Since email-enabled security groups require Microsoft

13:31.600 --> 13:33.120
Exchange installation,

13:33.280 --> 13:41.650
we won't cover it here, but the Microsoft Exchange PowerShell snap-in has a cmdlet that can configure

13:41.650 --> 13:45.530
a security group as a mail-enabled security group.
