Rename AD Group & Change Names of Active Directory Groups
Any admin who wants to rename the AD group may think a lot about where to start. Groups govern many important aspects of an Active Directory, such as policy assignment. Moreover, they can act as a miniature organizational unit, so a Group name change is quite a significant event.
So we have made a thorough list of methods that can be used to update the group name in the Active Directory. Use the one that suits you best, but before that, take a look at the possible reasons for the change.
Why Change the Group Name in the Active Directory?
Reasons why groups may be renamed are as follows:
- The group name is incorrect or misspelled.
- You found empty groups in AD and want to rename them for easier filtration.
- The original intent of the Group name is no longer valid.
- An AD Group membership report shows that the group's name does not match the policy it is designed to work with, e.g., marketing team members are placed under the HR group.
- Renaming a group also boosts AD security as it helps admins whenever they want to export inactive users from the Active Directory environment.
In such scenarios, if the number of underlying elements is large, then instead of commissioning a large internal migration, admins can simply rename the group to match its new intent.
Note: A change in group name does not affect the policy prescribed to it, because resource access and policy are governed by the SID, which is immutable.
Rename AD Group Using the Users and Computers Portal
- Step 1. Select the Group to highlight it.
- Step 2. Wait for a second and then click again. It makes the name editable.
- Step 3. Press backspace/delete to clear the existing name.
- Step 4. Type in the new name and press enter (or click on any blank space on the ADUC portal).
- Step 5. A Rename Group pop-up will appear. Verify the new name you are about to put in.
- Step 6. You can also change the pre-Windows 2000 name.
- Step 7. Once done, press OK.
A second method from within the ADUC is also available:
- Step 1. Open the View tab and enable the Advanced Features option.
- Step 2. Then double-click a group.
- Step 3. This will open the Group Properties window.
- Step 4. Go to the Attribute Editor tab.
- Step 5. There you will find the list of all attributes. Select the naming attributes you wish to update.
- Step 6. Type in new values, hit Apply, and OK.
Group Name Change in the Active Directory from the Admin Center
The Admin Center is useful for more than finding what OU a user is in; it can also rename groups.
- Step 1. Open ADAC
- Step 2. Toggle the Global Search
- Step 3. Change the search settings to LDAP and paste this:
(&(objectClass=group))
- Step 4. Press Apply
Select any group and open Properties; from there, you can rename the group easily.
Use PowerShell to Rename an AD Group
You can use the Set-ADGroup cmdlet to modify attributes like sAMAccountName, displayName, or description. For renaming the group, use Rename-ADObject.
Set-ADGroup -Identity "GroupName" -sAMAccountName "NewSAMAccountName" -DisplayName "New Display Name" -Description "Updated Description"
Rename AD group (change cn):
Rename-ADObject -Identity "CN=OldGroupName,OU=Groups,DC=yourdomain,DC=com" -NewName "NewGroupName"
Explanation:
Set-ADGroup -Identity: Modify group attributes like sAMAccountName, displayName, and description.
Rename-ADObject: Renames the group (cn) while keeping the distinguished name (DN) intact.
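The two cmdlets above, wrapped in a single-group rename that verifies its own result. This is an added example, not code from the original article: the function name Rename-AdGroupVerified is hypothetical, the DN and names are placeholders, and the 64-character limit is the one stated in this article's FAQ.

```powershell
# Added example: hypothetical helper, not part of the original article.
Import-Module ActiveDirectory

function Rename-AdGroupVerified {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Identity,   # DN, GUID, SID or sAMAccountName
        [Parameter(Mandatory)] [string] $NewName,    # new CN
        [string] $NewSamAccountName = $NewName       # assumption: keep both names aligned
    )

    # Name rules as stated in this article's FAQ: not blank, at most 64 characters.
    $NewName = $NewName.Trim()
    if (-not $NewName -or $NewName.Length -gt 64) {
        throw "New name must be 1-64 characters after trimming."
    }

    # Read and write on one domain controller so the check is not fooled by replication lag.
    $dc     = (Get-ADDomain).PDCEmulator
    $before = Get-ADGroup -Identity $Identity -Server $dc
    $id     = $before.ObjectGUID.ToString()   # the GUID identifies the object whatever it is called

    if (-not $PSCmdlet.ShouldProcess($before.DistinguishedName, "Rename to '$NewName'")) { return }

    Rename-ADObject -Identity $id -NewName $NewName -Server $dc
    Set-ADGroup -Identity $id -SamAccountName $NewSamAccountName -Server $dc

    $after = Get-ADGroup -Identity $id -Server $dc

    # The SID must be unchanged: ACLs and policy filtering reference it, not the name.
    if ($after.SID.Value -ne $before.SID.Value) { throw "SID changed: not the same object." }
    if ($after.Name -ne $NewName -or $after.SamAccountName -ne $NewSamAccountName) {
        throw "Rename did not apply: Name='$($after.Name)' sAM='$($after.SamAccountName)'"
    }

    # Before/after record to keep with the change ticket.
    [pscustomobject]@{
        SID     = $after.SID.Value
        OldName = $before.Name
        NewName = $after.Name
        OldSam  = $before.SamAccountName
        NewSam  = $after.SamAccountName
        NewDN   = $after.DistinguishedName
    }
}

# Placeholder DN and names; -WhatIf shows the change without making it.
Rename-AdGroupVerified -Identity "CN=OldGroupName,OU=Groups,DC=yourdomain,DC=com" -NewName "NewGroupName" -WhatIf
```

Drop -WhatIf to apply the change; the returned object is the evidence that the same SID now carries the new name.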
Changing Group Attributes via Command Line (CMD)
If you don't want to use PowerShell for renaming an Active Directory Group, you can use command-line tools instead. More specifically, you can use dsmod to modify the sAMAccountName and description. Unfortunately, dsmod cannot change the CN directly (so you must rename the CN of AD groups through PowerShell).
dsmod group "CN=GroupName,OU=Groups,DC=yourdomain,DC=com" -samid NewSAMAccountName -desc "New Description"
Explanation:
dsmod group: Modifies the group’s attributes, here the sAMAccountName (-samid) and the description (-desc). It has no -display switch for groups, so set displayName with Set-ADGroup.
Admins can set a sandbox group and limit resource access via GCP.
A bulk renaming is not recommended, as you may end up changing something that wasn’t required.
Best Practices While Renaming Groups in AD
There is not much to take into consideration, except that admins require external verification to ensure that the name change was successful. So, for that, look no further than SysTools AD Reporting Tool, the ultimate solution for administrators.
Key Benefits:
- Easily view and extract the number of groups in your AD
- No complex scripts required
- Customizable reporting to meet your organization’s needs
- Access to group creation date, Distribution, and Security groups
Flexible Reporting Options allow you to categorize reports based on your organization’s requirements.
Conclusion
This post gave users plenty of ways to rename AD groups easily. So now the administrators do not have to worry about changing the name of a group in the Active Directory or shifting all elements to a new group. The admins can use PowerShell to rename AD groups or the command line to adjust the sAMAccountName. For GUI methods, we have the Active Directory Users and Computers portal and the administrative center. Moreover, any changes that admins make can be verified with the help of an automated reporting tool, as outlined in the best practices.
Frequently Asked Questions When Admins Change the Name of an AD Group
Q. Is there a cool-down period between two successive Active Directory group name change attempts?
AD has no limits on how often you can change an object name. Admins may be able to put in some restrictions via group policy, but that’s it.
Q. What is the maximum number of times I can rename the Active Directory group?
There is no limit, but multiple name change operations in a short period can cause your AD to malfunction. The biggest problem is that if you operate a multi-domain structure, the new name update must reach every AD; too many requests can overwhelm the replication bridge.
Another problem stems from a user’s point of view. If the AD name change is abrupt and has a high frequency without prior warning, you may see internal IT complaints rise from users looking for answers.
Q. Can I keep an AD group name empty?
You cannot have a blank name. AD will automatically remove any leading/trailing spaces.
Q. Why don’t I see the complete Active Directory group name after renaming?
You can have spaces between two words; just note that if you put more than one space, the name will appear in a truncated format. So you will only see the first character followed by 3 dots (…).
Q. What characters are allowed in an Active Directory Group name?
Every special character present on the default US keyboard can be put in the name. However, the pre-2000 name column won’t allow any special characters other than the underscore. You can change the pre-2000 name, remove it entirely, or replace the special character with the underscore ( _ ).
Q. Is there a size limit on the AD group name?
Yes, the number of characters in the name cannot exceed 64. This limit is on the count itself and applies regardless of size. Therefore, you can have no more than 64 characters, whether it is a wide capital “W” or a thin small “i”.