Active Directory 2008: Group Facts…

A group is used to collect user accounts, computer accounts, and other group accounts into manageable units. Working with groups instead of individual user accounts simplifies network maintenance and administration: members of a group receive all the user rights assigned to the group and all the permissions assigned to the group on any shared resources, so access is granted and revoked by changing membership rather than by editing each resource.

Like user accounts, there are both local and domain groups.

  • Local groups exist only on the local computer (in its SAM database) and control access to local resources.
  • Domain groups exist in Active Directory and can be used to control access to domain resources and, by nesting them in local groups (for example, a domain group placed in a member server's local Administrators group), to local resources as well. In an enterprise environment you will work mainly with domain groups.

Active Directory groups have a group scope. The scope defines the potential group membership and the resource access that can be controlled through the group. The following table lists the different security group scopes and their membership and use.

Group scope: Global
  Membership: members from the same domain only.
  • Users and computers in the same domain.
  • Other global groups in the same domain (native mode only).
  Resource access: global groups can be assigned permissions to resources anywhere in the forest.
  Use: create global groups to organize users and computers in the domain that have similar access needs, typically by role or department (e.g., Sales or Development).

Group scope: Domain Local
  Membership: members from any domain in the forest.
  • Users and computers from any domain in the forest.
  • Global groups from any domain in the forest.
  • Universal groups from any domain in the forest (native mode only).
  • Other domain local groups in the same domain (native mode only).
  Resource access: domain local groups can be assigned permissions only to resources in their own domain.
  Use: create a domain local group for each domain resource (or each access level on a resource) to which you want to control access, assign the permissions on the resource to that group, and then nest the appropriate global groups in it.

Group scope: Universal
  Membership: members from any domain in the forest.
  • Users and computers from any domain in the forest.
  • Global groups from any domain in the forest.
  • Other universal groups from any domain in the forest.
  Resource access: universal groups can be assigned permissions to resources anywhere in the forest.
  Use: universal group membership is replicated to every global catalog server in the forest, so it should be relatively stable. For this reason, add only global or universal groups to universal groups and avoid adding user accounts directly. Security universal groups are available only in native mode.
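The nesting pattern the scopes above are designed for (accounts into a global group, the global group into a domain local group, permissions on the domain local group; often abbreviated AGDLP), as an added PowerShell example that is not part of the original page. It also shows the command-line equivalents of the two membership methods described later on the page (adding several members to one group versus adding one principal to several groups). It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT, or later) and domain-admin rights in a test domain; the domain name CORP, the OU path, the share path, the accounts alice, bob, carol and SALES-PC01$, and the Helpdesk group are placeholders that must already exist or be adjusted.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT or later) and domain-admin rights in a test
# domain. All names below (domain CORP, OU, share path, accounts, Helpdesk group)
# are placeholders to adjust for your environment.
Import-Module ActiveDirectory

$ou        = 'OU=Groups,DC=corp,DC=example'   # assumed OU for new groups
$sharePath = 'D:\Shares\SalesData'            # assumed folder on the file server

# A -> G: accounts go into a Global security group named for the role.
New-ADGroup -Name 'Sales' -SamAccountName 'Sales' -Path $ou `
    -GroupScope Global -GroupCategory Security -Description 'Sales department staff'

# DL: one Domain Local security group per resource and access level.
New-ADGroup -Name 'ACL_SalesData_Modify' -SamAccountName 'ACL_SalesData_Modify' -Path $ou `
    -GroupScope DomainLocal -GroupCategory Security -Description "Modify on $sharePath"

# "Members tab" method: several members into one group in a single call.
# (Computer account names end in $; single quotes keep it literal.)
Add-ADGroupMember -Identity 'Sales' -Members 'alice', 'bob', 'SALES-PC01$'

# G -> DL: nest the role group into the resource group.
Add-ADGroupMember -Identity 'ACL_SalesData_Modify' -Members 'Sales'

# "Member Of tab" method: one principal into several groups at once.
Add-ADPrincipalGroupMembership -Identity 'carol' -MemberOf 'Sales', 'Helpdesk'

# DL -> P: grant the NTFS permission to the Domain Local group, never to users.
# String arguments are converted to the FileSystemAccessRule enum parameters.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'CORP\ACL_SalesData_Modify',        # identity (assumed NetBIOS domain name)
    'Modify',                           # FileSystemRights
    'ContainerInherit, ObjectInherit',  # InheritanceFlags: apply to subfolders and files
    'None',                             # PropagationFlags
    'Allow')                            # AccessControlType
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check the result: expand the nesting to see which accounts now hold Modify.
Get-ADGroupMember -Identity 'ACL_SalesData_Modify' -Recursive |
    Select-Object objectClass, SamAccountName
```

The final Get-ADGroupMember -Recursive call is the check worth keeping in a change procedure: it lists the accounts that actually end up with the permission after nesting, which is what an auditor or reviewer wants to see rather than the group names alone.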

In addition to the group scope, there are two types of groups:

Group type: Security
  A security group can be used to manage rights and permissions.
  • Group members get the rights and permissions that are granted to the group.
  • A security group is an object with a security identifier (SID) that, through its member attribute, collects other objects such as users, computers, contacts, and other groups. The group's SID is added to each member's access token at logon, which is how the group's permissions take effect.

Group type: Distribution
  A distribution group maintains a list of users and is typically used for sending e-mail to all group members. Its SID is not added to members' access tokens, so distribution groups cannot be used for assigning permissions.

Be aware of the following when managing groups:

  • The basic best practices for user and group security are:
    • Create groups based on user access needs.
    • Assign user accounts to the appropriate groups.
    • Assign permissions to each group based on the resource needs of the users in the group and the security needs of your network. Assign permissions to groups rather than to individual user accounts.
  • After creating a group, you may need to convert the group's scope and/or type. Scope and type conversions are available only when the domain is in Windows 2000 native mode or higher.
    • Converting a security group to a distribution group stops the group's SID from being placed in members' access tokens, so every permission assigned to the group stops applying. Depending on whether the affected entries were allow or deny entries, this can either cut off access that users need or allow access that a deny entry was blocking. The entries themselves remain on the resources and take effect again if the group is converted back to a security group.
    • You cannot directly convert a group from global to domain local or from domain local to global. Instead, convert the group to a universal group, apply the change, and then convert it to the desired scope.
    • Nesting restricts which conversions are allowed. If a global group is nested in another global group, the nested global group cannot be converted to a universal group, because a universal group cannot be a member of a global group. Likewise, a domain local group that contains another domain local group cannot be converted to universal, and a universal group that contains another universal group cannot be converted to global.
  • To add or remove members of a group, use one of the following methods:
    • On the group object, edit the Members tab and add the group members. Use this method to efficiently add multiple members to the same group.
    • On the user account, edit the Member Of tab and select the group to which you want to add the user. The Member Of tab displays all groups of which the object is a member. Use this method to efficiently add a single user to multiple groups.

Because a group can be a member of another group, a group object also has a Member Of tab. Adding groups on a group's Member Of tab makes that group a member of the selected groups (it does not add members to the group).

  • When you delete a group, all information about the group, including its SID, is deleted. User accounts, however, are not deleted; they are simply no longer members of the group. Permission entries on resources that referenced the group no longer match any principal and appear only as an unresolved SID, and because a re-created group with the same name receives a new SID, those entries do not start working again by themselves. If you delete a group by mistake, use one of the following strategies to recover it:
    • Re-create the group, add all the original group members, and reassign any permissions that were granted to the group.
    • Restore the group from a recent backup. An authoritative restore of the group object retains the original SID, so existing permission entries continue to apply.
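Two of the procedures above, scope conversion by way of a universal group (with the nesting rules that block it) and the pre-deletion inventory of permissions that a re-created group would lose, as an added PowerShell example that is not part of the original page. It assumes the ActiveDirectory module and a domain at Windows 2000 native functional level or higher; the function names, the group names and the folder path in the usage lines are placeholders.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module
# and a domain functional level of Windows 2000 native or higher (required for
# scope conversion). Function names, group names and paths are placeholders.
Import-Module ActiveDirectory

function Convert-ADGroupScopeViaUniversal {
    # Converts a group between Global and DomainLocal by way of Universal and
    # checks the nesting rule for each step before calling Set-ADGroup:
    #   Global      -> Universal   : group must not be a member of a global group
    #   DomainLocal -> Universal   : group must not contain a domain local group
    #   Universal   -> Global      : group must not contain a universal group
    #   Universal   -> DomainLocal : no restriction
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][ValidateSet('Global', 'DomainLocal', 'Universal')]
        [string]$TargetScope
    )
    $group = Get-ADGroup -Identity $Identity -Properties member, memberOf
    if ($group.GroupScope -eq $TargetScope) { return $group }

    # Groups nested inside this group, and groups this group is nested in.
    $memberGroups = @($group.member | ForEach-Object { Get-ADObject -Identity $_ } |
        Where-Object { $_.ObjectClass -eq 'group' } |
        ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName })
    $parentGroups = @($group.memberOf | ForEach-Object { Get-ADGroup -Identity $_ })

    # Global <-> DomainLocal needs the intermediate Universal step.
    $steps = @()
    if ($group.GroupScope -ne 'Universal' -and $TargetScope -ne 'Universal') { $steps += 'Universal' }
    $steps += $TargetScope

    $current = $group.GroupScope
    foreach ($next in $steps) {
        $blockers = @()
        switch ("$current->$next") {
            'Global->Universal'      { $blockers = @($parentGroups | Where-Object { $_.GroupScope -eq 'Global' }) }
            'DomainLocal->Universal' { $blockers = @($memberGroups | Where-Object { $_.GroupScope -eq 'DomainLocal' }) }
            'Universal->Global'      { $blockers = @($memberGroups | Where-Object { $_.GroupScope -eq 'Universal' }) }
        }
        if ($blockers.Count -gt 0) {
            $names = ($blockers | ForEach-Object { $_.Name }) -join ', '
            throw "Cannot convert '$Identity' from $current to ${next}: blocked by nested group(s) $names. Change that nesting first."
        }
        Set-ADGroup -Identity $group -GroupScope $next
        $current = $next
    }
    Get-ADGroup -Identity $Identity
}

function Find-FileAceForGroup {
    # Lists explicit (non-inherited) NTFS entries under $Path that allow or deny
    # rights to the group, matched on its SID. Run this before deleting a group:
    # a re-created group gets a new SID, so these entries would otherwise remain
    # only as unresolved SIDs and must be re-granted to the replacement group.
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string]$Path
    )
    $sid   = (Get-ADGroup -Identity $Identity).SID
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.IsInherited) { continue }
            try {
                $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            } catch { continue }   # identity that cannot be mapped to a SID
            if ($aceSid -eq $sid) {
                New-Object PSObject -Property @{
                    Path   = $item.FullName
                    Rights = $ace.FileSystemRights
                    Type   = $ace.AccessControlType
                }
            }
        }
    }
}

# Usage (placeholder names):
# Convert-ADGroupScopeViaUniversal -Identity 'Sales' -TargetScope DomainLocal
# Find-FileAceForGroup -Identity 'ACL_SalesData_Modify' -Path 'D:\Shares\SalesData'
```

The conversion function deliberately enumerates the blocking groups and stops before calling Set-ADGroup, because the error Active Directory returns for a disallowed conversion does not say which nested group caused it. The ACE inventory is the list you reapply after re-creating a deleted group; if you restore the group object authoritatively from backup instead, the SID survives and nothing needs to be reapplied.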
