
Types of Active Directory Groups & Scopes

Purpose of Active Directory Groups

Active Directory groups are sets of Active Directory (AD) objects — such as users, computers, and even other groups. Using AD groups helps simplify IT administration and ensure accurate delegation of rights and dissemination of information. Active Directory has several built-in groups, and organizations create many additional groups.

For example, you can quickly grant a new employee access to the IT resources they need to do their job simply by making them a member of the appropriate AD groups based on their role. If that person later changes roles, you can simply remove them from their old groups and add them to the appropriate new ones.

More broadly, if you ensure that you have the right groups and that each group has the right permissions and membership, you can more easily enforce the principle of least privilege to strengthen security and prove regulatory compliance.

Types of Active Directory Groups

Some groups are created in the local Security Account Manager (SAM) database of an individual computer. These local groups exist only on that machine and are not covered by this document.

Instead, we will focus on domain groups, which are not limited to one machine. There are two types of domain groups in Active Directory:

  • Distribution groups (sometimes called distribution lists) make it easy to send e-mail (via a messaging provider such as Microsoft Exchange) to the set of users who are members of the group.
  • Security groups are used to grant users permissions to shared resources. By making a user a member of a security group, you give them all the permissions assigned to that security group. For example, you might create a group called Human Resources and give it permissions to read and edit all the files in specific folders, as well as the permission to execute certain applications. Any user that is a member of that group will be able to perform those actions.

Note that security groups can also be used as distribution groups in Exchange; these are known as security-enabled distribution groups or mail-enabled security groups. However, distribution groups are designed to be used for e-mail specifically and cannot be used to grant permissions.

Group Scope

Each group in Active Directory has a scope, which determines the types of objects that it can contain and what types of groups it can be a member of. There are three scopes:

Universal scope

  • Can contain: accounts (users and computers), global groups and universal groups from any domain in the same forest.
  • Can be a member of: domain local groups and other universal groups in any domain in the forest or in a trusting forest, but NOT global groups.
  • Can be converted to: a global group, provided it does not contain another universal group as a member; a domain local group without any restrictions.

Global scope

  • Can contain: accounts (users and computers) and global groups from the same domain only (NOT universal groups).
  • Can be a member of: global groups in the same domain; domain local groups or universal groups in any domain in the forest or in any trusting domain.
  • Can be converted to: a universal group, provided it is not a member of another global group.

Domain local scope

  • Can contain: accounts (users and computers), global groups and universal groups from any domain, including trusted domains outside the forest; domain local groups from the same domain only.
  • Can be a member of: domain local groups in the same domain only.
  • Can be converted to: a universal group, provided it has no domain local group as a member.

Universal Groups

Groups with universal scope are used for consolidating groups across domains. The best practices to consolidate groups are as follows:

  1. Add user accounts to groups with global scope
  2. Then nest those groups under a group with universal scope

This way, the membership of the universal group stays stable even as users join and leave the global groups nested inside it. It also limits replication traffic: universal group membership is stored in the global catalog, so every membership change to a universal group is replicated to all global catalog servers in the forest, whereas membership changes to a global group replicate only within its own domain.

For example, you might have a universal group named AllMarketing, which has two global groups, Asia-Marketing and US-Marketing as its members. If a marketing team member is hired or leaves, you need to modify only the membership of the appropriate global group and thereby avoid forest-wide replication.

Global Groups

Global groups are best for the following purposes:

  • AD objects that need similar permissions — Global groups are often created to grant the same permissions to users (members) who have similar job responsibilities, such as all accountants.
  • Managing objects requiring daily maintenance — Global groups are also used to manage user and computer accounts that change frequently, because global group membership is not replicated to the global catalog, so those changes stay within the domain.

Domain Local Groups

Domain local groups are best for managing permissions to domain-specific resources, such as a specific printer. For example, you could create an AD group called US-MarketingPrinter with domain local scope and give it permission to access the printer in the Marketing team’s area. Then you can add multiple global groups to it. This would enable members of those global groups to access the printer.
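The following is an added example, not code from the original article, showing the nesting pattern from the Universal Groups and Domain Local Groups sections above built end to end with the RSAT ActiveDirectory module: accounts go into global groups, the global groups into a universal group, the universal group into a domain local group, and the permission is granted to the domain local group (AGUDLP). The OU, user names, domain NetBIOS name (CORP) and share path are assumptions for illustration, and a file share stands in for the printer in the text.

```powershell
# Added example (not from the original article): AGUDLP nesting with the
# ActiveDirectory module. Run on a domain member with RSAT, as an account
# delegated rights over the target OU. OU, users, 'CORP' and the share path
# are assumptions.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example'      # assumed OU

# A -> G: put accounts into global groups, one per domain or region.
New-ADGroup -Name 'Asia-Marketing' -GroupScope Global -GroupCategory Security -Path $ou
New-ADGroup -Name 'US-Marketing'   -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'US-Marketing' -Members 'jdoe', 'asmith'   # assumed users

# G -> U: nest the global groups in a universal group. Joiners and leavers now
# change only the global group (domain-level replication), not the universal
# group, whose membership is replicated to every global catalog in the forest.
New-ADGroup -Name 'AllMarketing' -GroupScope Universal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'AllMarketing' -Members 'Asia-Marketing', 'US-Marketing'

# U -> DL: the domain local group is the one that is granted access to the resource.
New-ADGroup -Name 'US-MarketingPrinter' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'US-MarketingPrinter' -Members 'AllMarketing'

# DL -> P: put the ACE on the resource for the domain local group, never for users.
$share = '\\fileserver\MarketingPrintQueue'                       # assumed path
$acl   = Get-Acl -Path $share
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
             'CORP\US-MarketingPrinter', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# The scope rules in the table are enforced by the directory itself: a global
# group cannot contain a universal group, so this nesting is rejected.
try {
    Add-ADGroupMember -Identity 'US-Marketing' -Members 'AllMarketing' -ErrorAction Stop
} catch {
    Write-Warning "Rejected as expected: $($_.Exception.Message)"
}

# Confirm the chain from the user's side: every group jdoe belongs to, directly
# or through nesting, using the LDAP_MATCHING_RULE_IN_CHAIN matching rule.
$userDn = (Get-ADUser -Identity 'jdoe').DistinguishedName
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" |
    Select-Object Name, GroupScope
```

The final query should list US-Marketing (Global), AllMarketing (Universal) and US-MarketingPrinter (DomainLocal) for the user, which is exactly the chain a Kerberos ticket will carry; if a group is missing from that output, the permission on the resource will not apply.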

Built-in Active Directory Security Groups

A number of Active Directory security groups are created automatically when Active Directory Domain Services is installed in a domain. Here are some of the most important ones to know about:

Administrators

This group has control over all domain controllers (DCs) and can modify the membership of other powerful built-in groups, including Domain Admins, Enterprise Admins and Schema Admins.

Backup Operators

Members of this group can back up and restore files on computers, including domain controllers, regardless of the permissions set on those files, because the group holds the Back up files and directories and Restore files and directories user rights. Backup Operators cannot modify server settings or change directory configuration, but they can replace files, including operating system files on DCs, and a member who can back up a DC can copy the Active Directory database (NTDS.dit) together with the SYSTEM registry hive and extract every password hash in the domain from them. Treat membership of this group as equivalent to Domain Admins.

Remote Desktop Users

Members of this group can start a Remote Desktop session to computers on which the group has been granted the Allow log on through Remote Desktop Services user right, such as an RD Session Host server.

Domain Admins

This group is a member of the domain’s Administrators group and therefore inherits all of that group’s capabilities. By default, it’s also assigned to the local Administrators group of each domain member computer, giving Domain Admins full control over all domain computers.

Enterprise Admins

This group exists only in the forest root domain, but it is a member of the Administrators group in every domain in the forest and therefore has full control over all domain controllers and all domains. It also has full control of the forest-wide configuration partition, which is what allows it to add or remove domains, sites and forest trusts.

Schema Admins

This group exists only in the forest root domain and is the only group allowed to modify the Active Directory schema. Schema changes are forest-wide and cannot be undone (attributes and classes can be deactivated but never deleted), so the group should normally be empty, with a member added only for the duration of a planned schema extension.

Because these built-in AD security groups are so powerful, it is vital to rigorously limit their membership and monitor them closely for unauthorized changes.
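One way to do the monitoring the paragraph above calls for, as an added example that is not part of the original article: enumerate the effective (nested) membership of the built-in privileged groups and flag every account that is not on an approved list. It needs the RSAT ActiveDirectory module and a domain-joined host; the approved-account list is an assumption to be replaced with your own break-glass and admin accounts.

```powershell
# Added example (not from the original article): report the effective
# membership of the privileged built-in groups discussed above and flag
# accounts not on the approved list. The approved list is an assumption.
Import-Module ActiveDirectory

$privilegedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins',
                    'Schema Admins', 'Backup Operators'

# Assumed allow-list (sAMAccountNames) of accounts that should hold these rights.
$approved = @('Administrator', 'ba-jdoe')

function Get-TransitiveMembers {
    param([Parameter(Mandatory)][string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership on the server and,
    # unlike Get-ADGroupMember -Recursive, does not fail on foreign security
    # principals from trusted domains or on the 5000-member result limit.
    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" `
                 -Properties sAMAccountName, objectClass, whenCreated |
        Where-Object { $_.objectClass -ne 'group' }   # keep principals, drop the nested groups themselves
}

$report = foreach ($g in $privilegedGroups) {
    try {
        $members = Get-TransitiveMembers -GroupName $g
    } catch {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        Write-Warning "Skipping '$g': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            Group       = $g
            Member      = $m.sAMAccountName        # empty for foreign security principals
            ObjectClass = $m.objectClass
            DN          = $m.DistinguishedName
            Approved    = $approved -contains $m.sAMAccountName
        }
    }
}

$report | Sort-Object Group, Member | Format-Table Group, Member, ObjectClass, Approved -AutoSize

# Anything not approved is an exception to investigate; an empty file is the goal.
$report | Where-Object { -not $_.Approved } |
    Export-Csv -Path .\privileged-group-exceptions.csv -NoTypeInformation
```

Run it on a schedule and diff the CSV against the previous run: a new row is either a documented change or an incident. Entries with an empty Member column are foreign security principals from a trusted domain, which deserve particular scrutiny because the trusting domain has no visibility into how that external account is protected.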

Best Practices for Active Directory Group Management

As we have seen, Active Directory groups provide access to critical IT resources and information. Therefore, effectively managing them is vital to security. Here are seven key best practices to adopt:

  • Know what groups you have.
  • Use standards.
  • Establish group ownership.
  • Control changes to groups.
  • Require regular attestation by group owners.
  • Automate group management tasks.
  • Delete groups that are no longer needed.

#1: Know what groups you have.

The first step in managing your Active Directory groups is to get an accurate inventory. Be sure to flag any groups that:

  • Have no members
  • Have no owner
  • Have no recent changes
  • Appear to be duplicates (via either name or membership)
  • Are nested within other groups

Collecting this information and keeping it up to date using manual methods or even PowerShell is tedious and error-prone. Consider investing in a solution like Netwrix GroupID, which automates the work.
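As an added example that is not part of the original article, here is what the inventory step above looks like in PowerShell: every group is pulled once with the attributes the five checks need, and each group is tagged with the flags that apply. The staleness threshold is an assumption; whenChanged is not a replicated attribute, so run the query against the same domain controller each time for consistent results.

```powershell
# Added example (not from the original article): inventory all domain groups
# and flag the conditions listed above. The 365-day threshold is an assumption.
Import-Module ActiveDirectory

$staleDays = 365
$cutoff    = (Get-Date).AddDays(-$staleDays)

# member, memberOf, managedBy and description are not returned by default.
# whenChanged is per-DC (not replicated), so always query the same DC.
$groups = Get-ADGroup -Filter * -Server (Get-ADDomainController).HostName `
              -Properties member, memberOf, managedBy, whenChanged, description

# Fingerprint each non-empty membership list to find groups with identical members.
$byMembership = @{}
foreach ($g in $groups) {
    if ($g.member.Count -gt 0) {
        $key = ($g.member | Sort-Object) -join ';'
        $byMembership[$key] += @($g.Name)
    }
}

# Normalise names (case, punctuation) to find near-duplicate names such as
# "HR-Staff" and "hr_staff".
$dupNames = $groups |
    Group-Object { $_.Name.ToLower() -replace '[^a-z0-9]', '' } |
    Where-Object Count -gt 1 |
    ForEach-Object { $_.Group.Name }

$inventory = foreach ($g in $groups) {
    $flags = @()
    if ($g.member.Count -eq 0)        { $flags += 'NoMembers' }
    if (-not $g.managedBy)            { $flags += 'NoOwner' }
    if ($g.whenChanged -lt $cutoff)   { $flags += "NoChangeIn${staleDays}Days" }
    if ($dupNames -contains $g.Name)  { $flags += 'DuplicateName' }
    if ($g.member.Count -gt 0) {
        $key = ($g.member | Sort-Object) -join ';'
        if ($byMembership[$key].Count -gt 1) { $flags += 'DuplicateMembership' }
    }
    if ($g.memberOf.Count -gt 0)      { $flags += 'NestedInOtherGroup' }
    if (-not $g.description)          { $flags += 'NoDescription' }

    [pscustomobject]@{
        Name        = $g.Name
        Scope       = $g.GroupScope
        Category    = $g.GroupCategory
        Members     = $g.member.Count
        Owner       = $g.managedBy
        LastChanged = $g.whenChanged
        Flags       = $flags -join ','
    }
}

$inventory | Where-Object Flags | Sort-Object Name | Format-Table -AutoSize
$inventory | Export-Csv -Path .\ad-group-inventory.csv -NoTypeInformation
```

The DuplicateMembership flag is the one that most often reveals groups created by different teams for the same purpose; the NoOwner flag (an empty managedBy attribute) tells you who you cannot ask about them, which is the problem the next best practice addresses.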

#2: Use standards.

You’ll probably discover a few groups with cryptic names, and it may take some work to figure out why they were created and whether they are still needed. To avoid this problem in the future, establish standards for naming groups. In addition, create standards around the following:

Group scope

Be sure everyone who can create or modify groups understands how scope impacts replication, members, and membership within other groups.

Group type

Security and distribution groups are designed to serve very different purposes but can overlap in functionality (as in the case of a mail-enabled security group). Be clear about whether and how you assign group type.

Group description and notes

Be sure every group has a good description and notes about its purpose.

Object placement

Just as you use folder structures in a file system to help you quickly identify what a folder contains, take advantage of organizational units in the directory for both documentation and delegation purposes.

Use of nesting

Use group nesting properly and consistently.

#3: Establish group ownership.

The owner of a group should be the person who is best positioned to determine what permissions the group should have, who should be a member of the group and whether the group is still needed. In most cases, that is not the IT team, but a business user such as a manager, department head or project leader. Ideally, groups should have multiple owners.

#4: Control changes to groups.

In many organizations, users can get themselves added to an Active Directory group simply by submitting a helpdesk ticket. It’s often the case that these requests just ‘happen’, leaving you with little or no accountability. To establish accountability, you should, at a minimum, track all changes made to groups, including changes to group attributes, permissions, membership and nesting, as well as to deletion of the group. Netwrix GroupID can track all changes and even makes it easy for users to add a comment about the justification for the change.
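Where a dedicated tool is not in place, the tracking described above can be started from the audit trail the domain controllers already produce. The following added example, not from the original article, reads group creation, deletion, modification and membership events from a DC's Security log and turns them into a change record. It requires the Audit Security Group Management subcategory to be enabled on domain controllers (via the Default Domain Controllers Policy); the DC name and the 24-hour lookback window are assumptions.

```powershell
# Added example (not from the original article): collect security group
# lifecycle and membership events from a domain controller's Security log.
# Needs "Audit Security Group Management" enabled on DCs. $dc is an assumption.
$dc    = 'DC01'
$since = (Get-Date).AddHours(-24)

# Security Group Management event IDs, by group scope:
#                  global  domain local  universal
#   group created   4727      4731         4754
#   member added    4728      4732         4756
#   member removed  4729      4733         4757
#   group deleted   4730      4734         4758
#   group changed   4737      4735         4755
$ids = 4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4754,4755,4756,4757,4758

$events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = $since
}

$changes = foreach ($e in $events) {
    # EventData is a list of <Data Name="..."> elements; index them by name.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Action    = switch ($e.Id) {
            { $_ -in 4727,4731,4754 } { 'GroupCreated' }
            { $_ -in 4728,4732,4756 } { 'MemberAdded' }
            { $_ -in 4729,4733,4757 } { 'MemberRemoved' }
            { $_ -in 4730,4734,4758 } { 'GroupDeleted' }
            default                   { 'GroupChanged' }
        }
        Group     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Member    = $d['MemberName']      # DN of the account; empty for non-membership events
        ChangedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
    }
}

# Changes to the privileged built-in groups go to the top of the list.
$tier0 = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Backup Operators'
$changes |
    Where-Object { $tier0 -contains ($_.Group -split '\\')[-1] } |
    Sort-Object Time | Format-Table Time, Action, Group, Member, ChangedBy -AutoSize

$changes | Export-Csv -Path .\group-changes.csv -NoTypeInformation
```

Two caveats a practitioner should keep in mind: events are written on the DC that processed the change, so collect from every DC (or from a central log collector) rather than one; and the Security log rolls over, so export or forward these events before they are overwritten if they are to serve as an accountability record.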

Even better, establish a workflow to ensure that sensitive groups are modified only after approval by the group owner or another authorized person.

With Netwrix GroupID, you can easily categorize your groups to control whether and how changes can be made. Options include:

  • Private — Closed membership
  • Semi-private — Users can send join and leave requests to group owners
  • Public — Open to all users

#5: Require regular attestation by group owners.

Even if you have implemented change control for your groups, you should periodically require group attestation, in which group owners review the group’s attributes, membership, and permissions to make any necessary corrections.

The owner should also attest to the need for the group’s continued existence. For example, you might have created a group to provide access to a CRM application. If you move to a cloud-based CRM system, you no longer need that group, but without a regular review process, it is likely to remain in your directory for years to come.

#6: Automate group management tasks.

When IT and helpdesk teams have to manually manage groups and group membership, human errors are inevitable, which puts your organization at increased risk of security breaches and business disruptions. To reduce this risk, automate group-related processes as much as possible, from group creation to membership changes to attestation and eventual deletion.

#7: Delete groups that are no longer needed.

Require group owners to regularly attest that their groups are still needed or can be deleted. While you can implement this best practice using manual methods, a better approach is to assign every group an expiration date so that it is deleted automatically unless its owner revalidates it through your attestation process. Netwrix GroupID makes this process easy.

Conclusion

Security and distribution groups are powerful tools for quickly and accurately granting access to IT resources and distributing information by e-mail. By following the best practices detailed in this article and investing in a software solution like Netwrix GroupID, you can manage your groups efficiently and effectively.

Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put Netwrix GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.