What are Active Directory Groups?
Active Directory groups are methods for collecting users, contacts, computers, and even other groups’ objects within Active Directory so that you can manage the objects in the group as a single unit.
Objects in Active Directory Groups
Objects that belong to a particular group are referred to as group members. Using groups can simplify the permission administration by assigning a set of permissions to a security group once, rather than assigning permissions and rights to each group member individually.
Active Directory has several built-in groups to which you can assign users or computers so that they have the permissions they need to do their jobs. You can also create your own groups and give them various levels of access and permissions. Active Directory lets administrators manage all objects and services from one central location rather than going from computer to computer. Many other programs can also tie into Active Directory to manage user accounts and other objects.
Table Of Contents
- Uses of Active Directory Groups
- Types of Active Directory Groups
- Universal vs Global vs Domain Local Groups
- Uses of Universal Groups
- Uses of Global Groups
- Uses of Domain Local Groups
- Change of Group Scope in Active Directory
- Conditions to Change Group Scopes in Active Directory
- Built-in Active Directory Security Groups
- Uses Of Built-in/Default Active Directory Groups
- Changing Permissions On Built-in Administrator Groups
Uses of Active Directory Groups
To simplify administration by assigning share (resource) permissions to groups rather than to individual users in Active Directory. When you assign a permission to a group, all of its members get the same access to the resource.
To delegate control by assigning user rights to a group, for example through Group Policy. Members added to the group later automatically receive the rights granted to it.
Create Distribution Lists
One of the major uses of groups within Active Directory is to create e-mail distribution lists.
Types of Active Directory Groups
As we discussed above, Active Directory groups are a collection of Active Directory objects. The group can include users, computers, other groups, and other AD objects. The administrator manages the group as a single object.
In Windows there are, in effect, seven kinds of group: two domain group types (security and distribution), each available in three scopes (universal, global and domain local), plus local security groups held in a computer's own SAM database:
Domain Groups Types
- Security Groups
- Distribution Groups
Group Scopes in Active Directory
- Universal groups (UG)
- Global groups (GG)
- Domain local groups (DLG)
Local Security Group
While working out how to automate the creation of Active Directory security groups and distribution lists, we found we needed a clear statement of the differences between the group types, security and distribution, and the group scopes: universal groups (UG), global groups (GG), and domain local groups (DLG).
With a little work, we dug out enough information for this cheat sheet on Active Directory groups:
The two domain group types are security groups and distribution groups, and each comes in the three group scopes discussed next. When creating a new Active Directory group you choose between a security and a distribution group, and you also choose the group scope. Distribution groups are used to create e-mail distribution lists; security groups are used to assign permissions to shared resources.
Used with care, security groups provide an efficient way to assign access to resources on your network. Security groups have two main functions:
- Assign User Rights
- Grant Permissions to Resources
Assign User Rights
IT administrators can assign user rights to a security group, which determine what the group's members can do. For instance, a user added to the Backup Operators security group gains the ability to back up and restore files and directories on every domain controller (DC) in the domain, because by default the 'Back up files and directories' and 'Restore files and directories' user rights are assigned to Backup Operators and every member inherits them. Note that the restore right allows writing arbitrary files onto a DC, so this group is effectively as sensitive as Domain Admins.
Grant Permissions to Resources
By granting permissions to security groups on shared resources, IT administrators allow group members to access the company’s resources, like shared printers, secured folders, and financial records. For example, the Human Resources security group will have access to employees’ data, which is confidential and cannot be shared with other departments.
Security groups can also be used as distribution groups in Exchange; such groups are known as mail-enabled security groups.
Distribution groups are designed to combine users together so that you can send e-mails (via Microsoft Exchange Server) collectively to a group rather than individually to each user in the group. Distribution groups are designed to be used for e-mail specifically and cannot be granted Windows permissions. The terms “distribution groups” and “distribution lists” tend to be used interchangeably, particularly if you work with Microsoft Exchange Server administrators. Don’t let this trip you up!
Group Scopes in Active Directory
When you set up a security or distribution group you must also choose a scope for it. The scope defines where in the domain or forest the group can be used and what kinds of members it can contain, so Active Directory knows how permissions assigned to the group apply.
There are three group scopes in active directory: universal, global, and domain local.
Universal Group
It can contain user and computer accounts, global groups, and other universal groups from any domain in the forest. Its membership is stored in the global catalog, so it does not depend on which domain a member comes from. A universal group can be a member of domain local groups or other universal groups in any domain in the forest, but NOT of global groups.
Global Group
It can contain user and computer accounts and other global groups from the same domain only; it cannot contain universal or domain local groups. A global group can be a member of global groups in the same domain, and of domain local groups or universal groups in any domain in the forest or in a trusting domain.
Domain Local Group
It can contain users, computers, global groups, and universal groups from any domain in the forest and any trusted domain, and domain local groups from the same domain. It can be a member of any domain local group in the same domain.
Put briefly: domain local groups are the only scope that can hold members from outside the forest (accounts and global groups from an external trusted domain); global groups are the scope to put accounts in when they must be usable across trusts; universal groups span domains within a single forest. There are also local groups. These are created in the local Security Accounts Manager (SAM) database of a specific computer. Unlike domain groups, local groups keep working even when no domain controller can be contacted.
Read More: Active Directory Groups Best Practices
Universal Groups vs Domain Local Groups vs Global Groups
The following differences between group scopes hold in general, but how they apply depends on the use case.
Uses of Universal Groups
Group Consolidation Spanning Across Domains
Universal groups are used to consolidate groups across domains. The recommended way to do this is:
- Add user accounts to groups with global scope.
- Nest those global groups in groups with universal scope.
With this layout, day-to-day changes to users' memberships happen in the global groups and never touch the universal group. That matters because adding or removing a member triggers replication at different scopes depending on the group's scope:
- Adding or removing a member of a universal group replicates to every global catalog server in the forest.
- Adding or removing a member of a global group replicates within its own domain only.
Use Case for Universal Groups
Network with Two Domains – (UG with Two GG as Members)
Consider a forest with two domains, Asia and US. A universal group named UMarketing has two global groups as members, Asia\GLMarketing and US\GLMarketing, one from each domain. Changes to the membership of either global group cause no replication of UMarketing, because the universal group's own member list (the two global groups) is unchanged.
When UMarketing's own membership does change, linked-value replication (available once the forest functional level is Windows Server 2003 or higher) replicates only the individual member values that changed to the global catalog servers, rather than the entire member attribute.
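The layout above, built with the ActiveDirectory PowerShell module, as an added example that is not code from the original article: it nests one global group from each child domain into a universal group in the forest root and then reads the per-value replication metadata of the universal group's member attribute, which is where linked-value replication shows up. The forest name corp.example, the child domains asia.corp.example and us.corp.example, and the group names GLMarketing and UMarketing are assumptions.

```powershell
# Added example, not code from the original article. Assumed names: forest root
# 'corp.example', child domains 'asia.corp.example' and 'us.corp.example', an
# existing global group 'GLMarketing' in each child domain, and a universal group
# 'UMarketing' in the root domain.
Import-Module ActiveDirectory

$forestRoot     = 'corp.example'
$childDomains   = 'asia.corp.example', 'us.corp.example'
$universalGroup = 'UMarketing'

# Create the universal group in the forest root if it is not there yet.
if (-not (Get-ADGroup -Filter "Name -eq '$universalGroup'" -Server $forestRoot)) {
    New-ADGroup -Name $universalGroup -GroupScope Universal -GroupCategory Security `
        -Server $forestRoot -Description 'Forest-wide marketing, built from per-domain global groups'
}
$ug = Get-ADGroup -Identity $universalGroup -Server $forestRoot

# Nest each domain's global group into the universal group. Universal group
# membership lives in the global catalog, so each add below replicates to every
# GC in the forest; later changes inside the global groups stay in their domain.
foreach ($domain in $childDomains) {
    $gg = Get-ADGroup -Identity 'GLMarketing' -Server $domain
    Add-ADGroupMember -Identity $ug -Members $gg -Server $forestRoot
}

# Linked-value replication (forest functional level Windows Server 2003 or higher)
# gives every value of 'member' its own version and originating change, so adding
# one group replicates only that value, not the whole attribute. The metadata
# shows this: each member row carries its own Version and timestamp.
$dc = (Get-ADDomainController -Discover -DomainName $forestRoot).HostName[0]
Get-ADReplicationAttributeMetadata -Object $ug.DistinguishedName -Server $dc -ShowAllLinkedValues |
    Where-Object AttributeName -eq 'member' |
    Select-Object AttributeValue, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity |
    Format-Table -AutoSize
```

Run it from the forest root domain with an account allowed to create groups there. Add a third member later and run the last pipeline again: only the new row gets Version 1 with a fresh timestamp, while the earlier rows keep their old metadata, which is the observable effect of linked-value replication.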
Uses of Global Groups
Arranging User Objects with Similar Activities
User Objects within Active Directory can be arranged in Global Groups based on similarity in job activities (similar attribute) such as Accountants in Accounting Department. Criteria for organizing users can involve departments, positions, and job activities.
Managing Objects Requiring Daily Maintenance
Global groups are used for user and computer accounts that change frequently (accounts requiring daily maintenance), because membership changes in a global group are not replicated to the global catalog and so stay within the group's own domain.
Consolidating Rights & Permissions Across Domains
Because global groups are visible to every domain in the forest (and to trusting domains), a single global group can be granted rights and permissions in any of those domains, so one group carries the same entitlements across domains.
Use Case for Global Groups
Network with Two Domains – (GG with Permission in a Domain)
Consider a forest with two domains, USA and Europe. USA\GGMarketing is a global group that has been granted rights and permissions in the USA domain, and its members need the same rights and permissions in the Europe domain as well. Because global groups are visible throughout the forest, USA\GGMarketing can be granted those rights in Europe directly, or nested into a domain local group in Europe that holds them. If a separate Europe\GGMarketing is created instead, its membership has to be kept in sync with the USA group by hand. Managing the group by the role it represents rather than by the domain it lives in is an example of logical group management.
When to Avoid using Global Groups?
Global groups are not recommended for assigning access to resources that are specific to one domain, because a global group is visible across the whole forest. Use a domain local group for that case.
Uses of Domain Local Groups
Uses of domain local groups involve:
- Assigning permissions on resources
- Changing the access list of a resource in one place
A domain local group can also contain other groups, so that the members of those groups receive the permissions assigned to the domain local group.
Use Cases for Domain Local Group
Managing Resource Permissions
Domain local groups let IT define and manage access to resources within a single domain. Rather than listing every user account in a resource's permissions, the domain local group is listed once. Consider the following use cases.
Assigning Access to an Existing Printer
IT admins want to give a given set of users access to a particular resource, such as a specific printer in the organization.
Assigning Access for the Same Users to a New Printer
If the same users later need access to a new printer, each of them would have to be added to the new printer's permission list again.
With a little planning this is avoided: create a group with domain local scope and grant it permission on the resource (the printer). Put the five user objects into a group with global scope, and add that global group to the domain local group that holds the printer permission. The users can now use the printer, and when a new printer arrives, access is granted by adding the same global group to the new printer's domain local group; the user accounts themselves are never touched. This layering (accounts into global groups, global groups into domain local groups, permissions on the domain local group) is commonly called AGDLP.
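The AGDLP pattern from the printer example, as an added PowerShell example that is not code from the original article. It uses a shared folder rather than a printer because folder ACLs are straightforward to set from PowerShell; the same domain local group would be granted the Print permission on a printer. The domain corp.example, the group names, the user names and the path D:\Shares\Finance are assumptions.

```powershell
# Added example, not code from the original article. Assumed: domain corp.example,
# users alice..erin exist, the folder D:\Shares\Finance exists on this server, and
# the caller can create groups and change the folder's ACL.
Import-Module ActiveDirectory

$globalGroup      = 'GG-Finance-Staff'          # role group: who the people are
$domainLocalGroup = 'DL-Finance-Share-Modify'   # resource group: what right on what
$resourcePath     = 'D:\Shares\Finance'
$users            = 'alice', 'bob', 'carol', 'dave', 'erin'

# 1. Accounts go into a global group (members must come from this domain).
if (-not (Get-ADGroup -Filter "Name -eq '$globalGroup'")) {
    New-ADGroup -Name $globalGroup -GroupScope Global -GroupCategory Security `
        -Description 'Finance department staff'
}
Add-ADGroupMember -Identity $globalGroup -Members $users

# 2. The global group goes into a domain local group, which may also take global
#    groups from other domains in the forest or from trusted domains.
if (-not (Get-ADGroup -Filter "Name -eq '$domainLocalGroup'")) {
    New-ADGroup -Name $domainLocalGroup -GroupScope DomainLocal -GroupCategory Security `
        -Description "Modify on $resourcePath"
}
Add-ADGroupMember -Identity $domainLocalGroup -Members $globalGroup

# 3. Only the domain local group appears in the resource ACL. Inheritance is cut
#    so that permissions inherited from the parent folder cannot widen access.
$domainNetbios = (Get-ADDomain).NetBIOSName
$acl = Get-Acl -Path $resourcePath
$acl.SetAccessRuleProtection($true, $false)   # protect DACL, drop inherited ACEs
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domainNetbios\$domainLocalGroup", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
# A stripped ACL with only the DL group would lock out backup and local admins.
foreach ($builtin in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $builtin, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
}
Set-Acl -Path $resourcePath -AclObject $acl

# 4. Verify the effective membership: the five users reach the share through the
#    global group, and a second resource only needs its own DL group with the
#    same global group nested into it.
Get-ADGroupMember -Identity $domainLocalGroup -Recursive | Select-Object Name, objectClass
```

If the groups were created moments before the Set-Acl call, the file server may not yet be able to resolve the new group's SID; wait for replication to the DC the server uses, or point both cmdlets at the same domain controller with -Server.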
Changing Group Scope in Active Directory Groups
You can change the scope (and the type, security or distribution) of a group after it is created, subject to the following conditions:
Conditions to Change Group Scope in Active Directory
Convert Global Security Group to Universal Group
A global group can be converted to universal scope if it is not a member of another global group.
Convert Domain Local Group to Universal Group
A domain local group can be converted to universal scope if it does not contain another domain local group as a member.
Convert Universal Group to Domain Local Group
A universal group can be converted to domain local scope without any restriction.
Convert Universal Group to Global Group
A universal group can be converted to global scope if it does not contain another universal group as a member.
There is no direct conversion between global and domain local scope in either direction; convert to universal scope first, then to the target scope.
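The conversion rules above, checked before Set-ADGroup is allowed to change a scope, as an added PowerShell example that is not code from the original article. Beyond the four listed rules it also checks two conditions the directory enforces in practice (a global group can only hold members from its own domain, and a universal group cannot hold principals from outside the forest), flagged as such in the comments. The group name GG-Finance-Staff is an assumption.

```powershell
# Added example, not code from the original article. Assumed: RSAT ActiveDirectory
# module present; the group name used in the usage section is hypothetical.
Import-Module ActiveDirectory

# Domain part of a distinguished name, e.g. 'DC=corp,DC=example'.
function Get-DomainDN([string] $DistinguishedName) {
    $DistinguishedName.Substring($DistinguishedName.IndexOf('DC='))
}

function Test-ADGroupScopeChange {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('Global', 'Universal', 'DomainLocal')] [string] $TargetScope
    )
    $group        = Get-ADGroup -Identity $Identity -Properties member, memberOf
    $parents      = @($group.memberOf | ForEach-Object { Get-ADGroup -Identity $_ })
    $members      = @($group.member   | ForEach-Object { Get-ADObject -Identity $_ })
    $memberGroups = @($members | Where-Object ObjectClass -eq 'group' |
                      ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName })
    $groupDomain  = Get-DomainDN $group.DistinguishedName

    $problems = @(switch ("$($group.GroupScope)->$TargetScope") {
        'Global->Universal' {
            # Rule: must not be a member of another global group.
            $parents | Where-Object GroupScope -eq 'Global' |
                ForEach-Object { "is a member of global group $($_.Name)" }
        }
        'DomainLocal->Universal' {
            # Rule: must not contain a domain local group. Practical extra check:
            # a universal group cannot hold principals from outside the forest.
            $memberGroups | Where-Object GroupScope -eq 'DomainLocal' |
                ForEach-Object { "contains domain local group $($_.Name)" }
            $members | Where-Object ObjectClass -eq 'foreignSecurityPrincipal' |
                ForEach-Object { "contains external principal $($_.Name)" }
        }
        'Universal->Global' {
            # Rule: must not contain a universal group. Practical extra check:
            # a global group only takes members from its own domain.
            $memberGroups | Where-Object GroupScope -eq 'Universal' |
                ForEach-Object { "contains universal group $($_.Name)" }
            $members | Where-Object { (Get-DomainDN $_.DistinguishedName) -ne $groupDomain } |
                ForEach-Object { "contains $($_.Name) from another domain" }
        }
        'Universal->DomainLocal' { }   # always allowed
        'Global->DomainLocal'    { 'no direct conversion: convert to Universal first' }
        'DomainLocal->Global'    { 'no direct conversion: convert to Universal first' }
        default                  { "group is already $TargetScope" }
    })

    [pscustomobject]@{
        Group        = $group.Name
        CurrentScope = $group.GroupScope
        TargetScope  = $TargetScope
        Allowed      = ($problems.Count -eq 0)
        Problems     = $problems
    }
}

# Usage: check first, convert only when every condition is satisfied.
$check = Test-ADGroupScopeChange -Identity 'GG-Finance-Staff' -TargetScope Universal
$check | Format-List
if ($check.Allowed) {
    Set-ADGroup -Identity 'GG-Finance-Staff' -GroupScope Universal
} else {
    Write-Warning "Not converting: $($check.Problems -join '; ')"
}
```

A scope change is also a security change: converting a global group to universal moves its membership into the global catalog, and converting it to domain local after that lets it accept members from trusted domains, so review who can then be nested into it.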
Built-in Active Directory Security Groups
Default or built-in Active Directory security groups are created automatically when a domain is set up. The following are well-known default security groups:
- Administrators
- Backup Operators
- Remote Desktop Users
Additional default groups are created in the Builtin and Users containers of a domain, such as:
- Domain Admins
- Enterprise Admins
- Schema Admins
Each of these well-known default security groups is described below:
Administrators
Administrators is a default group with full control over all domain controllers in the domain and the data they hold. Its members can change the membership of the other default administrative groups, such as Domain Admins, Enterprise Admins, and Schema Admins.
Backup operators are primarily responsible for backing up and restoring all files on a computer, irrespective of permissions concerning those files. Such active directory groups can’t be:
Backup Operators can also back up and restore domain controllers. The membership of the Backup Operators group can be changed by the following groups:
- Default Service Administrators
- Domain Admins in the Domain
- Enterprise Admins
Members of the Backup operator’s group do not have the ability to:
- Modify server settings
- Change directory configuration
However, members can replace files, including operating system files, on domain controllers. A member who can restore an arbitrary file onto a DC can take over the domain, so treat Backup Operators membership as equivalent to Domain Admins when auditing.
Remote Desktop Users
Remote Desktop Users refers to a group designated to provide users and groups rights to initiate a remote session to an RD session host server. This group can’t be:
Remote Desktop Users appears as a SID rather than by name until both of the following hold:
- The domain controller has been made the primary domain controller (PDC).
- It holds the corresponding operations master (FSMO) role.
Domain Admins
The Domain Admins group is added to the domain's Administrators group, so it inherits all of that group's capabilities. By default it is also added to the local Administrators group of every computer joined to the domain, which gives Domain Admins full control over every domain member.
Enterprise Admins
The Enterprise Admins group exists only in the forest root domain. It is a member of the Administrators group in every domain of the forest, giving it full access to all domain controllers, and it has full control over the forest-wide configuration directory partition and the domain naming contexts.
Schema Admins
The Schema Admins group, also present only in the forest root domain, owns and controls the Active Directory schema.
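An audit of the effective (nested) membership of the default groups described above, as an added PowerShell example that is not code from the original article. It uses the LDAP_MATCHING_RULE_IN_CHAIN filter so the domain controller expands nesting itself, and separately lists members it cannot expand because they live in another domain. The domain-joined host with RSAT and a reader account are assumptions.

```powershell
# Added example, not code from the original article. Assumed: run on a
# domain-joined host with the RSAT ActiveDirectory module, by an account that can
# read group membership; the group names are the well-known defaults.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
# Enterprise Admins and Schema Admins exist only in the forest root domain.
$targets = @(
    @{ Name = 'Administrators';       Server = $domain.DNSRoot }
    @{ Name = 'Domain Admins';        Server = $domain.DNSRoot }
    @{ Name = 'Backup Operators';     Server = $domain.DNSRoot }
    @{ Name = 'Remote Desktop Users'; Server = $domain.DNSRoot }
    @{ Name = 'Enterprise Admins';    Server = $forest.RootDomain }
    @{ Name = 'Schema Admins';        Server = $forest.RootDomain }
)

function Get-EffectiveMembers {
    param([string] $GroupName, [string] $Server)
    $group    = Get-ADGroup -Identity $GroupName -Server $Server -Properties member
    $dn       = $group.DistinguishedName
    $domainDN = $dn.Substring($dn.IndexOf('DC='))

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC expand
    # nested groups server-side, so one query returns every transitive member that
    # lives in this domain, however deep the nesting.
    $chain = "(memberOf:1.2.840.113556.1.4.1941:=$dn)"
    Get-ADObject -LDAPFilter $chain -Server $Server -Properties userAccountControl, adminCount |
        ForEach-Object {
            $note = ''
            if ($_.ObjectClass -eq 'foreignSecurityPrincipal') { $note = 'principal from a trusted domain' }
            [pscustomobject]@{
                Group       = $GroupName
                Member      = $_.Name
                ObjectClass = $_.ObjectClass
                Disabled    = [bool]($_.userAccountControl -band 0x2)   # ADS_UF_ACCOUNTDISABLE
                AdminCount  = $_.adminCount
                Note        = $note
            }
        }

    # The chain rule cannot expand members that live in another domain of the
    # forest, so list those direct members separately; each hides an unknown
    # number of accounts until it is expanded in its own domain.
    foreach ($memberDn in $group.member) {
        if ($memberDn -notlike "*,$domainDN") {
            [pscustomobject]@{
                Group = $GroupName; Member = $memberDn; ObjectClass = 'cross-domain'
                Disabled = $null; AdminCount = $null; Note = 'expand in its own domain'
            }
        }
    }
}

$report = foreach ($t in $targets) { Get-EffectiveMembers -GroupName $t.Name -Server $t.Server }
$report | Sort-Object Group, Member | Format-Table -AutoSize

# What an auditor acts on: disabled accounts that still hold privilege, computer
# accounts in administrative groups, and members the query could not expand.
$report | Where-Object { $_.Disabled -or $_.ObjectClass -eq 'computer' -or $_.Note } |
    Format-Table Group, Member, ObjectClass, Disabled, Note -AutoSize
```

Get-ADGroupMember -Recursive would give a similar list for simple cases, but it fails on groups that contain foreign security principals or members from other domains; the chain filter returns what this domain knows and the second loop makes the rest visible instead of silently dropping it.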
Uses of Built-In/Default Active Directory Groups
Such pre-defined groups in Active Directory can be used in the following two ways:
- Managing Access to Resources
- Allocate Administrative Responsibilities
Members of the default security groups in a domain are assigned user rights that let them perform tasks such as:
- Sign-on to the local system
- Gain network access to specific files and folders
- Backup such files and directories
EXAMPLE: Backup Operators is one such privileged group; its members can back up files and folders on the domain controllers of the domain. When you add a user to a group, the user inherits all of the group's user rights as well as all of the group's permissions on any shared resources.
Default groups are found in the Builtin container and the Users container in Active Directory Users and Computers:
- Groups in the Builtin container have domain local scope (shown as Builtin local).
- The Users container holds default groups of global scope (for example Domain Admins), universal scope (Enterprise Admins, Schema Admins) and domain local scope.
These groups can be moved only to other containers or organizational units (OUs) within the same domain, never to another domain.
Changing Permissions on Built-In Administrator Groups
Objects in Active Directory are protected by security descriptors, which hold their permission information. A background process, SDProp, runs periodically (every 60 minutes by default, on the domain controller holding the PDC emulator role) and stamps the security descriptor of the AdminSDHolder object onto the protected administrative groups and their members, marking them with adminCount=1 and disabling inheritance on them. Any direct edit to the permissions of a protected group or account is therefore overwritten at the next run.
The AdminSDHolder object holds that template security descriptor. To change the permissions on any of the protected administrative groups, change the security descriptor of AdminSDHolder itself. Be careful: every change made there is applied to all protected administrative groups and accounts, and an unexpected ACE on AdminSDHolder is a well-known persistence technique, so its ACL belongs in regular auditing.
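An AdminSDHolder audit, as an added PowerShell example that is not code from the original article: it lists who holds rights on AdminSDHolder, compares a protected group's ACL with the template, and finds accounts that SDProp once marked adminCount=1 but that are no longer in any protected group. Domain Admins as the sample group and the protected-group list (the Windows Server 2008 and later defaults) are the example's own choices; running it in the forest root is assumed for complete results.

```powershell
# Added example, not code from the original article. Assumed: run in the domain
# being audited with the RSAT ActiveDirectory module; 'Domain Admins' is used as
# the sample protected group. Run it in the forest root for complete results,
# since Enterprise Admins and Schema Admins exist only there.
Import-Module ActiveDirectory

$domain        = Get-ADDomain
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# 1. Who has rights on AdminSDHolder? Every ACE here is copied by SDProp (every
#    60 minutes by default, on the PDC emulator) onto all protected objects, so an
#    unexpected identity here is a persistence foothold, not a stray permission.
(Get-Acl -Path "AD:\$adminSdHolder").Access | Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType |
    Format-Table -AutoSize

# 2. Compare a protected group's explicit ACEs with AdminSDHolder's. Once SDProp
#    has run they should match; a difference means SDProp has not run yet or the
#    group's descriptor was edited directly, which the next run will revert.
function Get-ExplicitAceSet([string] $Path) {
    (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.ActiveDirectoryRights,
            $_.AccessControlType, $_.ObjectType, $_.InheritedObjectType
    } | Sort-Object -Unique
}
$daDn = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
$diff = Compare-Object (Get-ExplicitAceSet "AD:\$adminSdHolder") (Get-ExplicitAceSet "AD:\$daDn")
if ($diff) { $diff | Format-Table -AutoSize } else { 'Domain Admins ACL matches AdminSDHolder' }

# 3. SDProp sets adminCount=1 on protected objects but never clears it. Accounts
#    removed from a protected group keep the flag, keep the locked-down ACL and
#    stop inheriting permissions from their OU, so delegated admins can no longer
#    manage them. Find those orphans.
$protectedGroups = 'Administrators', 'Account Operators', 'Backup Operators', 'Print Operators',
                   'Server Operators', 'Replicator', 'Domain Admins', 'Domain Controllers',
                   'Read-only Domain Controllers', 'Enterprise Admins', 'Schema Admins'
$expected = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($name in $protectedGroups) {
    $g = Get-ADGroup -Filter "Name -eq '$name'"   # null in a child domain for the two root-only groups
    if (-not $g) { continue }
    [void]$expected.Add($g.DistinguishedName)
    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($g.DistinguishedName))" |
        ForEach-Object { [void]$expected.Add($_.DistinguishedName) }
}
# The built-in Administrator (RID 500) and krbtgt (RID 502) are protected too;
# look them up by SID so a renamed Administrator account is still found.
foreach ($rid in 500, 502) {
    [void]$expected.Add((Get-ADUser -Identity "$($domain.DomainSID)-$rid").DistinguishedName)
}
$orphans = Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' |
    Where-Object { -not $expected.Contains($_.DistinguishedName) }
$orphans | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
```

For each orphan, clear adminCount and re-enable inheritance on the object (Set-ADObject -Clear adminCount, then SetAccessRuleProtection($false, $true) on its ACL) once you have confirmed it really should no longer be protected; leaving the flag in place keeps a stale, hardened ACL that hides the object from delegated administration.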
GroupID by Imanami offers a suite of solutions that empowers IT professionals to manage groups, users, and entitlements effectively and automatically. Learn more about the suite of solutions under GroupID.