
Groups in Active Directory I

Saturday, March 1, 2014

The topic of groups in Active Directory has always been misunderstood by a large number of people; I say this based on my
experience with clients and with the students in my classes on the subject. So what I intend with this article is to explain the
subject in the clearest and simplest way possible. Hopefully it will succeed, and if it does, please let me know with a
comment at the end of this article.

I'll start with the first question I always ask in my classes: when you create a group, which of the following options do you
choose?

As you can see in the image above, the default values are the ones selected, and the funny thing is that most people type the
name of the group, click OK, and that's it!

Well, it really works, and the objective of the newly created group is fulfilled; but when you ask a question such as "what
happens if you change it to Universal or Domain Local?", many probably do not know how to answer. That is precisely the
objective of this article: to clarify each of the options we have when creating a group and, above all, to clearly understand
the option we activate at the moment of creation. Not only that; along the way I will talk about best practices and clarify
any topic related to groups and their administration.

Group-based permissions

A first and important recommendation before starting: get used to granting access to resources based on security groups,
that is, avoid granting permissions to individual users. Why? Because if we give access to a user and at some point that
user is removed from the directory, we will observe that in the resources where we granted permissions to that user the
entry simply does not disappear; instead we will see their security identifier, or SID. This is when we talk about ghost
SIDs. Let's look at an example.

1. We give permissions to a user named John Smith on a folder called Documents on local disk C:.
2. Some time later, John Smith leaves the organization, so his account is removed from the directory. When we return to
the security tab of the Documents folder we will see the famous ghost SID. Surely many have seen it, and others may have
wondered what it was; now they know.

To avoid this, and as a good practice, we always grant permissions to groups rather than to individual users, since groups
usually correspond to functions. For example, we have a group called Sales of which John Smith is a member; for the
permissions on the Documents folder we put the Sales group in place of the user John Smith. Thus, when the user John
Smith is deleted, the Sales group continues to appear in the security tab instead of a ghost SID.

By working in this way, administration is easier, since we do not have to keep "cleaning up" the access control lists.
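A check for the ghost SIDs described above, as an added example that is not part of the original article: it reports the ACEs on a folder whose principal no longer resolves and, with -Remove, deletes the explicit ones. It assumes the C:\Documents path from the example and an account that can read (and, for removal, write) the folder's ACL.

```powershell
# Added example, not the article's own code: report (and optionally remove) ACEs whose
# principal no longer resolves, the "ghost SIDs" left behind when a user object is deleted.
# Assumes the caller can read the folder's ACL (and write it when -Remove is used).
function Get-OrphanedAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string[]]$Path,
        [switch]$Remove    # remove explicit orphaned ACEs instead of only reporting them
    )
    process {
        foreach ($p in $Path) {
            $acl = Get-Acl -LiteralPath $p
            $changed = $false
            # Snapshot the ACE list so it can be modified while iterating.
            foreach ($ace in @($acl.Access)) {
                # Get-Acl hands back DOMAIN\Name when the principal still exists and falls
                # back to a raw SecurityIdentifier when the SID could not be looked up.
                $ref = $ace.IdentityReference
                if ($ref -isnot [System.Security.Principal.SecurityIdentifier]) { continue }
                # Capability SIDs (S-1-15-3-*) never resolve to a name; they are not orphans.
                if ($ref.Value -like 'S-1-15-3-*') { continue }
                # Confirm the lookup really fails rather than trusting the returned type.
                try {
                    $null = $ref.Translate([System.Security.Principal.NTAccount])
                    continue
                } catch [System.Security.Principal.IdentityNotMappedException] {
                    # Unmapped SID: the principal was deleted from the directory.
                }
                [pscustomobject]@{
                    Path      = $p
                    Sid       = $ref.Value
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
                # Inherited ACEs must be fixed on the object that defines them, so only
                # explicit ones are removed here.
                if ($Remove -and -not $ace.IsInherited -and
                    $PSCmdlet.ShouldProcess($p, "Remove ACE for $($ref.Value)")) {
                    $null = $acl.RemoveAccessRule($ace)
                    $changed = $true
                }
            }
            if ($changed) { Set-Acl -LiteralPath $p -AclObject $acl }
        }
    }
}

# Report first, then preview the cleanup with -WhatIf before running it for real.
Get-OrphanedAce -Path 'C:\Documents'
Get-OrphanedAce -Path 'C:\Documents' -Remove -WhatIf
```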

Default Groups

In Active Directory there are a number of default groups, that is, groups created during the installation of the domain
services, and it is important to know what they are and where they are located.

Where are these default groups? In the Builtin and Users containers. Let's look at the important characteristics of these
two containers.

Builtin

The groups in this container have local scope (remember the introduction to this article?); for now we do not have to worry
about this, as we will see what this scope is about. The scope and type of the groups here cannot be changed; take for
example the Administrators group.
As you can see in the picture, the Group Scope and Group Type options are disabled.

None of the groups in this container can be deleted (the option is not even offered), nor is it possible to change their
default name.

Some groups that we can find in this container: Administrators, Backup Operators, Account Operators, Server Operators,
Print Operators, Remote Desktop Users, Guests.

Users

The Users container has groups of different scopes: Domain Local, Global and Universal; it also contains some built-in
accounts, such as Administrator, Guest and krbtgt.

Unlike the Builtin container, existing groups and accounts can be moved to another container or Organizational Unit.

The scope and type of the groups in this container cannot be modified either.

None of the groups in this container can be deleted either; although the option is enabled, if you try to do so you will
receive the following message:

Unlike the Builtin container, the default name of the groups in this container can be changed; in the following image I have
renamed the Domain Admins group.

Some groups that we can find in this container: Enterprise Admins, Schema Admins, Domain Admins, Domain Users.

Groups in Active Directory II

Sunday, March 2, 2014

Well, in the first part we saw an overview of groups in Active Directory; if you have not read it, you can review it before
continuing with this second part.

In this part we will try to clarify the most important doubts that arise regarding groups in Active Directory.

There are four group scopes: Local, Domain Local, Global and Universal. Each scope is framed by three characteristics;
pay close attention to them, since understanding the subject depends largely on them.

Replication: where the group is defined and to which systems it is replicated.

Membership: which types of objects a group can have as members, for example whether it can contain members from
other domains.

Visibility: as the name implies, from where the group can be "seen", for example to be added to the access control list of
some resource.

Now let's analyze each of the group scopes that exist in Windows, taking the characteristics mentioned into account.

Local scope:

Replication: these groups exist only in the account database (SAM) of the computer where they were defined; they do not
exist in Active Directory and are not replicated to any other computer.

Membership: a local group can contain the following objects as members:

- Users, computers, global groups, or domain local groups (same domain)
- Users, computers, and global groups of any domain in the forest
- Users, computers, and global groups of any trusted domain
- Universal groups defined in any domain of the forest

Visibility: a local group is visible only from the same computer.

Domain Local scope:

Replication: a domain local group is defined in the domain naming context of the NTDS.dit Active Directory database; the
group and its members are replicated to all domain controllers in the domain.

Membership: a domain local group may include the following members:

- Users, computers, global groups, or other domain local groups (same domain)
- Users, computers, and global groups of any domain in the forest
- Users, computers, and global groups of any trusted domain
- Universal groups defined in any domain of the forest

Visibility: a domain local group can be added to the access control list of any resource on any computer in the same
domain; these groups can also be members of other domain local groups and of local groups.

If we look closely at the characteristics of the two scopes that have the word "local" in their name, we see that their
Replication and Membership characteristics are the same; the only difference between the two is visibility, since a local
group cannot be "seen" from anywhere other than our machine, while a domain local group can be "seen" from any
computer in the same domain.

Global scope:

Replication: a global group is defined in the domain naming context; the group, including its members, is replicated to all
domain controllers in the same domain.

Membership: a global group may contain the following members:

- Users, computers, and other global groups of the same domain

Visibility: a global group is visible from all domain member computers, from the other domains in the forest, and from any
external forest with which there is a trust relationship. A global group can be a member of any domain local or universal
group in the domain or in the forest, and it can also be a member of any domain local group in a trusted domain. In
conclusion, a global group can be added to the access control list of any resource in the domain, in the forest, or in
trusted domains.

Important: if we look closely, a global group has limited membership (only users, computers, and global groups of its own
domain), but its visibility is the widest, since it is visible from all domains of the forest and from any other domain with
which we have a trust relationship.

Universal scope:

Replication: a universal group is defined in a single domain of the forest but is replicated in the global catalog, and objects
found in the global catalog are visible from anywhere in the forest.

Membership: a universal group may contain the following objects as members:

- Users, global groups, and other universal groups of any domain in the forest

Visibility: a universal group can be seen from any domain in the forest and can be a member of other universal or domain
local groups; this kind of group is especially useful for granting access throughout the forest.

The following table summarizes all of the above:

Source: Exam 70-640: TS: Windows Server 2008 Active Directory, Configuring (2nd Edition), Microsoft Press

Well, all of the above may seem very nice in theory, but how does it apply in the real world? We will see that in a later
installment.

Groups in Active Directory III

Saturday, March 8, 2014

In the previous article we clarified the group scopes in Active Directory; now we are going to explain the other setting that
appears when we create a group: the group type.

We have two types, Security and Distribution, and the difference between them is simple: when we choose the "Security"
group type, it means we can use the group to assign permissions on any resource, while a distribution group is used only
as a list of recipients for sending mail. Those who have worked with Exchange will already know this type of group;
someone who has not is probably still wondering about the difference between the two. It is important to keep in mind that
having a security group does not mean that we cannot use it as a distribution list, but it is better practice to use a
distribution group if we know we will only use it for that, i.e. we will not use it to grant permissions on resources.

Let's see a specific example of this difference: we are going to create the following two groups with fairly descriptive names.

With these two groups created, we will try to give each one permissions on a folder of a server. Let's start with the
security group.

As you can see in the image, we were able to add the group named Security, which is of type "Security", to the access
control list of the folder C:\Docs Folder without any problem.

Now let's try the same with the distribution group; this time we get the following message:

This means that the distribution group we created cannot be found, and with this we can understand the clear difference
between the two types of group.

Well, I hope that with this brief explanation the subject of the group type has been understood.

Now we can go a little deeper. Since we saw the scopes in the previous article, it is time to begin to understand how they
are used in real life. I can start by saying that these scopes are used to manage access at the level of an entire Active
Directory infrastructure and, very importantly, to build a role-based access environment, better known as Role Based
Access Control (RBAC); to do so, the theory discussed in the previous article is essential.

Groups in Active Directory IV

Sunday, March 9, 2014

Continuing with the series of articles dedicated to groups in Active Directory, in this installment we will discuss the
strategy for creating groups; I recommend having read the three previous installments, where we clarified important
concepts regarding groups in Active Directory.

For this installment it is particularly important to be clear about the concepts discussed in the previous articles.

In this installment we will review the recommended strategy when it comes to working with groups. If we follow this
strategy to the letter, we will end up with a solid and scalable group structure. We often create groups thinking that things
will remain as they are; we rarely think about what would happen if the company grows to the point of having many users,
several geographical locations, several domains, and even several forests. Without this in mind, we create groups without
thinking about it, but if for some reason the company's conditions change, for instance through mergers with other
organizations or the need to create more domains, it is only then that the Active Directory infrastructure managers
understand that the groups as they were created from the outset do not support the current business needs, and it is only
then that they begin to investigate how groups work in Active Directory. The theory in this installment tries to explain the
strategy that must be followed in any Active Directory domain regardless of its size: even if we have only one domain,
even if we are an SME, we must always keep this strategy in mind, since it also reflects the proper design of an Active
Directory infrastructure.

The strategy is known as IGDLP (Identities, Global, Domain Local, Permissions; from the Spanish Identidades, Global,
Dominio Local, Permisos). The acronym is used to make it easy to remember how to create and use groups in Active
Directory. To apply the strategy, we must remember what each letter of the acronym means, so let's begin:

Note: this strategy is also known as AGDLP or UGDLP.

1. We take the first letter, the I, which refers to Identities; these can be users, groups or computers. In this case we will
use a user object.

We have our user named User1; clearly, in the real world you will have many more users to add to the groups ;-)

2. We move to the second letter of the acronym, G, which refers to a Global group. This means that the user we created
must be made a member of a global group; be careful with this: it has to be Global, neither Domain Local nor Universal
goes here, hence the letter G of the acronym.

Moreover, the recommendation is that global groups should be used to define business functions, that is, ideally the
global groups we use receive names such as Sales, Finance, Engineering, Accounting, etc.

With that in mind, we will create a group called Sales (remember, it must be Global).

Now that we have created our global group called Sales, we add the user created in step 1 to the newly created group,
and so far the strategy, according to its initials, goes:

IG (we still lack the DLP)

Let's review: we simply have a user as a member of a global group, and the global group's name defines a function of the
company.

3. Now we go with the initials DL, which mean Domain Local; this means that we must create a group of this scope.

The recommendation is that, according to the strategy, domain local groups should be used to grant permissions on
resources; for that reason the way of naming them should refer to what their members can do on a given resource. For
example, we may need a group to grant read-only access to the users of the sales department, so an appropriate name for
this group could be Sales_Lectura (with Domain Local scope).

Now, since we know that this group will be used to grant read-only access to the sales team on any resource, we simply
add the Sales group created in step 2 as a member of the Sales_Lectura group.

And so we have completed the strategy up to this point: IGDL (we only need the P).

4. Now let's go with the P. We already have our domain local group, and the strategy's recommendation is that whenever
we grant permissions we do it through domain local groups such as the one we just created. With that in mind, we will
grant access on a folder of a server, hence the P for Permissions.

As you can see in the previous image, we have granted read-only permissions to the Sales_Lectura group on a folder
called Sales Documents.

In this way we have completed the IGDLP strategy.

Always keep this in mind when creating groups. In short we have:

- Always create global groups that define business functions
- Create domain local groups only to grant permissions
- Global groups must be members of domain local groups
- We grant permissions to the domain local group

The reason for using a domain local group to grant permissions is that its membership is wide, reaching the whole forest
and even other domains with which a trust relationship exists, so we can grant access to users from anywhere; whereas if
we used, for example, a global group, as we have seen its membership is limited to the same domain (only users,
computers and global groups of that domain), which makes it impossible to add users from other domains in order to grant
permissions. The following image graphically summarizes the strategy.

Well, the strategy so far works as long as you have a single domain, but if we have a forest with several domains the
strategy gains an additional component, the universal scope groups, and the name of the strategy changes to make room
for them: it is renamed IGUDLP. We simply add a U, which means that the Global group must then be made a member of
a Universal group so that it is visible throughout the forest, as we saw in the second installment.
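The four IGDLP steps above, plus the U of the IGUDLP variant for a multi-domain forest, carried out with the ActiveDirectory module; this is an added example and not the article's own code. It uses the user User1 and the group names Sales and Sales_Lectura from the article, an invented universal group name Sales_Forest, and placeholder values for the OU and folder.

```powershell
# Added example, not the article's own code: the four IGDLP steps (and the IGUDLP variant for a
# multi-domain forest) with the ActiveDirectory module. Assumes an existing user User1, the
# placeholder OU and folder below, and rights to create groups and edit the folder's ACL.
#Requires -Modules ActiveDirectory
param(
    [string]$GroupsOU = 'OU=Groups,DC=example,DC=com',   # placeholder, adjust to your domain
    [string]$Folder   = 'D:\Sales Documents',            # placeholder, the resource to protect
    [switch]$Universal                                    # add the U of IGUDLP
)

# I: the identity, here a user object.
$user = Get-ADUser -Identity 'User1'

# G: a global security group named after a business function. A Distribution group is not
# security-enabled, so the ACL editor could not find it (the error shown in part III).
$sales = New-ADGroup -Name 'Sales' -GroupScope Global -GroupCategory Security -Path $GroupsOU -PassThru
Add-ADGroupMember -Identity $sales -Members $user

# U (only with -Universal): a universal group (name Sales_Forest is invented here) makes the
# function visible forest-wide through the global catalog; it holds the global group and is
# itself nested into the domain local group.
$toNest = $sales
if ($Universal) {
    $toNest = New-ADGroup -Name 'Sales_Forest' -GroupScope Universal -GroupCategory Security -Path $GroupsOU -PassThru
    Add-ADGroupMember -Identity $toNest -Members $sales
}

# DL: a domain local group named after what its members may do on the resource.
$salesRead = New-ADGroup -Name 'Sales_Lectura' -GroupScope DomainLocal -GroupCategory Security -Path $GroupsOU -PassThru
Add-ADGroupMember -Identity $salesRead -Members $toNest

# P: permissions go to the domain local group only. The rule is built from the group's SID so
# it applies even before the new object can be resolved by name on the file server.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $salesRead.SID,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,   # the usual read-only set
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -LiteralPath $Folder
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Folder -AclObject $acl

# Verify the chain: User1 should now appear as an indirect member of the domain local group.
Get-ADGroupMember -Identity $salesRead -Recursive | Select-Object Name, objectClass
```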

http://www.cesarherrada.com/2014/03/grupos-en-active-directory-iv.html
