
Active Directory Groups

I am sure everyone who uses Active Directory has heard of groups. Even on a stand-alone PC you can see a set of local groups. But it is important to know how these groups work and what each type of group really does.

Active Directory in Windows Server 2012 has two group types:

Distribution Group – This is a non-security group whose purpose is to distribute information to a collection of recipients. Because it is not security-enabled it is never added to a user's access token, so it cannot be used to grant permissions. It is used by AD-aware applications, for example Microsoft Exchange, to deliver email to a set of mailboxes.

Security Group – This is a security-enabled group used to grant access permissions to a set of users or computers on a resource. Members receive the group's SID in their access token at logon, so the group can be placed in an ACL, for example to assign permissions on a network share, or used to filter a Group Policy Object. A security group can also be mail-enabled, so it can do everything a distribution group can.


Group Scope

Apart from the group type, each group has a scope. The scope defines the group's boundaries: which objects can be members of it, where its membership is replicated, and where the group can be granted permissions, in the current domain only or across domains in the forest.

There are three group scopes.

Domain Local

This group can have any of the following members:

•    User accounts from any domain in the forest (or from a trusted domain)
•    Computer accounts from any domain in the forest (or from a trusted domain)
•    Universal groups from any domain in the forest
•    Domain local groups from the same domain
•    Global groups from any domain in the forest (or from a trusted domain)

What is limited is where the group can be used: a domain local group can be granted permissions only on resources in its own domain, and its membership is replicated only to the domain controllers of that domain. That makes it the natural place to hold resource permissions, while the user accounts sit in global groups that are nested into it.

Global Group

This group can have the following members, all of which must come from the same domain as the group:

•    User accounts
•    Computer accounts
•    Other global groups from the same domain

The group itself can be granted permissions on any resource in the forest, in the same domain or a different one, and in trusting domains. Its membership, however, is replicated only to the domain controllers of its own domain: the global catalog holds the group object but not its member list. That is why global group membership is cheap to change, and why it is the usual place to collect user accounts.

Universal Group

This group can have the following members, from any domain in the forest:

•    User accounts
•    Computer accounts
•    Other universal groups
•    Global groups

It can be granted permissions in any domain in the forest and in trusting forests. Universal group membership is stored in the global catalog, so every membership change replicates to all GC servers in the forest (with linked-value replication, available at Windows Server 2003 forest functional level and above, only the changed member value replicates rather than the whole list). Keep universal group membership stable: nest global groups in them rather than adding individual users.
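The scope rules above are easiest to remember as the AGDLP pattern: Accounts go into Global groups, Global groups into Domain Local groups, and the Domain Local group gets the Permission. The following PowerShell is added here as an example and is not part of the original post. It creates one group of each scope, nests them in the allowed direction, shows AD rejecting the disallowed direction (domain local into global), grants a folder permission to the domain local group, and decodes the groupType attribute so you can verify type and scope without the GUI. The domain CORP / corp.example.com, the OU path, the group names and the folder C:\Shares\Finance are assumptions; it needs the ActiveDirectory RSAT module and rights to create groups.

```powershell
# Added example, not code from the original post. Assumed names: domain CORP
# (corp.example.com), OU=Groups, groups G-Finance-Users / DL-FinanceShare-Modify /
# U-AllStaff-DL, and the folder C:\Shares\Finance.
Import-Module ActiveDirectory

$ou = "OU=Groups,DC=corp,DC=example,DC=com"

# A -> G : accounts are collected in a Global group (members must be from this domain)
New-ADGroup -Name "G-Finance-Users" -SamAccountName "G-Finance-Users" `
    -GroupCategory Security -GroupScope Global -Path $ou `
    -Description "Finance staff; membership replicates within this domain only"

# DL : a Domain Local group carries the permission on the resource
New-ADGroup -Name "DL-FinanceShare-Modify" -SamAccountName "DL-FinanceShare-Modify" `
    -GroupCategory Security -GroupScope DomainLocal -Path $ou `
    -Description "Modify rights on the Finance folder"

# U : a Universal distribution group, e.g. a forest-wide mail list stored in the GC
New-ADGroup -Name "U-AllStaff-DL" -SamAccountName "U-AllStaff-DL" `
    -GroupCategory Distribution -GroupScope Universal -Path $ou `
    -Description "Mail distribution list; membership replicates to every GC"

# G -> DL nesting is allowed (global groups from anywhere in the forest)
Add-ADGroupMember -Identity "DL-FinanceShare-Modify" -Members "G-Finance-Users"

# DL -> G nesting is NOT allowed; the directory rejects it. Shown here on purpose.
try {
    Add-ADGroupMember -Identity "G-Finance-Users" -Members "DL-FinanceShare-Modify" -ErrorAction Stop
} catch {
    Write-Warning "Expected failure (domain local cannot be a member of global): $($_.Exception.Message)"
}

# DL -> P : grant the permission to the Domain Local group, never to users directly
$folder = "C:\Shares\Finance"
$acl  = Get-Acl -Path $folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "CORP\DL-FinanceShare-Modify",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify type and scope straight from the groupType bit flags:
#   0x00000002 global, 0x00000004 domain local, 0x00000008 universal,
#   0x80000000 security-enabled (absent on a distribution group)
Get-ADGroup -Filter 'Name -like "G-*" -or Name -like "DL-*" -or Name -like "U-*"' `
    -SearchBase $ou -Properties groupType |
    Select-Object Name, GroupCategory, GroupScope,
        @{ n = 'groupTypeHex'; e = { '0x{0:X8}' -f $_.groupType } }
```

The groupType column is the attribute an attacker or an audit tool reads over LDAP; a security global group shows 0x80000002, a security domain local group 0x80000004, and the universal distribution group 0x00000008, confirming it carries no security bit and can never appear in a token.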


Nested Groups

This is one of the nice features we can use for permission delegation. You can make a group a member of another group, subject to the scope rules above. For example, a group created for the IT department can be a member of an "All Staff" group, and any permission granted to "All Staff" applies to the IT members as well. The same mechanism cuts the other way: a user who is nested two or three groups deep into "Domain Admins" is a domain admin, but does not appear as a direct member. Effective membership of privileged groups should therefore always be checked recursively, not by looking at the direct member list.
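The following PowerShell is added here as an example and is not part of the original post. It shows the difference between direct and effective membership of a privileged group using three queries: the plain member list, Get-ADGroupMember -Recursive, and an LDAP query with the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which makes the domain controller walk the memberOf chain itself and also returns the intermediate groups. It assumes the ActiveDirectory module and the built-in Domain Admins group; the nested groups and users it lists are whatever exists in your domain.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module and the built-in "Domain Admins" group; change $targetName to audit
# any other group.
Import-Module ActiveDirectory

$targetName = "Domain Admins"
$target = Get-ADGroup -Identity $targetName

# 1. Direct members only: a nested group appears as one 'group' row and its
#    users are invisible here.
Write-Host "== Direct members of $targetName =="
Get-ADGroupMember -Identity $target |
    Select-Object objectClass, SamAccountName |
    Format-Table -AutoSize

# 2. -Recursive flattens the nesting but returns only leaf objects, so the
#    path that granted the access (which nested group) is lost. It also fails
#    on very large groups because the AD web service caps the result set.
Write-Host "== Effective members via Get-ADGroupMember -Recursive =="
Get-ADGroupMember -Identity $target -Recursive |
    Select-Object objectClass, SamAccountName |
    Format-Table -AutoSize

# 3. LDAP_MATCHING_RULE_IN_CHAIN: the DC evaluates the transitive memberOf
#    relation server-side. Every object whose memberOf chain reaches the target
#    is returned, including the intermediate groups, so the path can be shown.
#    Caveat: memberOf-based queries do not see membership that comes only from
#    primaryGroupID (e.g. the default "Domain Users" link).
$filter = "(memberOf:1.2.840.113556.1.4.1941:=$($target.DistinguishedName))"
$effective = Get-ADObject -LDAPFilter $filter -Properties memberOf |
    Select-Object objectClass, Name, DistinguishedName, memberOf

# For each object, keep only the parent groups that are themselves part of the
# chain: that is the immediate hop through which the privilege flows.
$chainDns = @($target.DistinguishedName) + @($effective.DistinguishedName)
Write-Host "== Effective members with the group that grants the access =="
foreach ($obj in $effective) {
    $parents = @($obj.memberOf | Where-Object { $chainDns -contains $_ }) |
        ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }
    "{0,-8} {1,-30} via {2}" -f $obj.objectClass, $obj.Name, ($parents -join '; ')
}

# Quick check that nothing slipped through: users that are effective members
# but not direct members are exactly the ones an admin looking at the GUI
# member list would miss.
$direct = @(Get-ADGroupMember -Identity $target | Select-Object -ExpandProperty DistinguishedName)
$hidden = $effective | Where-Object { $_.objectClass -eq 'user' -and $direct -notcontains $_.DistinguishedName }
Write-Host "== Users holding $targetName rights only through nesting =="
$hidden | Select-Object Name, DistinguishedName | Format-Table -AutoSize
```

Run it as part of a periodic review of Domain Admins, Enterprise Admins, Schema Admins and Administrators: the last list is the set of accounts that inherit the privilege through nesting and is the one worth questioning first.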

If you have any questions about the post feel free to contact me on rebeladm@live.com
