Using Active Directory groups

Андрей Михалевский 2,641 Reputation points
2021-09-23T14:25:53.757+00:00

Hello. Can you explain to me in more detail, with examples, where and when I should use any Active Directory group? Where and when do I use local, global, universal? What is the case when I have to grant access somewhere in a trust relationship?


Accepted answer
  1. cthivierge 4,056 Reputation points
    2021-09-23T16:20:10.567+00:00

    Active Directory Security Groups are used to give a user / computer permission to another resource.

    Here are the different group types:

    AD Local Groups:
    This group can have members from its own domain or any trusted domain.

    AD Global Groups:
    This group can have members only from its own domain. It could be a user / computer or a global group from its own domain.

    AD Universal Groups:
    This group can have members from its own domain or any trusted domain. But compared to AD Local Groups, Universal groups can be members of any AD local groups / AD Universal groups of other trusted domains.

    If you plan to have more than 1 domain in your forest, or you plan to have trusts with other domains / forests, then it's important to have a good security model for your AD groups.

    On the other hand, if you think that you will never have a trust with another domain, the type of groups does not change anything.

    Microsoft's approach to group management is AGDLP (or UGLP):
    Accounts into Globals, Globals into Domain Locals, assign Permissions.

    So users should be members of a Global Group, the Global Group a member of a Local Group, and you assign permissions using the Local Group.

    One thing you have to remember before thinking about a massive security model implementation --> Read the KB Article KB327825.

    A user or a computer cannot be a member of more than ±1015 groups (nested groups count too...)
    If you break this limit, you cannot log into your computer... final ;)

    Another thing is token bloat, which is not very common today because of SID compression, but is still accurate if you still have Windows 2008 R2 DCs and lower.

    hth

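The AGDLP nesting and the group-count limit described in the accepted answer, as an added PowerShell example (not code from the answer or from Microsoft): accounts go into a Global group, the Global group into a Domain Local group, and the NTFS permission is granted to the Domain Local group only. The OU path, share path, group names and user name are placeholders; the example assumes the RSAT ActiveDirectory module and rights to create groups and change the folder ACL. The final function reads the constructed `tokenGroups` attribute, which already expands nested membership, so its count approximates the group SIDs that will land in the logon token.

```powershell
# Added example, not from the answer: AGDLP layout plus a token-group count check.
# Placeholders: OU path, share path, group names, user name.
Import-Module ActiveDirectory

$ou        = 'OU=Groups,DC=corp,DC=example'   # placeholder OU for the new groups
$sharePath = '\\fileserver\Finance'           # placeholder NTFS folder behind the share
$domain    = (Get-ADDomain).NetBIOSName

# A -> G: accounts go into a Global group that describes a role (own domain only).
New-ADGroup -Name 'Role-Finance-Analysts' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Role-Finance-Analysts' -Members 'jdoe'   # placeholder user

# G -> DL: the Global group goes into a Domain Local group that describes the resource.
# A Domain Local group may also hold Global groups from trusted domains, which is how
# access is granted across a trust without touching the resource ACL again.
New-ADGroup -Name 'ACL-Finance-Share-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'ACL-Finance-Share-Modify' -Members 'Role-Finance-Analysts'

# DL -> P: the permission is assigned once, to the Domain Local group, never to users.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\ACL-Finance-Share-Modify",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Count the groups (nested included) that a user's token will carry.
function Get-TokenGroupCount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    # tokenGroups is constructed on the DC, so it must be requested explicitly.
    $obj = [ADSI]"LDAP://$($user.DistinguishedName)"
    $obj.RefreshCache(@('tokenGroups'))
    return $obj.Properties['tokenGroups'].Count
}

$count = Get-TokenGroupCount -SamAccountName 'jdoe'
if ($count -gt 900) {   # warn well before the ~1015 limit from KB327825 is hit
    Write-Warning "jdoe is in $count groups (nested included); approaching the group limit"
} else {
    "jdoe token groups: $count"
}
```

Running the membership check periodically over service accounts and long-tenured users is the cheapest way to notice the limit before a logon fails; the check needs only read access to the directory.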

2 additional answers

  1. Андрей Михалевский 2,641 Reputation points
    2021-09-28T07:22:35.91+00:00

    Local groups are needed to grant rights to resources.
    Global groups unite departments.
    Universal - used when there is more than one domain in the forest.

    • And what do I do when I need to grant access to resources of another domain in another forest with a trust relationship?

  2. Philippe Levesque 5,691 Reputation points MVP
    2021-09-23T14:37:24.237+00:00

    Hi

    I will quote an article;

    About Active Directory groups

    Groups are used to collect user accounts, computer accounts, and other groups into manageable units. Working with groups instead of with individual users helps simplify network maintenance and administration.

    There are two types of groups in Active Directory:

    Distribution groups: Used to create email distribution lists.

    Security groups: Used to assign permissions to shared resources.

    Security groups

    Security groups can provide an efficient way to assign access to resources on your network. By using security groups, you can:

    Assign user rights to security groups in Active Directory.

    User rights are assigned to a security group to determine what members of that group can do within the scope of a domain or forest. User rights are automatically assigned to some security groups when Active Directory is installed to help administrators define a person's administrative role in the domain.

    For example, a user who is added to the Backup Operators group in Active Directory has the ability to back up and restore files and directories that are located on each domain controller in the domain. This is possible because, by default, the user rights Backup files and directories and Restore files and directories are automatically assigned to the Backup Operators group. Therefore, members of this group inherit the user rights that are assigned to that group.

    You can use Group Policy to assign user rights to security groups to delegate specific tasks. For more information about using Group Policy, see User Rights Assignment.

    Assign permissions to security groups for resources.

    Permissions are different than user rights. Permissions are assigned to the security group for the shared resource. Permissions determine who can access the resource and the level of access, such as Full Control. Some permissions that are set on domain objects are automatically assigned to allow various levels of access to default security groups, such as the Account Operators group or the Domain Admins group.

    Security groups are listed in DACLs that define permissions on resources and objects. When assigning permissions for resources (file shares, printers, and so on), administrators should assign those permissions to a security group rather than to individual users. The permissions are assigned once to the group, instead of several times to each individual user. Each account that is added to a group receives the rights that are assigned to that group in Active Directory, and the user receives the permissions that are defined for that group.

    Like distribution groups, security groups can be used as an email entity. Sending an email message to the group sends the message to all the members of the group.

    For an explanation of the group scopes, global, universal, etc., please see the full article there, it's well written;

    Active Directory Security Groups

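The quoted article says permissions should go on security groups, not on individual users. Below is an added PowerShell audit (not from the article or the answer) that walks a folder's DACL and reports explicit ACEs granted directly to user accounts; inherited entries and well-known local principals are skipped because they are not objects in the directory. The share path is a placeholder, and the example assumes the RSAT ActiveDirectory module and read access to the folder and the domain.

```powershell
# Added example, not from the quoted article: find DACL entries granted to
# individual users instead of security groups. Placeholder: the share path.
Import-Module ActiveDirectory

function Get-DirectUserAces {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Inherited entries were set on a parent; report only what was set here.
        if ($ace.IsInherited) { continue }

        $id = $ace.IdentityReference.Value
        # BUILTIN\, NT AUTHORITY\, NT SERVICE\ and raw SIDs are not AD accounts.
        if ($id -notmatch '\\' -or
            $id -match '^(BUILTIN|NT AUTHORITY|NT SERVICE)\\' -or
            $id -match '^S-1-') { continue }

        # DOMAIN\name -> sAMAccountName; escape quotes for the LDAP filter.
        $sam = $id.Split('\')[-1].Replace("'", "''")
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -Properties objectClass
        if ($null -eq $obj) { continue }

        if ($obj.ObjectClass -eq 'user') {
            [pscustomobject]@{
                Path      = $Path
                Principal = $id
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
            }
        }
    }
}

# On a folder that follows the "groups only" rule this returns nothing.
Get-DirectUserAces -Path '\\fileserver\Finance' | Format-Table -AutoSize
```

Each row returned is a permission that will survive the user's move between roles and will not be reviewed when the group membership is, so it belongs in a group instead; running the function over a list of shares gives a quick inventory of where the group model has been bypassed.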