47451047 asked:

Using Active Directory groups

Hello. Can you explain to me in more detail, with examples, where and when I should use any Active Directory group? Where and when do I use local, global, universal? What is the case when I have to grant access somewhere in a trust relationship?

windows-active-directory

cthivierge answered:

Active Directory security groups are used to give a user / computer permissions on another resource.

Here are the different group types:

AD Local Groups:
This group can have members from its own domain or any trusted domain.

AD Global Groups:
This group can have members only from its own domain. It could be a user / computer or a global group from its own domain.

AD Universal Groups:
This group can have members from its own domain or any trusted domain. But compared to AD local groups, universal groups can be members of any AD local groups / AD universal groups of other trusted domains.

If you plan to have more than one domain in your forest, or you plan to have trusts with other domains / forests, then it's important to have a good security model for your AD groups.

On the other hand, if you think that you will never have a trust with another domain, the type of the groups does not change anything.

Microsoft's approach to group management is AGDLP (or UGLP):
Accounts into Globals, Globals into Domain Locals, assign Permissions.

So users should be members of a global group, the global group a member of a local group, and you assign permissions using the local group.


One thing you have to remember before thinking about a massive security model implementation: read the KB article KB327825.

A user or a computer cannot be a member of more than ±1015 groups (nested groups count too).
If you break this limit, you cannot log into your computer... final ;)

Another thing is token bloat, which is not very common today because of SID compression, but still accurate if you still have Windows 2008 R2 DCs and lower.



hth

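The AGDLP chain described in this answer, as an added PowerShell example that is not part of the thread (the group names, OU path, share path, accounts and the trusted forest's DC are assumptions); it also shows the cross-forest case and a membership count against the ±1015-group limit mentioned above:

```powershell
# Added example (not from the thread): build an AGDLP chain with the
# ActiveDirectory module. Names, OU, share and accounts are assumptions.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example'   # assumed OU for the groups

# A -> G: accounts go into one global group per department (same domain only)
New-ADGroup -Name 'G-Accounting-Users' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'G-Accounting-Users' -Members 'alice', 'bob'   # assumed accounts

# DL: one domain local group per resource and access level
New-ADGroup -Name 'DL-FinanceShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou

# G -> DL: the department group is nested into the resource group
Add-ADGroupMember -Identity 'DL-FinanceShare-Modify' -Members 'G-Accounting-Users'

# P: the permission is assigned once, to the domain local group, never to users
$share = '\\fs01\Finance'                # assumed file share
$acl   = Get-Acl -Path $share
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\DL-FinanceShare-Modify', 'Modify',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Cross-forest: a global group from a trusted forest cannot join this domain's
# global group, but it can be nested into the domain local group. AD stores it
# as a foreign security principal; binding by SID avoids resolving the DN here.
# (Assumes a trust with partner.example and a reachable DC there.)
$foreign = Get-ADGroup -Identity 'G-Auditors' -Server 'dc1.partner.example'
$dl = [ADSI]"LDAP://CN=DL-FinanceShare-Modify,$ou"
$dl.Add("LDAP://<SID=$($foreign.SID.Value)>")

# Check against the ~1015-group logon limit: tokenGroups is the DC-computed
# list of effective (nested) security group SIDs for the account
$tg = (Get-ADUser -Identity 'alice' -Properties tokenGroups).tokenGroups
"alice is in $($tg.Count) security groups (including nested)"
```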

47451047 commented:

Hello.

I think I'm beginning to understand. But I lack practical examples.

  1. I am not able to add a group or members from another domain with a trust relationship to the universal group. Only the local one sees the other trusted domain.

  • Can you give me a couple of examples of where and when the groups would apply?

  • I have read that local groups are correct to apply when joining a department, let's say accounting or the IT department.

  • Global groups include local groups and are used to access resources.

  • Universal groups combine groups from other domains with a trust relationship. But I have now created a universal group and it does not see other domains.

I don't understand how to build the structure correctly.

yagmoth555 answered:

Hi

I will quote an article:

About Active Directory groups

Groups are used to collect user accounts, computer accounts, and other groups into manageable units. Working with groups instead of with individual users helps simplify network maintenance and administration.

There are two types of groups in Active Directory:

  • Distribution groups: used to create email distribution lists.
  • Security groups: used to assign permissions to shared resources.

Security groups

Security groups can provide an efficient way to assign access to resources on your network. By using security groups, you can:

  • Assign user rights to security groups in Active Directory.
  User rights are assigned to a security group to determine what members of that group can do within the scope of a domain or forest. User rights are automatically assigned to some security groups when Active Directory is installed to help administrators define a person's administrative role in the domain.
  For example, a user who is added to the Backup Operators group in Active Directory has the ability to back up and restore files and directories that are located on each domain controller in the domain. This is possible because, by default, the user rights Backup files and directories and Restore files and directories are automatically assigned to the Backup Operators group. Therefore, members of this group inherit the user rights that are assigned to that group.
  You can use Group Policy to assign user rights to security groups to delegate specific tasks. For more information about using Group Policy, see User Rights Assignment.
  • Assign permissions to security groups for resources.
  Permissions are different than user rights. Permissions are assigned to the security group for the shared resource. Permissions determine who can access the resource and the level of access, such as Full Control. Some permissions that are set on domain objects are automatically assigned to allow various levels of access to default security groups, such as the Account Operators group or the Domain Admins group.
  Security groups are listed in DACLs that define permissions on resources and objects. When assigning permissions for resources (file shares, printers, and so on), administrators should assign those permissions to a security group rather than to individual users. The permissions are assigned once to the group, instead of several times to each individual user. Each account that is added to a group receives the rights that are assigned to that group in Active Directory, and the user receives the permissions that are defined for that group.

Like distribution groups, security groups can be used as an email entity. Sending an email message to the group sends the message to all the members of the group.

For an explanation of the group scopes (global, universal, etc.), please see the full article there; it's well written:

Active Directory Security Groups

47451047 answered:

Local groups are needed to grant rights to resources.
Global groups unite departments.
Universal groups are used when there is more than one domain in the forest.

  • And what do I do when I need to grant access to resources of another domain in another forest with a trust relationship?
