Group Summary

A group is used to collect user accounts, computer accounts, and other group accounts into manageable units. Working with groups instead of individual user accounts helps simplify network maintenance and administration. For instance, users in a group receive all the user rights assigned to the group and all the permissions assigned to the group on any shared resources.

Like user accounts, there are both local and domain groups.

  • Local groups exist only on the local computer and control access to local resources.
  • Domain groups exist in Active Directory and can be used to control access to domain and local resources. Enterprise environments primarily use domain groups to implement user management.

In addition to the group scope, there are two types of groups:

Group Type Description
Security A security group is one that can be used to manage rights and permissions.

  • Group members receive the permissions that are granted to the group.
  • A security group represents an object with a security identifier (SID). Through the member attribute, other objects such as users, computers, contacts, and other groups become members of the security group.
  • A security group can be added to the Security tab of an object.
Distribution A distribution group is used to maintain a list of users and is typically used for sending e-mails to all group members. Distribution groups cannot be used for assigning permissions.

Active Directory groups have a group scope. The scope defines the potential group membership and the resource access that can be controlled through the group. The following table lists the different security group scopes and their membership and use.

Group scope Membership Resource Access
Local Local groups can contain members only from the local computers or member servers. These include:

  • The local users group.
  • The local administrators group.
  • A local operators group.
Local groups can be assigned permissions on the local client to group together rights and permissions.Create local groups representative of the resources to which you want to control access, and then assign permissions on the resource to the group.
Domain Local Domain local groups can contain members from any domain in the forest. These include:

  • Domain local groups in the same domain.
  • Global groups within the forest.
  • Universal groups within the forest.
  • Users and computers within the forest.
Domain local groups can be assigned permissions within a domain.Create domain local groups representative of the domain controller resources to which you want to control access, and then assign permissions on the resource to the group.
Global Global groups can contain members within the same domain. These include:

  • Global groups in the same domain.
  • Users and computers within the same domain.

Use global groups to group users and computers within the domain who have similar access needs.

Global groups can be assigned permissions to resources anywhere in the forest.Create global groups to organize users (e.g., Sales or Development).
Universal Universal groups can contain members from any domain in the forest. These include:

  • Universal groups within the forest.
  • Global groups within the forest.
  • Users and computers within the forest.
Universal groups can be assigned permissions to resources anywhere in the forest.Universal group membership should be relatively stable. For this reason, you should add only global or other universal groups to universal groups. Avoid adding user accounts directly to universal groups.

Group membership is an attribute of a group. To query for group members:

  • Using a DS command, enter dsget at the command line and specify the group name and other parameters. For example, to get the full name of each member of the salesusers group in the sales OU in datacoincide.com, enter:

    dsget group “cn=salesusers,ou=sales,cd=datacoincide,dc=com” -members -expand

  • Using PowerShell, enter get-adgroupmember and the name of the group. For example, to get the full name of each member of the salesusers group in the sales OU in datacoincide.com, enter:

    get-adgroupmember salesusers

    To get the users’ names and their SAM account names piped into a table format, enter:

    get-adgroupmember salesusers | FT name,samaccountname

Be aware of the following when managing groups:

  • The basic best practices for user and group security are:
    • Create groups based on user access needs.
    • Assign user accounts to the appropriate groups.
    • Assign permissions to each group based on the resource needs of the users in the group and the security needs of your network.
  • After creating a group, you may need to convert the group’s scope and/or type.
    • Converting a security group to a distribution group removes permissions assigned to the group. This could prevent or allow unwanted access.
    • You cannot directly convert a group from global to domain local or domain local to global. Instead, convert the group to a universal group and apply the changes, then convert the group to the desired scope.
    • If a global group is nested in another global group, the nested global group cannot be converted to a universal group because a universal group cannot be a member of a global group.
  • To add or remove members of a group, use one of the following methods:
    • On the group object, edit the Members tab and add the group members. Use this method to efficiently add multiple members to the same group.
    • On the user account, edit the Members Of tab and select the group to which you want to add the user. The Member Of tab displays all of groups to which the object is a member. Use this method to efficiently add a single user to multiple groups.

    Because a group can be a member of another group, a group object also has a Member Of tab. Adding objects to the Member Of tab for a group makes the group a member of another group (it does not add members to the group).

  • When you delete a group, all information about the group (including any permissions assigned to the group) is deleted. User accounts, however, are not deleted. They are simply no longer associated with the group. If you delete the group, use one of the following strategies to recover it:
    • Recreate the group, add all the original group members, and reassign any permissions granted to the group.
    • Restore the group from a recent backup.
  • Microsoft recommends using the AGDLP strategy for creating and managing groups. The goal of AGDLP is to create role-based access controls using nested groups. The AGDLP strategy is composed of the following:
    • Accounts (including both users and computers)
    • Global groups (representing specific job functions or roles in an organization)
    • Domain Local groups (used to define resource permissions or user rights assignments)
    • Permissions

    To implement an AGDLP strategy:

    1. Create the necessary user and/or computer accounts.
    2. Create a global group and add the accounts as members.
    3. Create a Domain Local group in the domain that contains the resource you need to grant the accounts access to.
    4. Add the global group as a member of this Domain Local group.
    5. Assign permissions for the resource to the domain local group.
Coaching
© Data Coincide, LLC 2010-2019