GitHubFacebookLinkedin

📑AD Groups

Idea of AD Groups ?

What is AD Groups ?

An Active Directory Group is a logical object in Active Directory used to manage a collection of users, computers, or other groups for the purpose of simplifying administration, access control, and policy application. Groups allow administrators to assign permissions, distribute policies, or manage resources efficiently by applying settings to the group rather than individual objects.

Key characteristics of AD Groups

  • Logical Collection: Groups are containers that hold multiple objects (e.g., users, computers, or nested groups) to streamline management tasks.

  • Security and Distribution: Groups can be used for security purposes (granting access to resources) or distribution purposes (email distribution lists).

  • Scope: Groups have a defined scope (domain-local, global, or universal) that determines their visibility and usage within a domain or forest.

  • Membership: Groups can include users, computers, or other groups from the same domain or, in some cases, across domains in a forest.

Components of Active Directory Groups

To understand AD Groups, let’s Deep Dive into their key components and related elements:

  1. Group Types

    AD Groups are categorized into two main types based on their purpose:

    • Security Groups:

      • Purpose: Used to manage access to resources (files, folders, printers) and assign permissions.

      • Functionality: Can be assigned permissions in Access Control Lists (ACLs) and linked to GPOs for policy application.

      • Example: The SalesTeam security group is granted read/write access to a shared folder.

      • Dual Use: Security groups can also function as distribution groups for email if mail-enabled in environments like Microsoft Exchange.

    • Distribution Groups:

      • Purpose: Used only for email distribution (Sending emails to multiple users at once).

      • Functionality: Cannot be used for permissions or GPO assignments; primarily used with email systems like Exchange.

      • Types of Distribution Groups

      Type

      Description

      Use Case

      Standard Distribution Group

      Basic email list with static members.

      Sending newsletters to a fixed group.

      Dynamic Distribution Group

      Membership updates automatically based on AD attributes (e.g., department, location).

      Emails all "Sales" users without manual updates.

      • Example: The AllEmployees distribution group sends company-wide announcements via email.

      • EAllEmployees@company.com → Sends emails to every employee.

  2. Group Scopes

    Groups have one of three scopes, which determine their visibility and usage within a domain or forest:

    • Domain-Local Groups:

      • Scope: Visible only within the domain where they are created, Give permission for only resources Within the Domain it Was created in.

      • Membership: Can include users, computers, or groups from any domain in the forest (or trusted domains).

      • Use: Typically used to assign permissions to resources within the same domain(Local Domains).

      • Example: Group named DL_FileAccess in example.com grants access to a local file server and includes members from sales.example.com.

      • If you create DL_Finance_Printers in DomainA, it cannot grant permissions to resources in DomainB Only Resources or in DomainA.

      • They are used to manage access to local resources (shared folders, printers, applications).

    • Global Groups:

      • Scope: Visible across the entire forest but can only include members from the same domain OR Can be assigned Permissions to resources in any domain in the forest or trusted forests.

      • Membership: Limited to users, computers, or other global groups from the same domain OR Can only be from the same domain where the Global Group is created.

      • Use: Often used to organize users or computers for broader access across domains.

      • Example: Group named G_SalesUsers in sales.example.com contains all Sales users and is added to a domain-local group in example.com for resource access.

    • Universal Groups:

      • Scope: Visible across the entire forest and stored in the global catalog and used mainly in multi-domain environments.

      • Membership: Can include users, computers, or groups from any domain in the forest.

      • Use: Main usage is to group Users, computers, global groups, and other universal groups from any domain in the same Forest and Can be assigned permissions to Resources in any domain in the forest.

      • Example

        You have two domains:

        • cairo.company.com

        • dubai.company.com

        There are Sales users in both domains. You want to:

        • Group them together

        • Give them access to a shared app in a third domain (apps.company.com)

        Solution:

        1. Create a Universal Group: Sales_All_Universal

        2. Add users from cairo and dubai domains to this group

        3. Grant access permissions to Sales_All_Universal on the application in apps.company.com

        4. Done. One group, cross-domain members, access granted anywhere.

  3. Group Membership

    • Members: Groups can contain users, computers, contacts, or other groups (nested groups).

    • Nesting: Groups can be nested to create hierarchical relationships, simplifying management.

      • Example: The G_SalesUsers global group is nested within the DL_FileAccess domain-local group to grant permissions.

    • Membership Rules

      • Domain-local groups can include members from any domain in the forest or trusted domains.

      • Global groups are limited to members from the same domain it was created from.

      • Universal groups can include members from any domain in the forest.

      • Dynamic Groups (in modern AD environments): Membership can be defined by rules (all users with a specific attribute, like department=Sales), available in Azure AD or with third-party tools also that to Support Role Based ACL for Identity management across Environment.

    • Distinguished Name (DN)

      • Definition: The unique identifier for a group, based on its location in the domain and OU hierarchy.

      • Format: Uses LDAP notation, with CN (Common Name) for the group name, OU for Organizational Units, and DC for Domain Components.

      • Example: A group SalesTeam in the Groups OU of sales.example.com has the DN:

      CN=SalesTeam,OU=Groups,OU=Sales,DC=sales,DC=example,DC=com

    • Security Identifier (SID)

      • Definition: A unique identifier assigned to each group, used by Windows for security operations (access control).

      • Role: SIDs are included in access tokens during authentication to determine permissions.

      • Example: When a user in SalesTeam accesses a folder, the group’s SID is checked against the folder’s ACL.

    • Active Directory Database

      • Storage: Groups are stored in the domain’s AD database (NTDS.dit) as objects in the domain naming context.

      • Replication: Group objects and their attributes (membership) are replicated among domain controllers in the same domain.

      • Global Catalog: Universal groups and their membership are replicated to the global catalog for forest-wide visibility.

Logical Structure of Active Directory Groups

The logical structure of AD Groups refers to how they are organized and managed within a domain and how they interact with OUs, domains, and forests. Groups are objects stored within a domain, often placed in OUs for organizational purposes, and their scope determines their role in the AD hierarchy.

  1. Placement in OUs

    • Organization: Groups are typically stored in OUs to align with administrative or functional structures.

    • Purpose: Placing groups in OUs (e.g., Groups OU) simplifies management and allows GPOs to be applied to groups.

    • Example : 

sales.example.com (Domain)
├── Sales (OU)
│   ├── Users (OU)
│   │   └── User: john.doe
│   ├── Computers (OU)
│   │   └── Computer: PC001
│   └── Groups (OU)
│       └── Group: SalesTeam
├── Marketing (OU)
└── IT (OU)

  1. Group Scope and Hierarchy

Hierarchy: Groups can be nested to create a logical hierarchy, following the AGDLP (Accounts → Global → Domain-Local → Permissions) or AGUDLP (Accounts → Global → Universal → Domain-Local → Permissions) strategy for best practices.

  1. GPO Filtering

    • Mechanism: Security groups can filter GPOs linked to OUs, ensuring policies apply only to group members.

    • Example: A GPO linked to the Sales OU is filtered to apply only to the SalesTeam group, excluding other users in the OU.

Groups in the Context of Active Directory Forests

AD Groups are domain-level objects but play a critical role in the broader Active Directory hierarchy, including domains, domain trees, and forests. Let’s explore their integration and interaction.

  1. Groups in the Forest Hierarchy

    • Forest Structure Recap:

      • A forest contains one or more domain trees (e.g., example.com, anothercorp.com).

      • A domain tree contains domains (e.g., example.com, sales.example.com).

      • A domain contains OUs and groups.

      • Groups are objects within a domain, often stored in OUs, with scopes determining their forest-wide role.

    • Example:

Forest
├── Tree 1: example.com
│   ├── example.com (Root Domain)
│   │   ├── Sales (OU)
│   │   │   ├── Users (OU)
│   │   │   └── Groups (OU)
│   │   │       └── Group: SalesTeam (Global)
│   │   └── IT (OU)
│   │       └── Groups (OU)
│   │           └── Group: ITAdmins (Domain-Local)
│   └── sales.example.com (Child Domain)
│       ├── Marketing (OU)
│       │   └── Groups (OU)
│       │       └── Group: MarketingTeam (Global)
│       └── Groups (OU)
│           └── Group: FileAccess (Domain-Local)
└── Tree 2: anothercorp.com
    ├── anothercorp.com (Root Domain)
    │   ├── Finance (OU)
    │   │   └── Groups (OU)
    │   │       └── Group: FinanceTeam (Global)
    │   └── Groups (OU)
    │       └── Group: U_AllEmployees (Universal)

  1. Logical Structure of Groups in a Forest

    • Domain-Level: Groups are created and stored in a specific domain, often within an OU for organization.

    • Forest-Wide Access:

      • Universal groups are replicated to the global catalog, making them available across the forest.

      • Global groups can be nested in domain-local or universal groups in other domains, enabling cross-domain access.

      • Domain-local groups are used for resources within their domain but can include members from other domains via trusts.

  2. Trust Relationships:

    • Groups leverage forest-wide transitive trusts to enable cross-domain access.

    • Example: A user in SalesTeam (global group in sales.example.com) is added to DL_FileAccess(domain-local group in example.com) to access a file server.

  3. Global Catalog:

    • Universal groups and their membership are stored in the global catalog, enabling forest-wide queries.

    • Example: A user searching for U_AllEmployees can find it via the global catalog, regardless of their domain.

  4. How Groups Interact in a Forest

    • Resource Access:

      • Groups enable users in one domain’s OU (Sales\Users in sales.example.com) to access resources in another domain (e.g., a server in anothercorp.com) via nested groups and trusts.

      • Example: G_SalesUsers (global) is nested in DL_ServerAccess (domain-local in anothercorp.com) for server access.

    • Policy Application:

      • Security groups filter GPOs within a domain, not across domains.

      • Example: A GPO in sales.example.com applies to SalesTeam but not to FinanceTeam in anothercorp.com.

Real-World Example

Consider GlobalCorp, a multinational corporation with a forest containing multiple domains and OUs:

  • Forest Structure:

    • Tree 1: globalcorp.com

      • na.globalcorp.com (North America domain)

      • eu.globalcorp.com (Europe domain)

    • Tree 2: acquiredcorp.com

      • hr.acquiredcorp.com (HR domain)

  • Group Example: Within the na.globalcorp.com domain

    • Logical Structure:

na.globalcorp.com (Domain)
├── Sales (OU)
│   ├── Users (OU)
│   │   └── User: john.doe
│   ├── Computers (OU)
│   │   └── Computer: PC001
│   └── Groups (OU)
│       ├── Group: G_SalesUsers (Global, Security)
│       └── Group: DL_SalesFileAccess (Domain-Local, Security)
├── IT (OU)
│   ├── Admins (OU)
│   │   └── Group: G_ITAdmins (Global, Security)
│   └── Groups (OU)
│       └── Group: DL_ServerAccess (Domain-Local, Security)
└── Forest-Wide Groups (OU)
    └── Group: U_AllEmployees (Universal, Security)

Components:

  • Groups:

    • G_SalesUsers: Global security group containing Sales users (john.doe).

    • DL_SalesFileAccess: Domain-local security group granting access to a Sales shared folder, includes G_SalesUsers.

    • G_ITAdmins: Global security group for IT administrators.

    • DL_ServerAccess: Domain-local group granting server access, includes G_ITAdmins and G_SalesUsers.

    • U_AllEmployees: Universal group including users from na.globalcorp.com and hr.acquiredcorp.com for forest-wide access.

  • GPOs:

    • A GPO linked to Sales OU is filtered to G_SalesUsers, applying a CRM configuration.

    • A GPO linked to IT OU is filtered to G_ITAdmins, configuring admin tools.

  • Permissions:

    • DL_SalesFileAccess has read/write access to a Sales folder.

    • DL_ServerAccess has administrative access to a server.

  • DN Example: The G_SalesUsers group has the DN:

CN=G_SalesUsers,OU=Groups,OU=Sales,DC=na,DC=globalcorp,DC=com

  • Functionality:

    • Access Control: Users in G_SalesUsers access a shared folder via DL_SalesFileAccess.

    • Policy Application: A GPO applies desktop settings to G_SalesUsers in the Sales OU.

    • Cross-Domain Access: U_AllEmployees includes G_SalesUsers and G_FinanceTeam (from hr.acquiredcorp.com) for a shared application.

    • Administration: The Sales team lead manages G_SalesUsers membership, delegated via the Sales\Groups OU.

  • Forest Context:

    • Groups in na.globalcorp.com interact with groups in hr.acquiredcorp.com via transitive trusts.

    • U_AllEmployees is stored in the global catalog, enabling forest-wide access.

    • Domain Admins in na.globalcorp.com manage local groups, while Enterprise Admins in globalcorp.com can manage U_AllEmployees.

PreviousOrganizational Units (OUs)NextDelegation of Control

Last updated