
Active Directory Groups

Everyone who uses Active Directory has heard about groups; even a stand-alone PC has a set of built-in local groups. What matters is how these groups work and what each type of group actually does.

Windows Server 2012 has two group types.

Distribution Group – This is a non-security group; its purpose is to distribute information to a set of users. AD-aware applications use it, for example Microsoft Exchange uses distribution groups to deliver email to their members. A distribution group is not added to a user's access token, so it cannot be used to grant or deny access to a resource.

Security Group – This is a security-related group used to grant permissions on resources to a set of users, for example to assign permissions on a network share. A security group can also be mail-enabled and used for email distribution, but a distribution group cannot be used for permissions.

Group Scope

Apart from the group type, each group has a scope, which defines its boundary. A group can be limited to the current domain or extended to other domains in the forest.

There are three group scope levels.

Domain Local

A domain local group can contain any of the following:

•    User accounts from any domain in the forest or from a trusted domain
•    Computer accounts from any domain in the forest or from a trusted domain
•    Universal groups from any domain in the forest
•    Domain local groups from the same domain
•    Global groups from any domain in the forest or from a trusted domain

The scope is limited to the same domain: a domain local group can only be used to assign permissions on resources in the domain where it was created.

Global Group

A global group can contain any of the following, all from the same domain:

•    User accounts
•    Computer accounts
•    Other global groups from the same domain

A global group can be used to assign permissions on resources anywhere in the forest, in the same domain or in a different one, and in trusting domains. Its membership is only replicated to the domain controllers of its own domain; the global catalog holds the group object but not its member list, so membership changes do not cause forest-wide replication.

Universal Group

A universal group can contain any of the following, from any domain in the forest:

•    User accounts
•    Computer accounts
•    Other universal groups
•    Global groups

A universal group can be used to assign permissions in any domain in the forest and in trusting forests. Universal group membership is stored in the global catalog, so every membership change is replicated to every GC server in the forest. Keep the direct membership of universal groups small and stable (nest global groups in them rather than individual users) to limit replication traffic.
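As an added example (not code from the original post), the following PowerShell creates one group for each type/scope combination described above and decodes the raw groupType attribute in which AD stores both the type and the scope. It assumes the RSAT ActiveDirectory module, rights to create groups, and a placeholder OU of OU=Groups,DC=corp,DC=example; the group names are invented.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) and rights to create groups in the placeholder OU below.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example'    # assumption: adjust to your domain

# One group per type/scope combination discussed in the text (names are invented).
New-ADGroup -Name 'IT-Department'       -GroupCategory Security     -GroupScope Global      -Path $ou
New-ADGroup -Name 'FS01-Finance-Modify' -GroupCategory Security     -GroupScope DomainLocal -Path $ou
New-ADGroup -Name 'Forest-Helpdesk'     -GroupCategory Security     -GroupScope Universal   -Path $ou
New-ADGroup -Name 'All-Staff-Mail'      -GroupCategory Distribution -GroupScope Universal   -Path $ou

# AD stores type and scope together in the groupType bitmask:
#   0x00000002 = Global, 0x00000004 = Domain Local, 0x00000008 = Universal,
#   0x80000000 = security-enabled (bit absent means distribution group).
# LDAP tools show it as a signed 32-bit integer, e.g. -2147483646 for a security global group,
# which is why decoding it by hand is useful when all you have is raw LDAP output.
function ConvertFrom-GroupType {
    param([Parameter(Mandatory)][long]$GroupType)
    $bits = [uint32]($GroupType -band 0xFFFFFFFF)
    $scope = if     ($bits -band 0x2) { 'Global' }
             elseif ($bits -band 0x4) { 'DomainLocal' }
             elseif ($bits -band 0x8) { 'Universal' }
             else                     { 'Unknown' }
    $category = if ($bits -band 0x80000000) { 'Security' } else { 'Distribution' }
    [pscustomobject]@{ Scope = $scope; Category = $category; Raw = ('0x{0:X8}' -f $bits) }
}

# Decode the groups just created straight from the raw attribute.
Get-ADGroup -SearchBase $ou -Filter * -Properties groupType |
    ForEach-Object {
        $d = ConvertFrom-GroupType $_.groupType
        [pscustomobject]@{ Name = $_.Name; Scope = $d.Scope; Category = $d.Category; groupType = $d.Raw }
    } | Format-Table -AutoSize

# Universal group membership is replicated to every global catalog in the forest, so list
# universal security groups that hold users directly (candidates for nesting global groups instead).
Get-ADGroup -Filter 'GroupScope -eq "Universal" -and GroupCategory -eq "Security"' |
    Where-Object { Get-ADGroupMember -Identity $_ | Where-Object objectClass -eq 'user' } |
    Select-Object Name, DistinguishedName
```

The decoder is the part worth keeping: BloodHound, ldapsearch and ADSI all hand you the signed integer, and the high bit is the only thing separating a group that can appear in an ACL from one that cannot.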

Nested Groups

This is one of the nice features we can use for permission delegation. A group can be made a member of another group. For example, if you create a group for the IT department, it can be a member of an "All Staff" group, and anything granted to All Staff then applies to IT staff as well. The usual pattern is AGDLP: Accounts go into Global groups, Global groups are nested into Domain Local groups, and Permissions are assigned to the domain local group. Nesting also hides membership: an ACL shows only the top-level group, so audit effective membership recursively, and remember that a user's token only picks up new nested membership at the next logon.
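The AGDLP nesting described above, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module, a placeholder domain with NetBIOS name CORP, a share \\FS01\Finance, users alice and bob, and two existing groups, IT-Department (global) and FS01-Finance-Modify (domain local); all of these names are invented.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module (RSAT),
# a domain with NetBIOS name CORP, the share \\FS01\Finance, users alice and bob, and the
# groups IT-Department (global) and FS01-Finance-Modify (domain local). All names are placeholders.
Import-Module ActiveDirectory

$domain    = 'CORP'            # assumption: NetBIOS name of the domain
$sharePath = '\\FS01\Finance'  # assumption: the share being protected

# A -> G: accounts go into the global (role) group.
Add-ADGroupMember -Identity 'IT-Department' -Members 'alice', 'bob'

# G -> DL: the role group is nested into the domain local (resource) group.
Add-ADGroupMember -Identity 'FS01-Finance-Modify' -Members 'IT-Department'

# DL -> P: the permission is granted once, to the domain local group, never to users.
$acl  = Get-Acl -Path $sharePath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domain\FS01-Finance-Modify", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Audit: the ACL and the direct member list only show IT-Department (a group).
Get-ADGroupMember -Identity 'FS01-Finance-Modify' | Select-Object Name, objectClass

# -Recursive expands every level of nesting down to the user and computer objects,
# which is what actually ends up in a token at logon.
function Get-EffectiveMembers {
    param([Parameter(Mandatory)][string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -in 'user', 'computer' } |
        Select-Object -ExpandProperty SamAccountName -Unique
}

# Alternative that avoids the ADWS default 5000-entry limit of Get-ADGroupMember: let the DC
# walk the nesting chain with LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941).
function Get-EffectiveUsersViaLdap {
    param([Parameter(Mandatory)][string]$Group)
    $dn = (Get-ADGroup -Identity $Group).DistinguishedName
    Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object -ExpandProperty SamAccountName
}

Get-EffectiveMembers      -Group 'FS01-Finance-Modify'   # alice, bob
Get-EffectiveUsersViaLdap -Group 'FS01-Finance-Modify'   # alice, bob
```

Run Get-EffectiveMembers against Domain Admins, Enterprise Admins and the built-in Administrators group as a routine check; a group nested several levels deep is how privileged membership slips past a review that only looks at direct members. Note that alice and bob will not see the new share permission until their next logon, because their tokens were built before the nesting changed.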

If you have any questions about the post feel free to contact me on rebeladm@live.com
