
Windows Lesson 06 - Managing Groups

Summary

In this lesson we'll learn how to create and manage security groups in Active Directory.

Security Groups vs Organizational Units

The difference between Security Groups and Organizational Units can be confusing if you're new to Active Directory.  Prior to Active Directory, in Windows NT 4 we didn't have OUs; we had a large unorganized list of users.  We could put users into Groups and use those groups to assign permissions.  For example, you could create a group called Accounting, put all the accounting accounts in it, and grant access to the group.  This was nice because if a new person was hired in the accounting department you would put them in the Accounting group and they would be able to access anything they needed.

In Active Directory, Groups were renamed Security Groups, and Organizational Units were introduced.  Organizational Units allow us to organize our user accounts in a structure that looks like a folder hierarchy.  The OU structure is not used for assigning permissions.  It is used for organizing our user accounts in the Active Directory database.  Each user account has a path like a file on a disk, and that path is made up of OUs.  Mike Smith's path is the following: CN=Mike Smith,OU=Staff,OU=Oak Forest Users,DC=oakforest,DC=org.

Security Groups are used to assign permissions to our resources.  If you create a folder on a server and you only want your accounting department to access it you can use the Accounting security group to do this.  OU membership has no impact on this level of security.  

It is also worth mentioning that a user can be a member of multiple groups, but only one OU.

Group Types

In Windows NT there was one group type, and it was used to assign permissions to resources on the network.  When Active Directory was introduced with Windows 2000 a new type of group was introduced.  Distribution groups were added and can be used by email server software.  The idea is that you create a distribution group and each member of the group gets a copy of any email sent to the distribution group.  A distribution group cannot be used to assign permissions to your network resources.  The groups we knew from Windows NT were renamed Security Groups.  A security group can be used to assign permissions to resources on the network.


Why Use Security Groups?

We use groups to assign permissions to resources on the network.  It is possible to assign permissions to individual accounts, but it isn't considered best practice.  It can increase the amount of administrative work required when people leave, are hired, or change departments.  In the example below we can see that when a new user is hired in the accounting department we need to grant access to each resource that user will need.

If we use groups instead, all we need to do is add the user to the Accounting group and they will be able to access all the needed resources.


Creating Security Groups

We manage our groups using "Active Directory Users and Computers".  We can start the New Group wizard many ways.  We can select the OU in which we want to create the security group and then hit the icon to create a new group.


Or we can select the OU in which we want to create the security group and hit Action- New - Group.


Or we right click on the OU and select New - Group.

Adding Users to Groups

There are multiple ways to add users to a security group.  You can select the user and use the add to a group icon.

You can also add a user to a security group by selecting the user and clicking Action - All Tasks - Add to a group.

We can also add a user to a security group by right-clicking the user and selecting Add to a group.

You can also add multiple people to a security group at once by selecting multiple users and using one of the methods above to add them to a group.  You can select multiple people at once by holding down Ctrl as you select the accounts.
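The same work can be scripted with the ActiveDirectory PowerShell module, which matters once you are creating groups in bulk or want the change recorded in a script. The example below is added here and is not part of the original lesson; it creates a Security group and a Distribution group (the two Group Types above), then adds one user and several users at once, mirroring the ADUC wizard and the Ctrl multi-select. It assumes the lesson's oakforest.org domain and its Staff OU; the "Groups" OU, the department attribute values and the account names msmith, jdoe and abrown are placeholders, not values from the lesson.

```powershell
# Added example, not from the original lesson: create groups and add members with the
# ActiveDirectory module instead of the "Active Directory Users and Computers" wizard.
Import-Module ActiveDirectory

$groupsOu = "OU=Groups,DC=oakforest,DC=org"                       # assumed OU for group objects
$usersOu  = "OU=Staff,OU=Oak Forest Users,DC=oakforest,DC=org"    # Staff OU from the lesson

# Security group: the only category that can be placed on an ACL to grant permissions.
New-ADGroup -Name "Accounting" -SamAccountName "Accounting" `
    -GroupCategory Security -GroupScope Global -Path $groupsOu `
    -Description "All accounting department staff"

# Distribution group: mail recipients only; it cannot be used to assign permissions.
New-ADGroup -Name "Accounting-Mail" -SamAccountName "Accounting-Mail" `
    -GroupCategory Distribution -GroupScope Universal -Path $groupsOu

# Add a single user (the "Add to a group" action on one account). Account name is assumed.
Add-ADGroupMember -Identity "Accounting" -Members "msmith"

# Add several users in one call (the Ctrl multi-select in ADUC). Names are assumed.
Add-ADGroupMember -Identity "Accounting" -Members "jdoe", "abrown"

# Or select members by attribute, so membership follows the account's Department value
# rather than a hand-typed list. -Members accepts the user objects Get-ADUser returns.
$accountingStaff = Get-ADUser -Filter 'Department -eq "Accounting"' -SearchBase $usersOu
if ($accountingStaff) {
    Add-ADGroupMember -Identity "Accounting" -Members $accountingStaff
}

# Verify the result: this is what the group's Members tab shows in ADUC.
Get-ADGroupMember -Identity "Accounting" | Select-Object Name, SamAccountName, objectClass
```

Run this from a machine with RSAT installed, as an account that has rights to create objects in the target OU. The attribute-driven variant is the one worth keeping: it makes "who should be in Accounting" a question answered by the account data rather than by whoever last opened the wizard.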


Group Scopes

The different scope types seen when creating a group differ in who can be a member and where they can be used.  They are outlined below.
  • Domain Local
    • Can contain objects from any domain in your forest.
    • Can be used to assign permissions in its domain only.
  • Global
    • Can contain objects from its domain only.
    • Can be used to assign permissions in any domain in your forest.
  • Universal
    • Can contain objects from any domain in your forest.
    • Can be used to assign permissions in any domain in your forest.


A - G - DL - P

You can choose different ways to set up your groups.  In many environments you will put users in groups and use them to assign permissions.  Microsoft recommends you use the A - G - DL - P method.  With A - G - DL - P you create department-based Global groups and put all the user accounts into them.  Then you create Domain Local groups that are named for the resource and permission they represent.  Use the Domain Local groups to assign the Permissions on your resources.  Finally, put your Global groups into the Domain Local groups and the users will have the permissions you specify.

The advantage of using A - G - DL - P is you can do all your resource assignments in Active Directory.  If you want to give a department access to a resource you put their Global group in the correct Domain Local group.  Another advantage of A - G - DL - P is you can easily see who has access to what by viewing the properties of the Global group.  The Members tab will show you who is in the group and the Member Of tab will show you what they have access to.  This makes doing a security audit a lot easier.
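To make the A - G - DL - P chain concrete, here is an added example (not from the original lesson) that walks each letter in PowerShell: accounts into a Global group, a Domain Local group per resource and permission level, the NTFS permission granted once to the Domain Local group, the Global group nested into it, and finally the audit the lesson describes through the Members and Member Of tabs. It assumes the lesson's oakforest.org domain; the NetBIOS name OAKFOREST, the "Groups" OU, the folder D:\Shares\Finance on the file server, the ACL_<Resource>_<Permission> naming convention and the account names are assumptions.

```powershell
# Added example, not from the original lesson: A - G - DL - P end to end.
# Run on the file server that holds the folder, with rights to create groups in the OU.
Import-Module ActiveDirectory

$groupsOu = "OU=Groups,DC=oakforest,DC=org"   # assumed OU for group objects
$domain   = "OAKFOREST"                       # assumed NetBIOS name of oakforest.org
$folder   = "D:\Shares\Finance"               # assumed resource being protected

# A -> G: accounts go into a department-based Global group (contains its own domain only).
New-ADGroup -Name "Accounting" -GroupCategory Security -GroupScope Global -Path $groupsOu
Add-ADGroupMember -Identity "Accounting" -Members "msmith", "jdoe"   # assumed accounts

# DL: one Domain Local group per resource and permission level, named for what it grants.
New-ADGroup -Name "ACL_Finance_Modify" -GroupCategory Security -GroupScope DomainLocal -Path $groupsOu
New-ADGroup -Name "ACL_Finance_Read"   -GroupCategory Security -GroupScope DomainLocal -Path $groupsOu

# P: the permission is granted once, to the Domain Local group. Users and the Global
# group never appear on the ACL, so access changes are made in AD, not on the folder.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\ACL_Finance_Modify", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# G -> DL: nesting the department group is the step that actually grants access.
Add-ADGroupMember -Identity "ACL_Finance_Modify" -Members "Accounting"

# Audit, as the lesson describes it:
# Members tab of the Global group: who is in the department?
Get-ADGroupMember -Identity "Accounting" | Select-Object Name, SamAccountName

# Member Of tab of the Global group: what does the department have access to?
Get-ADPrincipalGroupMembership -Identity "Accounting" | Select-Object Name, GroupScope

# And from the resource side, every account that ultimately reaches the folder,
# with nested membership expanded, which the Members tab alone does not show.
Get-ADGroupMember -Identity "ACL_Finance_Modify" -Recursive | Select-Object Name, SamAccountName
```

The last query is the one to run during a review: a Domain Local group with an unexpected nested Global group, or a direct user member, is exactly the drift that A - G - DL - P is meant to prevent, and -Recursive surfaces it in one line.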
