What are Active Directory groups?
Active Directory is a Microsoft technology that is used to implement directory services. It is a feature of the Windows Server and one of the most popular on-premise directory services, which provides functionalities to store and handle directory information. A collection of Active Directory objects is called an Active Directory Group. They may include users, devices, and also groups containing other objects. In other words, groups can be thought of as containers that hold users and other objects as members. In Active Directory, the users are classified into groups based on certain criteria and given access to certain resources. Network maintenance and administration are made easier by allowing the group to be managed as a single object.
Types of groups in Active Directory
The Active Directory groups can be classified into two types. They are the Active Directory security groups and the Active Directory distribution groups. Each group type, in turn, has one of three different group scopes. The group type determines the type of task to be performed, while the group scope determines who can be a member of the group.
What are Security groups in Active Directory?
Active Directory security groups enable the administrators to grant permissions and user rights to members of the group. Rather than assigning permission to individual members, security groups allow all the members of the group to receive the permissions and rights. This is more efficient and simplifies the administrative requirements. Members can be added or removed from the groups as per the requirements. Security groups can be mail enabled so as to allow Exchange to distribute emails to the group members. These are called “Distribution lists”, and hence share the capabilities of distribution groups. Mail enabled groups require their group scopes to be set to “universal”.
Security groups can be used to provide specific group access for certain files and to assign administrative responsibilities to perform tasks. Sensitive information can be protected by restricting access rights using security groups. Various levels of permissions can be granted to different user groups. This allows most employees to be given least privilege, while allowing a select group of employees to be given permission to access and modify certain information. This helps greatly in reducing security threats from both within and outside the organization.
For example, a security group can be created for the board of directors of an organization, using which sensitive financial information will be restricted to only the board members. No other employee will have access to these resources and hence confidential information is secure against threats.
Functions of security groups
Security groups have two major functions. They are:
Assigning user rights: User rights define what the members of the group can do within the domain or forest. Some security groups are automatically assigned user rights for administration purposes. Group policies can also be used to assign user rights for delegating certain tasks.
Assigning permissions for resources: User permissions are different from user rights. Permissions are mainly concerned with resource sharing, as opposed to user rights. They are used to determine who can access the resources, along with the level of access. Permissions for resources should be assigned to the security groups rather than to the individual users. Default security groups like the Account Operators group and the Domain Admins group are automatically assigned certain permissions.
What are Distribution groups in Active Directory?
Active Directory Distribution groups are used with email applications such as Microsoft Exchange server, and are used to send email messages to all the users of the group. All members of the group who have enabled mailbox on their accounts, will receive these messages. Distribution groups are not security enabled and hence cannot be used to provide access to domain resources. Security groups also possess all the capabilities of distribution groups, but some applications can only read distribution groups. This is the reason why distribution groups are still required, despite having their functions shared by security groups.
Have you ever wondered how certain emails containing important announcements are sent to all the employees in an organization? Does the administrator send the email individually to each employee? Using distribution groups, the members of the group are sent emails all at once. This greatly simplifies the task of sending emails to large numbers of users. For example, . This is done by adding them to a specific distribution group. Similarly, different types of distribution groups may be created for various purposes.
Differences between Security and Distribution groups in Active Directory
- Distribution groups are used if only one-way notifications are required from the central controller. Whereas, security groups are used to allow users to both access and modify data.
- Distribution groups do not have SIDs, as opposed to security groups. They are used only with email applications and cannot be used to provide access to resources. However, security groups can be used for both purposes.
- Distribution groups differ from Security groups by one bit in the groupType attribute. Security groups have the SECURITY_ENABLED in this attribute, as opposed to distribution groups.
Active Directory Group Scopes
The scope of a group is used to define the extent to which the group is applied in a domain tree or forest. It is also used to identify which of the users can be included as members of the group. Active Directory defines the following group scopes.
Local groups are defined and available only on the specific computer in which they were created. They are stored in the local Security Accounts Manager (SAM) database of a domain member computer.
Domain local groups
Permissions for resource access are provided using domain local groups. These resources are located in the same domain in which the domain local group was created. The memberships are not limited; members from any domain can be added to this group. Domain local groups can exist in all mixed, native and interim functional levels of domains and forests. However, domain local groups do not support nesting. These groups are mainly used for assigning permissions and user rights.
Users who share similar functions and network access requirements can be organized using global groups. They are used to grant permissions to access resources that are located in any domain in the same forest. So, members can be added only from the domain in which the global group was created. Global groups can exist in all mixed, native and interim functional levels of domains and forests. Group nesting is supported. A global group can also be added to other local and global groups.
Universal groups reside in the Global Catalogue and are not stored in the domain partition level. Hence, forest-wide replication is triggered while adding or removing objects from the group. These groups are typically used for email distribution. They can grant permissions on any domain in the same forest or trusting forests.
What are Nested Groups?
Groups that have other groups as members are known as nested groups. When a group is nested within another group, the user rights are inherited automatically. Nested groups help reduce management overhead. While Active Directory distribution groups support nesting in both native and mixed mode, the Active Directory security groups support nesting only for domains running in the native mode.
Consider a scenario, where an organization has three different groups based on business roles namely Production, Sales and Accounting. Each of these roles belongs to a separate global group, where each group has a specified number of users. All the members of these domains need to access a file which is located in the Sales domain. Without group nesting, each global group has to be given a separate permission, hence the permission for access should be provided three times. However, if a domain local group is created and all three global groups are added to it, only the domain local group requires permission. This is done by adding the domain local group to the file’s Access Control List (ACL) and providing the required permissions for access.
When to use domain local, global and universal groups
- Domain local groups can be used to manage access to resources within a single domain. For instance, when ten users need to be given access to a particular device such as a printer, they can be added to a group with a global scope. A domain local group can be created and given access to the device. The global group is then added to this group, and all the members can now access the device.
- Global groups can be used to organize users who share similar purposes and access requirements. They can be used to manage the objects that require maintenance on an everyday basis like user and computer accounts. For example, global groups can be created for separate business roles in an organization such as Sales, Accounting, etc.
- Universal groups can be used to manage permissions for resources that are used across multiple domains. These groups should be used to manage groups with the least changes as the changes will cause Global Catalogue replication. The members can be added to global groups and these can be nested within universal groups. This makes sure that the groups with universal scope are not affected by any changes in membership within the global groups.
Creating Security and Distribution groups in AD
Security groups and distribution groups can be created in Active Directory using the following steps.
- Open the Active Directory Users and Computers console and select the container in which you want your new group to be created.
- Select New Group.
- Enter the name of the group in the Group Name field and enter a description.
- Select the group scope from the available options (Domain local, global or universal).
- Select the group type as either Security or Distribution based on your requirements.
- Select Next and OK to create your group.
- After creating the group, the administrators can define additional properties such as adding members and email addresses to the group.
Changing the scope and type of a group in AD
When a new group is created, it is configured as a security group with global scope, by default. However, the scope of a group can be changed by modifying the group scope in the steps mentioned for creating a group. This can be done based on the following criteria.
- From Domain local to Universal: This conversion is allowed only if the group does not have any other domain local nested groups.
- From Global to Universal: This conversion is allowed only if the group is not a member of another group with a global scope.
- From Universal to Domain local: This conversion is permitted without any restrictions
- From Universal to Global: This conversion is allowed only if the group does not have any other universal group as a member.
Security Group Challenges and Best Practices
Following certain standard guidelines help overcome the challenges faced while using security groups.
- Protecting default security groups
When an Active Directory domain is set up, default security groups are created. These groups have to be managed properly as they have extensive permissions. Users should be given permissions only when required, and domain admin access is to be provided on a temporary basis. The Domain Administrator account should be secured. The Local Administrator should be disabled as it is configured with the same password across domains and has the same SID across installations.
- Using strong passwords
Strong passwords should be set up, using passphrases of random words. Users should be locked out, if the password is not verified for more than two times. Two- factor authentication is to be used for an added layer of protection.
- Updating Active Directory
All the software on the system must be kept up to date in order to stay protected against vulnerabilities. Patching these vulnerabilities reduces the risk posed by attackers.
- Maintaining Least Privilege policy
The policy of least privilege means that users are given access only to those resources that are absolutely necessary. This is to prevent against potential insider threats. If everyone is given increased permissions and access, it increases the risk of insider threats and makes it harder to source them.
- Auditing changes
Security threats can be prevented and minimized through proper monitoring and auditing. Any abnormal changes should produce an alert, including failed login attempts and locked out accounts. User access and permissions should be continuously monitored, so as to prevent potential threats to security.