It’s been a while since I wrote my last post and before I start my next post I would like to wish everyone a happy new year (I know its late)!
Groups in Active Directory are very useful to us administrators. First of all why do we need groups in Active Directory? If you think about it its just to manage your entire active directory environment more easily and to make your life easier.
When you look at how groups are going to make your life easier, imagine this, you have a network resource to which you need to restrict/grant access to everyone in the sales Organizational Unit (OU). If you don’t use groups, then you will add the Users one by one to the resources Discretionary Access Control List (DACL). Lets say another sales person was hired you will have to add him manually to the DACL. Instead you create a Group in your AD and make all the sales users member of that group and assign the permission to that group. That’s more effective and when a new sales person joins just make him a member of that group.
So what are these groups that we are talking about? Groups are also an Object in Active Directory, like User Accounts, Computer Accounts, Organizational Units, etc. groups are also similar objects which at times contains a Security Identifier (SID) and sometimes does not.
You can create groups in 2 ways,
by using the Active Directory users and computers snap-in
by using the DSadd command line tool
To create a group using the Active Directory users and computers, open the snap-in, right click inside an Organizational Unit and select New and then Group
To create a group named “sales” inside the default “users” container under a domain named “cloud.com” using DSadd, dsadd group cn=sales,cn=users,dc=cloud,dc=com
Either way you select, it works like a charm
While creating a group you have to consider two main points,
There are two Group Types
Security Group: You will be creating a Security Group to assign permissions to files and folders. Usually Security groups are the default selection when you are creating a new group. Security Groups will be a Security Principal which is assigned with a Security Identifier (SID). The SID will check the access level when ever a user who is a member of a security group tries to access a network resource (Using the User’s Access Tokens – Will Explain in another posts).
Distribution Group: This type of group cannot be called as a Security Principal as it will not be assigned with a SID hence a distribution group will only be used to send email messages to a group or a collection of users. To be more specific it’s a distribution list where Mail servers such as Exchange uses to send emails to a particular address such as firstname.lastname@example.org in turn email will be delivered to every single email enabled user in that domain (who is a member of the everyone distribution group). Its not possible to list a Distribution Group inside an “ACL” and assign permissions to it.
This does not limit that a Security Group cannot be an email enabled group.
When you look at Group Scopes,
Local Groups: These are the groups which resides in the Security Accounts Manager (SAM) of a local computer. Built in groups such as Administrators, Backup Operators, Power Users, etc.
Domain Local Group: Can be created in a domain environment and these groups can be used on anywhere in the DOMAIN
Universal Groups: Can be created in a domain environment and these groups can be used anywhere in a FOREST
Global Groups: Can be created in a domain environment and these groups can be used anywhere in the DOMAIN or TRUSTED DOMAINS
Well I hope the above information was useful to you. Do leave your comments