AD group introduction
A group is nothing but a logical list, so … it is a collection of objects.
The group can include users, computers, other groups and other AD objects.
A group can have many users or other objects as members, and a user can be a member of many groups.
Even a group itself can be a member of another group, which is called a [nested group].
The main purposes of groups are:
- Assign rights or permissions to multiple objects rather than doing that individually on each object
- Distribute email to multiple users rather than doing that individually for each user
Group Types
- There are two types of group accounts in any operating system [Windows, Linux, Novell]
Local group:
- These accounts can only access resources on the local computer
- They are stored in the local Security Account Manager (SAM) file [C:\Windows\System32\Config]
- Local groups are never replicated to other computers
- They do not provide domain access: a local group configured on one computer cannot be used to access resources on a second server -> SO… you would need to configure a second local group in that case.
- In the picture above: user Donald is a local user and can access ONLY computer HR121
Domain group:
- These groups can access AD DS or network-based resources, such as shared folders and printers.
- Information for these groups is stored in the AD DS database [C:\Windows\NTDS\NTDS.dit] and replicated to all domain controllers within the same domain.
- In the picture above: ALL other users [Jack, John, Suzan, Lara, Sami] are domain users and can access ALL network resources [unless we apply a restriction policy]
- Domain groups [Active Directory groups] can be divided into two types:
- Active Directory Security Groups. This type of group serves both purposes above [permissions and sending email]
- Active Directory Distribution Groups. This type of group is used to create email distribution lists (usually used with Microsoft Exchange Server). This type of group cannot be used to grant access to domain resources
- AD provides a mechanism to centrally create, manage and control groups in the directory service through the console [Active Directory Users and Computers] and the console [Active Directory Administrative Center]
Pioneers Group Samples
– Please have a look at the sample above:
· Pioneers company has 10 users and 4 groups
· Group01 has 2 members: Frank, Jamal [green line]
· Group02 has 3 members: Lara, Natali, Mark [blue line]
· Group03 has 4 members: Sami, Jamal, Natali, Nadia [red line]
· Group04 has 2 members: John, Suzan [yellow line]
· Group01 is a member of Group03 [nested group] …. So
Frank and Jamal are considered members of Group03 [implicitly]
– Any policy or permission applied to Group03 -> will also be applied to the members of Group01
· Khan is NOT a member of any group …. OK, no problem
· Natali is a member of Group02 and Group03
· Deleting Group04 will NOT delete the user account John: simply, John will NOT be a member of that group any more
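The membership rules in the Pioneers sample, worked through in code. This is an added example and not part of the original article: it models the picture's users and groups as constructed PowerShell data (no real domain is queried), expands nested groups to get effective membership, and shows what deleting a group does and does not remove. The function names are my own, and the membership data is copied from the bullets above.

```powershell
# Constructed data matching the Pioneers picture (not an AD query).
$users = @('Frank', 'Jamal', 'Lara', 'Natali', 'Mark', 'Sami', 'Nadia', 'John', 'Suzan', 'Khan')

# Groups and their DIRECT members. A member that is itself a group key is a nested group.
$groups = @{
    'Group01' = @('Frank', 'Jamal')
    'Group02' = @('Lara', 'Natali', 'Mark')
    'Group03' = @('Sami', 'Jamal', 'Natali', 'Nadia', 'Group01')   # Group01 nested here
    'Group04' = @('John', 'Suzan')
}

# Effective (explicit + implicit) members of a group, expanding nested groups.
# $Visited stops infinite loops if two groups ever nest each other, which AD permits.
function Get-EffectiveMembers {
    param([string]$GroupName, [hashtable]$Groups, $Visited)
    if ($null -eq $Visited) { $Visited = [System.Collections.Generic.HashSet[string]]::new() }
    if (-not $Visited.Add($GroupName)) { return @() }   # already expanded: cycle or duplicate
    $members = @()
    foreach ($m in $Groups[$GroupName]) {
        if ($Groups.ContainsKey($m)) {
            $members += Get-EffectiveMembers -GroupName $m -Groups $Groups -Visited $Visited
        } else {
            $members += $m
        }
    }
    return @($members | Sort-Object -Unique)
}

# Every group a user belongs to, directly or through nesting.
function Get-UserGroups {
    param([string]$User, [hashtable]$Groups)
    return @(foreach ($g in ($Groups.Keys | Sort-Object)) {
        if ((Get-EffectiveMembers -GroupName $g -Groups $Groups) -contains $User) { $g }
    })
}

# Deleting a group removes the group object and every reference to it as a member,
# but leaves the user accounts untouched.
function Remove-GroupFromModel {
    param([string]$GroupName, [hashtable]$Groups)
    $Groups.Remove($GroupName)
    foreach ($g in @($Groups.Keys)) {
        $Groups[$g] = @($Groups[$g] | Where-Object { $_ -ne $GroupName })
    }
}

"Effective members of Group03: " + ((Get-EffectiveMembers 'Group03' $groups) -join ', ')
"Groups of Natali: " + ((Get-UserGroups 'Natali' $groups) -join ', ')
"Groups of Khan: "   + ((Get-UserGroups 'Khan'   $groups) -join ', ')

Remove-GroupFromModel 'Group04' $groups
"Group04 still exists? " + $groups.ContainsKey('Group04')
"John still a user?    " + ($users -contains 'John')
"Groups of John:       " + ((Get-UserGroups 'John' $groups) -join ', ')
```

Group03 resolves to five users although only four are listed on it, because Frank arrives through the nested Group01; Natali appears in two groups; Khan in none. After removing Group04, John is still in the user list but belongs to no group. When reviewing who really has a permission, it is the effective list, not the direct one, that matters.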
Create AD Group
To create a domain group:
- Open either [Active Directory Users and Computers] or [Active Directory Administrative Center]
- Select the container [Users] or any organizational unit [OU] in which you would like to create the group
- Right-click, then select New -> Group
- Provide the group name -> select the group type -> select the group scope
- Press Finish to create the group
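The same steps done with the ActiveDirectory PowerShell module, as an added example that is not part of the original article. It assumes a domain named pioneers.local, an OU called "Pioneers Groups" that already exists, and the user names from the Pioneers sample; the cmdlets and parameters are the module's real ones. The wizard's "type" is the -GroupCategory parameter (Security or Distribution) and its "level" is -GroupScope (DomainLocal, Global or Universal).

```powershell
Import-Module ActiveDirectory

$ouPath = 'OU=Pioneers Groups,DC=pioneers,DC=local'   # assumed container for the new groups

# Security groups can carry permissions; Global scope is the usual choice for user groups.
New-ADGroup -Name 'Group01' -SamAccountName 'Group01' -Path $ouPath `
            -GroupCategory Security -GroupScope Global `
            -Description 'Pioneers sample group (security, global)'
New-ADGroup -Name 'Group03' -SamAccountName 'Group03' -Path $ouPath `
            -GroupCategory Security -GroupScope Global

# A distribution group is for mail only and cannot be used in an ACL.
New-ADGroup -Name 'Pioneers-News' -SamAccountName 'Pioneers-News' -Path $ouPath `
            -GroupCategory Distribution -GroupScope Universal

# Add members, then nest Group01 inside Group03 exactly as in the sample.
Add-ADGroupMember -Identity 'Group01' -Members 'Frank', 'Jamal'
Add-ADGroupMember -Identity 'Group03' -Members 'Sami', 'Jamal', 'Natali', 'Nadia'
Add-ADGroupMember -Identity 'Group03' -Members 'Group01'

# Check what was created: category, scope and the SID that permissions will be tied to.
Get-ADGroup -Identity 'Group01' | Select-Object Name, GroupCategory, GroupScope, SID

# Direct members list the nested group as an object of class "group";
# -Recursive flattens the nesting so Frank and Jamal appear as effective members.
Get-ADGroupMember -Identity 'Group03' | Select-Object Name, objectClass
Get-ADGroupMember -Identity 'Group03' -Recursive | Select-Object Name, objectClass
```

Get-ADGroupMember -Recursive is the quickest way to answer "who actually gets this permission" for a group that contains other groups; the non-recursive view only shows what the console shows on the Members tab.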
Built-in Groups
When you install Active Directory, it automatically creates some built-in groups with predefined special permissions, like:
- Server Operators
- Account Operators
- Print Operators
- Terminal Server License Servers
- Administrators
- Windows Authorization Access Group
- ….etc.
These groups will be covered when we talk about their own topic: for example
- Group [Terminal Server License Servers] will be covered in the topic [Remote Desktop and Terminal Services]
- Group [Backup Operators] will be covered when we talk about backup [Veeam, and Micro Focus Data Protector]
Delete Group
- Deleting a group is an easy process, but be careful because each group has a security identifier (SID), which means that if you delete a group and re-create a group with identical information, this does not mean we have the same group, since the SID has changed: any permission that was granted to the old SID will not apply to the new group
- Starting from Windows 2012, when you delete a group it is sent to the Active Directory Recycle Bin -> so we can retrieve it easily, NOT like previous Active Directory editions [2000, 2003, 2008]
- Deleting a group will NOT delete user accounts … but will remove those accounts from the group's membership
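The SID and Recycle Bin points above, shown with the ActiveDirectory module. This is an added example, not part of the original article; it assumes a forest named pioneers.local, the Group04 and John objects from the Pioneers sample, and that the Recycle Bin optional feature has been enabled (it must be switched on once per forest before a deletion happens, and the cmdlet for that is shown commented out). The comparison of SIDs before and after is the check a practitioner would want before trusting that a restored group still matches existing ACLs.

```powershell
Import-Module ActiveDirectory

$forest = 'pioneers.local'   # assumed forest name

# Is the Recycle Bin enabled? EnabledScopes is empty until it is.
Get-ADOptionalFeature -Identity 'Recycle Bin Feature' | Select-Object Name, EnabledScopes
# One-time, forest-wide and irreversible enablement:
# Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false

# Record the SID that permissions on shares and folders currently reference.
$sidBefore = (Get-ADGroup -Identity 'Group04').SID.Value

Remove-ADGroup -Identity 'Group04' -Confirm:$false

# The user account survives; only the membership is gone.
Get-ADUser -Identity 'John' | Select-Object Name, Enabled
Get-ADPrincipalGroupMembership -Identity 'John' | Select-Object Name

# Locate the deleted object (its name becomes "Group04\0ADEL:<guid>") and restore it.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -like "Group04*"' `
                        -IncludeDeletedObjects -Properties objectSid
Restore-ADObject -Identity $deleted.ObjectGUID

# A restored group keeps its SID, so existing ACL entries resolve again.
$sidAfter = (Get-ADGroup -Identity 'Group04').SID.Value
if ($sidBefore -eq $sidAfter) {
    'Restored from Recycle Bin: same SID, existing permissions still apply'
} else {
    'SID differs: permissions granted to the old SID are orphaned'
}

# Contrast: re-creating the group by hand instead of restoring it yields a NEW SID,
# and every ACL entry that referenced the old one shows as an unresolved SID.
# New-ADGroup -Name 'Group04' -SamAccountName 'Group04' -GroupCategory Security -GroupScope Global -Path 'OU=Pioneers Groups,DC=pioneers,DC=local'
# (Get-ADGroup -Identity 'Group04').SID.Value -ne $sidBefore
```

Restore-ADObject also restores the group's former members, which is the second reason to prefer it over re-creating the group: a re-created group starts both with a new SID and with an empty member list.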