Introduction to Windows Active Directory Groups:
Using Windows Active directory groups makes it more efficient for the operating system to enumerate permissions on an ACL, and makes it also easier for the company operations staff to manage all the ACL permissions on the resource.
The file server must enumerate each user account SID number in the ACL list before a user can access a resource.
When using active directory groups, the name of the group will be added to the resource this will make the system to enumerate the SID of the group along with the user account SID when the session ticket get assembled; When a user login and try to access the resource, the system simply matches the user’s session ticket SID on the resource ACL.
Groups Types:
There are four group types in Windows AD
- Local Group
- Domain Local Group (DLG)
- Global Group
- Universal Group
Local Groups: (Rule Scope)
The local group has only a machine-wide scope. It can be used on the ACL of the local machine or the local storage NAS only.
The group can include the following members:
- Any security principals from the domain/trusted domain including
- Users
- Computers
- Global group
- Domain local group
- Universal groups from any domain in the forest
The group can be a member of:
- Local Group can’t be a member of any other group
Visibility and Usability:
- The local group can only be visible on the server they were created in.
- Local groups can only be added to ACLs on the server they are created at
Best Practices for local groups:
It is recommended to use local groups in a workgroup environment, however managing the local group in a domain environment becomes an administrative overhead, it is not recommended to create any custom local groups in a domain environment.
The capabilities of domain local group and local group are identical, but the replication and availability of the domain local group makes it more flexible across the entire domain.
Domain Local Groups: (DLG)
Domain local groups are used primary to manage permissions to a resources; one of the characteristics of the domain local group is replicating the group object and its members to every domain controller in the domain.
The group can include the following members:
- Any security principals from the domain/trusted domain including
- Accounts from any domain
- Users
- Computers
- Domain Local Group from the same parent domain
- Global group from any domain
- Universal groups from any domain
- Accounts from any domain
The group can be a member of:
- Domain Local groups
- Machine local groups
Visibility and Usability:
- The domain local group can only be visible on all the domain controllers in the domain they were created in.
- Domain local groups can be added to ACLs on any resource of any domain member
Best Practices for domain local groups:
Domain local groups are more focused on business management accounts example is a resource access account, the domain local group can include any member of any type in the domain.
Global Groups: (Role Scope)
Global groups are mostly used as a roll group in Active Directory and are used to define collection of domain objects (users, computer and other global groups).
The group can include the following members:
- Any security principals from the domain including
- Accounts from the same domain as the parent global group
- Users
- Computers
- Global group from the same domain as the parent global group
- Accounts from the same domain as the parent global group
The group can be a member of:
- Domain Local from any domain/trusted domain
- Global group from any domain/trusted domain/forest
- Universal group from forest
Visibility and Usability:
- The domain group can only be visible on all the domain controllers in the domain they were created in.
- Global groups can be added to ACLs in the domain/trusted domain/forest.
As you can see above “Global group” have the most limited membership but it is also the broadest available across the domain.
Best Practices for global groups:
Global rules are generally used to add security to groups by roll, for example an accounting department might have a group called “accounting” that contains all the accounting employees, and this group can be added to any accounting resource.
Universal Groups:
Universal groups can be used as a rule type (Local Group) or a role type (Global Group) depending on the environment and the scenario.
The group can include the following members:
- Accounts from the same domain as the parent global group
- Global group from any domain within the forest in which the universal group resides
- Universal group from any domain within the forest in which the universal group resides
The group can be a member of:
- Domain Local from any domain/trusted domain
- Universal group from forest
Visibility:
- The universal group can be visible on all the domain controllers in the forest.
- Universal groups can be added to ACLs in the domain/trusted domain/forest.
When to use Domain Local, Global and Universal Group
- Domain Local have the smallest extend, this group is used to help managing access to resources, such as printers and shared folders
- Global Groups have a global scope it helps managing users and computers in a particular domain; you can grant access permission to a resource by making the group with global scope a member of the group with domain local scope.
- Universal group have a universal scope with the largest extent, it is used to consolidate groups that span domains, and it is being used by adding global groups as a member, now every time you add members to the global group the changes will not be replicated to all global catalogues as the membership of the universal group did not change.
If the organization does not have two or more domains, then there is no need to use universal groups, instead we can build the groups structure with domain local and global groups.
Best Practices on adding groups to a resource.
- User and/or other security domain groups goes into “Domain Global Group”
- “Domain Global Group” then are added to “Domain Local Group”
- “Domain Local Group” gets granted permissions over the resources.
Note: domain local groups can contain members from other domains (forest and trusted domains) where are global groups can only contain members from the domain that the global group lives in.
Example how we can implement the permissions on a file system:
- One Domain:
- Start by creating global group for example let’s call it Atlanta\OpsGroup and add the members to the operations department group.
- Create domain local groups called “LocalOpsGroup” and grant access to the shared folders. Call the shared folder “OpsData”.
- Add the Global Group “Atlanta OpsGroup” inside the domain local group “LocalOpsGroup”.
- Multiple Domains (Forest)
- Start by creating global group for each Operation Group example let’s call it “Atlanta\OpsGroup”, “Chicago\OpsGroup”, and add the members of Atlanta to “Atlanta\OpsGroup” and members of Chicago to “Chicago\OpsGroup”
- In each location, create a domain local groups and grant access to the local shared folders
- Create a group with universal scope called “UniOpsGroup”, add “Atlanta\OpsGroup” and “Chicago\OpsGroup” to that group
- Add the Universal Group “UniOpsGroup” inside the domain local group in each location.
Although the above scenario is the best practices, but it still depends on the client size what method they should implement for their security, most one domain client grant NTFS permissions to a domain group.
The below example is a wildly used scenario for clients that have one domain.
- One Domain:
- Start by creating global group for example let’s call it Atlanta\OpsGroup and add the members to the operations department group.
- Grant global group “Atlanta\OpsGroup” access to the shared folders. Call the shared folder “OpsData”.