For Geeks @nd the not so Geeky

Active Directory Groups and Domain Services

Active Directory Groups and Domain Services Administration

Active Directory as a directory service provides information on enterprise resources such as  active directory users and groups as well as computers. To make it easier to manage objects these resources are divided into organizational Units (OUs) providing an Active Directory OU structure. Active  Directory groups on the other hand are meant for controlling access to AD objects.

Active Directory Groups and Domain Services

Organizational Units (OUs) – Active Directory

The best way to think of an Active Directory OU design is by comparing it to the folder hierarchy of a common disk drive. Just as you make folders to group similar documents or other data you would collect similar objects in the same OU for the purpose of easy administration. OUs should therefore reflect the administrative structure of you organization. Active Directory Groups

Keep in mind that OUs are not used to assign permission to resources as this is what Active Directory groups are for. Users belong to Active Directory security groups which are in turn given permission to resources.

An OU in Active Directory is simply an administrative container enabling you to manage users and groups contained within that OU.

In Windows Server 2008 OUs are automatically protected from accidental deletion. You will not be able to delete an OU unless you disable this protection in advanced features.

Group Objects, Types and Scopes

Groups are meant to create a single point of management for objects in Active Directory such as users, computers or even other groups.

They are commonly used to grant or deny permissions to a shared folder to a group rather than a single user. In order to effectively manage even a simple organization you need to create security groups in Active Directory for 2 distinctive purposes.

  • Role Defining Groups – based on common business needs such as location and job type
  • Management Rule Defining Groups – based on how the resources need to be managed and accessed

A Security Group can be given permission to resources and can also be configured as an email distribution list

A Distribution Group eliminates the requirement for access to resources and is therefore only used as an email distribution list. This Group does not contain a SID and should be used for email distribution lists to avoid overhead network traffic generating unnecessary access tokens.

A Global Group defines or identifies objects by job roles, location and so forth. Global groups are available t any trusted domains

A Domain Local Group is used to bundle users that need access to similar resources. It is replicated to all domain controllers in the same domain only

A Universal Group contains users and groups from multiple domains and are therefore useful in multi-domain forests.

Group Nesting or IGDLA

Identities (Users and Computers) are members of

Global Groups which represent business roles and are in turn member of

Domain Local Groups representing management roles such as read and write permissions to a folder

Access to Resources is granted by adding the domain local group to the ACL of the folder in question

Shadow Groups

The major difference between an OU and a group is that an object can only exist within the context of a single OU whereas a security principal can belong to many groups.

One of the challenges includes managing an OU where you want to grant all users permission to a folder while this is not possible on the OU level.

This is where shadow Active Directory groups bring relief. You create a group and then just copy all the users of the OU into that group granting them the required permissions. Bear in mind that when you add or remove a user from the OU, you must do the same manually in the shadow group and vice versa.

Default Groups

  • Enterprise Admins – full control over any domain controllers in the forest
  • Schema Admins – full control over the AD schema
  • Administrators (Builtin) – full control over all domain controllers in a domain. Full control in the forest root domain which means they can manage Enterprise, Schema and domain admins
  • Domain Admins – Inherits all capabilities of the administrators group in a domain and is added to each client computer
  • Server Operators (Builtin) – Can logon locally to perform maintenance tasks on domain controllers. Account has no members by default
  • Account Operators – Can perform maintenance tasks on any OU except the Domain Controllers OU . Account has no members by default
  • Backup Operators (Builtin) – Account has no members by default
  • Print Operators – Can log on locally and shut down domain controllers

Special Identities

  • Anonymous Logon – member of the Everyone group in versions prior to Server 2003
  • Authenticated Users – Does not include Guest account
  • Everyone – Authenticated users and guest
  • Interactive – locally logged on users as well as remote desktop users
  • Network – users accessing resources over the network

Relative Distinguished Names (RDNs) Common Names (CNs) and Domain Components (DCs)

Each object in Active Directory has a unique Distinguished Name (DN). The DN of an object is unique within the directory whereas the RDN of an object should be unique within its container or OU.

This is similar to not being able to create 2 documents or folders with the same name in the same folder.
As an example – DN CN=Bob Baker OU=User Accounts, DC=baker,DC=com

Name and Account Properties

  • Logon Name (Pre-Windows 2000) – the samid should be unique within the organization. The sAMAcountName should therefore be a unique, name-independent logon based on an employee number and soforth
  • User Logon Name – the userPrincipalName (UPN) consists of the logon name and the UPN suffix which is by default the DNS name of the domain where the object was created
  • Name – Should be unique in the OU and is the first part of the DN attribute which should be unique in the forest
  • Relative Distinguished Name (RDN) – Should be unique within an OU meaning the CN attribute must be unique in the OU. Easiest way to accomplish this is by including an employee number for example
  • Display Name – No requirement for unique names that appear in the Microsoft Exchange Global Address List (GAL)

DS Command Line Options

  • DSQuery to find objects in the directory
  • DSAdd to create objects
  • DSGet to return specific attributes of an object
  • DSMod to modify attributes of an object
  • DSMove to move an object to a new container or OU
  • DSRm to remove an object and/or all objects in the subtree

Most commands are run by specifying the object type (e.g. user) as well as the object DN in quotes.

Windows PowerShell

Windows PowerShell is the recommended tool for performing and automating administrative tasks in Windows Server R2. System administration tasks can be performed by using command-lets (cmdlets) modules or snap-ins. A module or snap-in is a package of cmdlets and/or other items.

Windows Powershell is also backward compatible with cmd.exe making it easy to perform familiar tasks susch as ipconfig, ping or nslookup for example. Windows Poweshell return objects which can have properties – or attributes – that represent data maintained by the object such as a users first and last name.

Objects include methods which are actions you can perform on the object.

Comma-Separated Values Data Exchange (CSVDE) and LDIFDE

CSVDE is a powerful tool that can assist administrators in importing existing user information – such as user accounts – from MS Excel or MS Access databases. It can import and export AD objects from or to comma-delimited (.csv) text files.

It cannot be used to import passwords so you will need to reset the user password on any account imported as well as enable the account.

The LDAP Data Interchange Format (LDIF) is file format which can be utilized to perform batch operations against directories that conform to LDAP standards. Unlike CSVDE LDIFDE can be used to modify or remove objects in the directory.

LDIFDE is also capable of importing user passwords. Remember that these accounts will be disabled until you reset the passwords and enable the accounts.

Inheritable Permissions

The Discretionary Access Control List (DACL) which is a part of the objects Access Control Entry (ACE) assigned to users and Active Directory groups controls the security principals. This simply means assigning permissions that manage access to objects and properties in Active Directory such as resetting passwords or changing files in a folder.

Note that not every permission is inheritable and inheritance can be scoped to specific object classes. Generally speaking, new objects inherit permissions from the parent OU or container.
This can be manually modified by

  • Disabling inheritance in the advanced settings of the new object
  • Allowing inheritance while overriding it with an explicit permission assigned to the child object. Explicit permissions always override inherited permissions to the extent that an explicit Allow permission will override an inherited Deny permission
  • Scoping the inheritance permission by changing the inheritance properties on the parent object. This is considered best practice as it defines the Access Control List (ACL) at its source rather than overriding permissions further down the line

You can use Delegation of Control Wizard to assign specific administrative tasks to appropriate groups and individuals.

User Account Templates

User account templates are generic user accounts prepopulated with common properties. Take care to disable this account for security purposes. When you create a new user you can just simply copy this template saving you the time of having to fill out each property again. Not all attributes can be copied and following is a list summarizing the attributes that do get copied.

  1. General
  2. Address
  3. Account
  4. Profile
  5. Organization
  6. Member Of

Modifying Properties of Multiple Users Simultaneously

You can select multiple users objects by holding the CTRL key as you click each user. After that you can right-click on any user and select properties from the menu. Properties that can be changed for multiple users are:

  1. General
  2. Account
  3. Address
  4. Profile
  5. Organization

Leave a Response