Since the early days of the Microsoft server operating system, administrators have used groups to manage network permissions. Groups enable administrators to assign permissions to multiple users simultaneously. A group can be defined as a collection of user or computer accounts that functions as a security principal, in much the same way that a user does.
In Windows Server 2012 R2, when a user logs on to an Active Directory domain, the computer the user logs on to builds an access token that contains the user's security identifier (SID) and the SIDs of every group the user belongs to, including groups reached through nesting. When the user attempts to access a local or network resource, the computer that hosts the resource compares the SIDs in that token with the entries in the resource's access control list (ACL) to decide what the user may do. By using groups, administrators can grant multiple users the same permission level for resources on the network. If, for example, you have 25 users in the graphics department who need access to a color printer, you can either assign each user the appropriate permissions for the printer or you can create a group containing the 25 users and assign the appropriate permissions to the group. By assigning access to a group rather than to individual users, you have accomplished the following:
-When users need access to the printer, you can just add them to the group. Once added, the users receive all permissions assigned to this group. Similarly, you can remove users from the group when you want to revoke their access to the printer.
-Administrators only have to make one change to modify the level of access to the printer for all the users. Changing the group’s permissions changes the permission level for all group members. Without the group, you would have to modify all 25 user accounts individually.
NOTE: ACCESS TOKENS
Users’ access tokens are generated at logon, when the user first signs in from a workstation, and are not updated afterward. If you add users to a group, they will need to log off and log back on again for that change to take effect, because the new group SID is only placed in a token at the next logon. You can inspect the group SIDs present in the current session's token with whoami /groups.
Users can be members of more than one group. In addition, groups can contain other Active Directory objects, such as computers, and other groups in a technique called group nesting.
Group nesting describes the process of configuring one or more groups as members of another group. For example, consider a company that has two groups: marketing and graphic design.
Graphic design group members have access to a high-resolution color laser printer. If the marketing group members also need access to the printer, you can just add the marketing group as a member of the graphic design group. This gives the marketing group members the same permission to the color laser printer as the members of the graphic design group. Be aware that nesting in this way grants marketing every permission the graphic design group holds, not just the printer, so nest one group in another only when the two groups genuinely should share all the same access.
There are two group classifications in Windows Server 2012 R2: group type and group scope. Group type defines how a group is used within Active Directory.
The two Windows Server 2012 R2 group types are as follows:
– Distribution groups: Nonsecurity-related groups created for the distribution of information to one or more persons
– Security groups: Security-related groups created for granting resource access permissions to multiple users
Active Directory–aware applications can use distribution groups for nonsecurity-related functions. For example, Microsoft Exchange uses distribution groups to send messages to multiple users. Only applications that are designed to work with Active Directory can make use of distribution groups in this manner.
Groups that you use to assign permissions to resources are referred to as security groups. Administrators make users who need access to the same resource members of a security group. They then grant the security group permission to access the resource. After you create a group, you can convert it from a security group to a distribution group, or vice versa, at any time. Note that converting a security group to a distribution group removes it from its members' access tokens, so any permissions granted to the group stop applying until it is converted back; the group keeps its SID across the conversion, so existing ACL entries become effective again when it is made a security group once more.
In addition to security and distribution group types, several group scopes are available within Active Directory. The group scope controls which objects the group can contain, limiting the objects to the same domain or permitting objects from remote domains, and also controls the location in the domain or forest where the group can be used. Group scopes available in an Active Directory domain include domain local groups, global groups, and universal groups.
DOMAIN LOCAL GROUPS
Domain local groups can have any of the following as members:
– User accounts from any domain in the forest or from a trusted domain
– Computer accounts from any domain in the forest or from a trusted domain
– Global groups from any domain in the forest
– Universal groups
– Domain local groups from the same domain
You use domain local groups to assign permissions to resources in the same domain as the domain local group. Domain local groups can make permission assignment and maintenance easier to manage.
GLOBAL GROUPS
Global groups can have any of the following as members:
– User accounts from the same domain
– Computer accounts from the same domain
– Other global groups from the same domain
You can use global groups to grant or deny permissions to any resource located in any domain in the forest. You accomplish this by adding the global group as a member of a domain local group that has the desired permissions. Global group memberships are replicated only to domain controllers within the same domain. Users with common resource needs should be members of a global group to facilitate the assignment of permissions to resources.
You can change the membership of the global group as frequently as necessary to provide users with the necessary resource permissions.
UNIVERSAL GROUPS
Universal groups can have any of the following as members:
– User accounts from any domain in the forest
– Computer accounts from any domain in the forest
– Global groups from any domain in the forest
– Other universal groups from any domain in the forest
Universal groups, like global groups, can organize users according to their resource access needs. You can use them to provide access to resources located in any domain in the forest by using domain local groups.
You can also use universal groups to consolidate groups and accounts that either span multiple domains or span the entire forest. A key point in the application and utilization of universal groups is that group memberships in universal groups should not change frequently, because universal groups are stored in the global catalog. Changes to universal group membership lists are replicated to all global catalog servers throughout the forest. At the Windows Server 2003 forest functional level and higher, AD DS replicates only the individual member values that changed rather than the whole membership list, which reduces the cost of each change, but frequent changes can still consume a significant amount of bandwidth, especially on relatively slow and expensive WAN links.
As discussed earlier, group nesting is the term used when groups are added as members of other groups. For example, when you make a global group a member of a universal group, it is said to be nested within the universal group.
Group nesting reduces the number of times you need to assign permissions to users in different domains in a multidomain forest. For example, if you have multiple child domains in your AD DS hierarchy, and the users in each domain need access to an enterprise database application located in the parent domain, the simplest way to set up access to this application is as follows.
1. Create global groups in each domain that contain all users needing access to the enterprise database.
2. Create a universal group in the parent domain. Include each location’s global group as a member.
3. Add the universal group to the required domain local group to assign the necessary permission to access and use the enterprise database.
This traditional approach to group nesting in AD DS is often referred to by using the mnemonic AGUDLP: you add Accounts to Global groups, add those global groups to Universal groups, add universal groups to Domain Local groups, and, finally, assign Permissions to the domain local groups.
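The following script is an added example, not code from the original text, that carries the three-step AGUDLP procedure above through to the final permission assignment with the ActiveDirectory module and Set-Acl. The names it uses are assumptions for illustration: a forest root domain adatum.com with a child domain chicago.adatum.com, an OU=Groups container in each domain, users alice (root domain) and bob (child domain), and the application data folder D:\Shares\EnterpriseDB on a server joined to the root domain. Run it as an account that can create groups in both domains and modify the folder's ACL.

```powershell
# Added example (not from the original text): the AGUDLP chain from the
# procedure above, built with the ActiveDirectory module and finished with an
# NTFS permission on the application folder. All names below are assumed.
Import-Module ActiveDirectory

$Root       = @{ Server = 'adatum.com';         Path = 'OU=Groups,DC=adatum,DC=com' }
$Child      = @{ Server = 'chicago.adatum.com'; Path = 'OU=Groups,DC=chicago,DC=adatum,DC=com' }
$FolderPath = 'D:\Shares\EnterpriseDB'

function New-GroupIfMissing {
    # Idempotent create: a second run returns the existing group instead of failing.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('DomainLocal', 'Global', 'Universal')][string]$Scope,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Server
    )
    $existing = Get-ADGroup -Filter "SamAccountName -eq '$Name'" -Server $Server
    if ($existing) { return $existing }
    New-ADGroup -Name $Name -SamAccountName $Name -GroupCategory Security `
                -GroupScope $Scope -Path $Path -Server $Server -PassThru
}

# A -> G: accounts go into a Global group in their own domain. Global group
# membership replicates only inside that domain, so churn here is cheap.
$gRoot  = New-GroupIfMissing -Name 'G-EnterpriseDB-Users' -Scope Global @Root
$gChild = New-GroupIfMissing -Name 'G-EnterpriseDB-Users' -Scope Global @Child
Add-ADGroupMember -Identity $gRoot  -Members 'alice' -Server $Root.Server
Add-ADGroupMember -Identity $gChild -Members 'bob'   -Server $Child.Server

# G -> U: one Universal group in the parent domain collects the per-domain
# Global groups. Keep this membership stable: it lives in the global catalog.
$uGroup = New-GroupIfMissing -Name 'U-EnterpriseDB-Users' -Scope Universal @Root
# Pass the ADGroup objects (not bare names) so the child-domain group resolves.
Add-ADGroupMember -Identity $uGroup -Members $gRoot, $gChild -Server $Root.Server

# U -> DL: the Universal group goes into a Domain Local group in the domain
# that owns the resource. Name the DL group after the access level it grants.
$dlGroup = New-GroupIfMissing -Name 'DL-EnterpriseDB-Modify' -Scope DomainLocal @Root
Add-ADGroupMember -Identity $dlGroup -Members $uGroup -Server $Root.Server

# P: the permission is granted exactly once, to the Domain Local group's SID.
# Users and the Global groups never appear in the ACL.
$acl  = Get-Acl -Path $FolderPath
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $dlGroup.SID, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# Check: walk the chain back from the resource. alice and bob will only see
# the new permission in their tokens after they log off and on again.
Get-ADGroup -Identity $dlGroup -Properties member -Server $Root.Server |
    Select-Object Name, GroupScope, @{ n = 'DirectMembers'; e = { $_.member } }
Get-ADGroup -Identity $uGroup -Properties member -Server $Root.Server |
    Select-Object Name, GroupScope, @{ n = 'DirectMembers'; e = { $_.member } }
```

Because the ACL entry references only the domain local group, adding another domain later means creating one more global group there and nesting it in the universal group; the file server's ACL never changes.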
Administrators can use the same method to create their own domain local groups, to which they will delegate administrative tasks and user rights for particular OUs. Then, after creating global groups (or universal groups for forest-wide assignments) and adding them to the domain local groups, the structure is in place.
The procedure for creating groups in Active Directory Administrative Center or Active Directory Users And Computers is nearly identical to that for creating OUs. When you create a group, you must specify a name for the group object. The name you select can be up to 64 characters long and must be unique in the domain. You must also choose a group type and a group scope. Figure 5-22 shows the Create Group window in Active Directory Administrative Center.
FIGURE 5-22 Creating a group in Active Directory Administrative Center
The New Object – Group dialog box in Active Directory Users And Computers looks slightly different, but contains the same basic controls.
Although the graphical AD DS utilities are a convenient tool for creating and managing groups individually, they are not the most efficient method for creating large numbers of security principals. The command-line tools included with Windows Server 2012 R2 enable you to create and manage groups in large numbers by using batch files or other types of scripts. Some of these tools are discussed in the following sections.
CREATING GROUPS FROM THE COMMAND LINE
You can use the Dsadd.exe tool to create new user objects, and you can also use the program to create group objects. The basic syntax for creating group objects with Dsadd.exe is as follows:
dsadd group <GroupDN> [parameters]
The <GroupDN> parameter is the LDAP distinguished name (DN) of the new group object you want to create, in the same format as the DNs used in the CSV import files discussed earlier.
By default, Dsadd.exe creates global security groups, but you can use command-line parameters to create groups with other types and scopes and to specify members and memberships for the groups and other group object properties. The most commonly used command-line parameters are as follows:
– -secgrp yes|no: Specifies whether the program should create a security group (yes) or a distribution group (no). The default value is yes.
– -scope l|g|u: Specifies whether the program should create a domain local (l), global (g), or universal (u) group. The default value is g.
– -samid <SAMName>: Specifies the SAM name for the group object.
– -desc <description>: Specifies a description for the group object.
– -memberof <GroupDN ...>: Specifies the DNs of one or more groups of which the new group should be made a member.
– -member <ObjectDN ...>: Specifies the DNs of one or more objects (users, computers, or groups) that should be made members of the new group.
For example, to create a new global security group called Sales in the Users container and make the Administrator user a member, you would use the following command:
dsadd group "CN=Sales,CN=Users,DC=adatum,DC=com" -member "CN=Administrator,CN=Users,DC=adatum,DC=com"
To create a new group object by using Windows PowerShell, you use the New-ADGroup cmdlet. The -Name and -GroupScope parameters are required; -GroupCategory defaults to Security, and -Path defaults to the Users container if you omit it. The basic syntax is as follows:
New-ADGroup -Name <group name> -SamAccountName <SAM name> -GroupCategory Security|Distribution -GroupScope DomainLocal|Global|Universal -Path <distinguished name>
For example, to create a global security group called Sales in the Chicago OU of the adatum.com domain, you would use the following command:
New-ADGroup -Name Sales -SamAccountName Sales -GroupCategory Security -GroupScope Global -Path "OU=Chicago,DC=adatum,DC=com"
Managing group memberships
Unlike the Active Directory Administrative Center, which enables you to specify a group’s members as you create the group, in Active Directory Users And Computers you must create the group object first, and then add members to it.
To add members to a group, select it in the console and, from the Action menu, select Properties to open the group’s Properties sheet and then select the Members tab.
On the Members tab, you can add objects to the group’s membership list, and on the Member Of tab, you can add the group to the membership list of another group. For both these tasks, you use the standard Select Users, Contacts, Computers, Service Accounts, Or Groups dialog box to choose objects.
Once you enter or find the objects you want to add, click OK to close the Properties sheet and add the objects to the group’s membership list.
MANAGE GROUP MEMBERSHIP BY USING GROUP POLICY
It is also possible to control group memberships by using Group Policy. When you create Restricted Groups policies, you can specify the membership for a group and enforce it, so that changes made to the membership will be reversed during the next policy refresh.
To create Restricted Groups policies, use the following procedure.
1. From Server Manager, open the Group Policy Management Console, create a new GPO and link it to your domain.
2. Open the GPO in the Group Policy Management Editor and browse to the Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups folder, as shown in Figure 5-23.
FIGURE 5-23 The Restricted Groups folder in the Group Policy object
3. Right-click the Restricted Groups folder and, from the shortcut menu, select Add Group to open the Add Group dialog box.
4. Type or browse to add a group object and click OK. The group appears in the Restricted Groups folder and a Properties sheet for the policy appears, as shown in Figure 5-24.
FIGURE 5-24 The Properties sheet for a Restricted Groups policy
5. Click one or both of the Add buttons to add objects that should be members of the group or other groups of which the group should be a member.
6. Click OK.
7. Close the Group Policy Management Editor and Group Policy Management consoles.
The members you specify for a group in a Restricted Groups policy are the only members permitted to remain in that group. The policy does not prevent administrators from modifying the group membership by using other tools, but the next time the system refreshes its group policy settings, the group membership list will be overwritten by the policy. The two lists on the Properties sheet behave differently: Members Of This Group is enforced exclusively, so any account not listed is removed at refresh, whereas This Group Is A Member Of only adds the group to the listed groups and never removes it from others. Because the setting is processed by the computer the GPO applies to, it is most often used to control local groups such as Administrators on member servers and workstations; to control a domain group's membership this way, the GPO must apply to the domain controllers.
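Restricted Groups enforces a "only these members may remain" rule at each policy refresh. The script below is an added example, not code from the original text, that applies the same rule to domain groups from a script: it compares each group's direct membership with an approved baseline, reports every discrepancy, and can repair it. It assumes the ActiveDirectory module is available and uses a baseline constructed for illustration (the group and account names are not from the page) that you would replace with your approved list.

```powershell
# Added example (not from the original text): audit and optionally repair
# drift between a group's actual direct membership and an approved baseline.
# The baseline names below are constructed for illustration.
Import-Module ActiveDirectory

# Approved direct members per group (SamAccountNames). Privileged groups are
# the usual targets: an unexpected extra member is how privilege creep and
# attacker persistence show up.
$Baseline = @{
    'Domain Admins'          = @('Administrator', 'ops-dadmin1')
    'DL-EnterpriseDB-Modify' = @('U-EnterpriseDB-Users')
}

function Get-GroupDrift {
    # Emits one object per discrepancy; no output means every group matches.
    param([Parameter(Mandatory)][hashtable]$Baseline)
    foreach ($groupName in $Baseline.Keys) {
        $expected = @($Baseline[$groupName])
        # Direct members only: nested membership is a separate check.
        $actual = @(Get-ADGroupMember -Identity $groupName | ForEach-Object SamAccountName)
        foreach ($m in $actual) {
            if ($m -notin $expected) {
                [pscustomobject]@{ Group = $groupName; Member = $m; Problem = 'Unexpected' }
            }
        }
        foreach ($m in $expected) {
            if ($m -notin $actual) {
                [pscustomobject]@{ Group = $groupName; Member = $m; Problem = 'Missing' }
            }
        }
    }
}

function Repair-GroupDrift {
    # Removes unexpected members and adds missing ones. Supports -WhatIf so a
    # first run shows what would change without touching the directory.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][hashtable]$Baseline)
    foreach ($f in Get-GroupDrift -Baseline $Baseline) {
        $action = if ($f.Problem -eq 'Unexpected') { 'Remove' } else { 'Add' }
        if (-not $PSCmdlet.ShouldProcess($f.Group, "$action member $($f.Member)")) { continue }
        if ($action -eq 'Remove') {
            Remove-ADGroupMember -Identity $f.Group -Members $f.Member -Confirm:$false
        } else {
            Add-ADGroupMember -Identity $f.Group -Members $f.Member
        }
    }
}

# Report first, then rehearse the repair. Drop -WhatIf only after the output
# matches what you intend; scheduled, this behaves like a policy refresh.
Get-GroupDrift -Baseline $Baseline | Format-Table -AutoSize
Repair-GroupDrift -Baseline $Baseline -WhatIf
```

Unlike Restricted Groups, which runs on the computer the GPO applies to, this runs wherever the ActiveDirectory module is installed and needs rights to modify each listed group; keep the report-only call in monitoring and treat any Unexpected finding on a privileged group as an incident to investigate before removing the member.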
MANAGING GROUP OBJECTS BY USING DSMOD.EXE
Dsmod.exe enables you to modify the properties of existing group objects from the Windows Server 2012 R2 command prompt. By using this program, you can perform tasks such as adding members to a group, removing them from a group, and changing a group’s type and scope. The basic syntax for Dsmod.exe is as follows:
dsmod group <GroupDN> [parameters]
The most commonly used command-line parameters for Dsmod.exe are as follows:
– -secgrp yes|no: Sets the group type to security group (yes) or distribution group (no).
– -scope l|g|u: Sets the group scope to domain local (l), global (g), or universal (u).
– -addmbr <members>: Adds members to the group. Replace <members> with the DNs of one or more objects.
– -rmmbr <members>: Removes members from the group. Replace <members> with the DNs of one or more objects.
– -chmbr <members>: Replaces the complete list of group members. Replace <members> with the DNs of one or more objects.
For example, to add the Administrator user to the Guests group, you would use the following command:
dsmod group "CN=Guests,CN=Builtin,DC=adatum,DC=com" -addmbr "CN=Administrator,CN=Users,DC=adatum,DC=com"
As group functions change, you might need to change a group object’s type. To change the type of a group, open the group’s Properties sheet in the Active Directory Administrative Center or the Active Directory Users And Computers console. On the General tab, you can modify the Group Type option and click OK.
The process for changing the group’s scope is the same, except that you select one of the Group Scope options on the General tab. The AD DS utilities only enable you to perform permissible scope changes. Table 5-1 lists the scope changes that are permitted.
TABLE 5-1 Active Directory Group Scope conversion restrictions
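The graphical tools only offer permissible scope changes; from a script you must respect the same rules yourself. The following is an added example, not code from the original text, that changes a group's scope with Set-ADGroup: it checks the membership conditions that block a conversion before attempting it, and routes a Global to Domain Local change (or the reverse) through Universal, which is the only scope reachable from both. It assumes the ActiveDirectory module is available; the group name in the usage line is constructed for illustration.

```powershell
# Added example (not from the original text): scope conversion with Set-ADGroup
# that pre-checks the rules blocking a change and hops through Universal when
# there is no direct conversion. The group name in the usage line is assumed.
Import-Module ActiveDirectory

# groupType bits from the AD schema, used to classify member groups.
$GT_DOMAINLOCAL = 0x4
$GT_UNIVERSAL   = 0x8

function Get-ScopeChangeBlockers {
    # Returns the DNs that prevent $Group from being converted to $NewScope; no
    # output means the change is permitted. Objects that cannot be resolved
    # from this domain are skipped (they cannot be same-domain global or domain
    # local groups), so Set-ADGroup remains the final authority.
    param([Parameter(Mandatory)]$Group, [Parameter(Mandatory)][string]$NewScope)
    $memberGroups = foreach ($dn in $Group.member) {
        $o = Get-ADObject -Identity $dn -Properties groupType -ErrorAction SilentlyContinue
        if ($o -and $o.ObjectClass -eq 'group') { $o }
    }
    switch ("$($Group.GroupScope)->$NewScope") {
        # A global group nested in another global group cannot become universal.
        'Global->Universal' {
            foreach ($dn in $Group.memberOf) {
                $parent = Get-ADGroup -Identity $dn -ErrorAction SilentlyContinue
                if ($parent -and $parent.GroupScope -eq 'Global') { $dn }
            }
        }
        # A domain local group containing other domain local groups cannot become universal.
        'DomainLocal->Universal' {
            $memberGroups | Where-Object { $_.groupType -band $GT_DOMAINLOCAL } | ForEach-Object DistinguishedName
        }
        # A universal group containing other universal groups cannot become global.
        'Universal->Global' {
            $memberGroups | Where-Object { $_.groupType -band $GT_UNIVERSAL } | ForEach-Object DistinguishedName
        }
        # Universal->DomainLocal is always allowed; Global<->DomainLocal has no
        # direct conversion and is handled by the caller.
    }
}

function Set-GroupScopeSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('DomainLocal', 'Global', 'Universal')][string]$TargetScope
    )
    $group   = Get-ADGroup -Identity $Identity -Properties member, memberOf
    $current = [string]$group.GroupScope
    if ($current -eq $TargetScope) { return $group }

    $steps = if (@($current, $TargetScope) -notcontains 'Universal') {
        @('Universal', $TargetScope)   # Global <-> DomainLocal: two hops
    } else {
        @($TargetScope)
    }
    foreach ($step in $steps) {
        $blockers = @(Get-ScopeChangeBlockers -Group $group -NewScope $step)
        if ($blockers.Count -gt 0) {
            throw "Cannot change '$Identity' from $($group.GroupScope) to ${step}; fix these first: $($blockers -join '; ')"
        }
        if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "change scope $($group.GroupScope) -> $step")) {
            Set-ADGroup -Identity $group -GroupScope $step -ErrorAction Stop
        }
        $group = Get-ADGroup -Identity $Identity -Properties member, memberOf
    }
    $group
}

# Usage (constructed name): AD DS refuses a direct Global -> DomainLocal change,
# so this converts via Universal and stops early if a membership rule blocks it.
Set-GroupScopeSafely -Identity 'G-EnterpriseDB-Users' -TargetScope DomainLocal -WhatIf
```

The group keeps its SID through every hop, so ACL entries that reference it stay valid; what changes is who the group may contain and where it may be used, which is exactly what the pre-check guards.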
Deleting a group
As with user objects, each group object that you create in AD DS has a unique, nonreusable SID. Windows Server 2012 R2 uses the SID to identify the group and the permissions assigned to it.
When you delete a group, Windows Server 2012 R2 does not use the same SID for that group again, even if you create a new group with the same name as the one you deleted. Therefore, you cannot restore the access permissions you assigned to resources by re-creating a deleted group object; the ACL entries that named the old SID remain, but they no longer match any principal. You must add the newly re-created group as a security principal in the resource's access control list (ACL) again. The exception is a restore of the original object: if the Active Directory Recycle Bin is enabled, a deleted group can be restored with its original SID and membership, and its existing ACL entries become effective again.
When you delete a group, you delete only the group object and the permissions and rights specifying that group as the security principal. Deleting a group does not delete the objects that are members of the group.
This article is part of the 70-410 Installing and Configuring Windows Server 2012 prep course.