Active Directory security groups

What is a security group in Active Directory?

Security groups in Active Directory (AD) provide access permissions to resources within the AD environment. To enable a set of users, computers, or groups to access a particular resource like a shared folder, IT admins can add them to a security group with the relevant permissions, instead of assigning the permissions to each individual object. This way, security groups allow IT admins to manage the permissions of multiple AD objects both simultaneously and efficiently.

AD security group scopes

The security group's scope determines its visibility within the forest, and its potential members. Every security group must belong to one of the following three scopes: domain local, global, or universal. It is important to choose the appropriate scope for a security group when it's created, as the scope will decide how the group can be used while assigning permissions.

AD security group permissions

AD users require access to various resources, such as files, folders, computers, printers, etc. The access level may vary for different users based on their roles. For example, within a domain, a user from a production team may need the permission to modify a file, whereas a user from the HR team may require only read access. The complexity increases when the permissions are assigned to users from different domains. To avoid complication and to make permission management easier, admins should:

  • Enforce a consistent naming convention
  • Implement group nesting

Adopting security group nesting and naming convention

Nesting is the practice of making one AD group a member of another. Security groups, when nested correctly, simplify the management of users' permissions to resources both within and across AD domains. It is a best practice to follow the AGDLP and AGUDLP models for security group nesting, as described below:

Assigning permissions to resources within an AD domain

The AGDLP model can be used when there is just one domain within an AD environment. In this model, global groups serve as account groups and domain local groups serve as resource groups. As account groups, global groups are used to organize user and computer accounts based on their roles or organizational hierarchy. For example, an administrator can create a global group with a suitable name, such as "G-HR Team", and add all members of the HR team to this group. In the group name, "G" denotes that it is a global group.

As resource groups, domain local groups are used to assign permissions to resources in a domain. For example, if the HR team requires read access to a shared folder, the administrator can add the "G-HR Team" global group to a domain local group with a suitable name such as "DL-Shared Folder Access-R". Here, "DL" denotes that it's a domain local group and "R" denotes that the group is assigned the "read" permission.

Assigning permissions to resources across multiple AD domains

The AGUDLP model can be implemented when there are multiple domains within the forest. In this model, several global groups, each containing user and computer accounts from its own domain, are added to a universal group. The universal group is then added to a domain local group with the required permissions. For example, let's say another HR team from a different domain also needs access to the same shared folder from the previous example. In that case, the administrator can add the two global groups, each containing the HR team from its respective domain, to a universal group. The universal group can have a suitable name such as "U-HR Team", where "U" denotes that it has universal scope. This universal group can in turn be added to the "DL-Shared Folder Access-R" domain local group to allow the HR teams from both domains to access the shared folder.

Universal groups can serve either as account groups or as resource groups, depending on the requirement.

How to create a security group in AD

To create a security group, go to Server Manager > Tools > Active Directory Users and Computers.

  1. Navigate to the container or the OU in which you want to create the security group.
  2. Select Action, click New, and then click Group.
  3. Enter a suitable name for the group in the Group name field.
  4. Depending on how you want to use this group, select either Domain local, Global or Universal from the Group scope section.
  5. Select Security from the Group type section.
  6. Click OK.

How to add a member to a security group

To add a member to a security group,

  1. Go to Server Manager > Tools > Active Directory Users and Computers.
  2. Right-click on the security group created.
  3. In the Properties window, select the Members tab and click Add...
  4. Enter the name of the user, computer, or the group that you want to add and click Check Names to validate the name.
  5. Click OK.

How to assign permissions to a security group

To grant access permissions to a security group,

  1. Right-click on the object or resource to which you want to provide access and click Properties.
  2. Click the Security tab from the properties window, click Advanced, and then click Add.
  3. Click Select a principal, enter the name of the security group, and then click Check Names to validate the name.
  4. Click OK.
  5. Select the permission type from the Type dropdown.
  6. From the list of Basic permissions, check the permissions that you want to assign to the security group. You can also click Show advanced permissions to assign permissions more granularly.
  7. Click OK.
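The same outcome as the three click-through procedures above, and the AGDLP/AGUDLP nesting from the earlier sections, as an added PowerShell example (not from the original page). It uses the ActiveDirectory module; the OU path, share path, domain names and account names are assumed values.

```powershell
# Added example: builds the A -> G -> DL <- P chain described in the text.
# Assumed: OU for new groups, share path, NetBIOS domain CORP, sample accounts.
Import-Module ActiveDirectory

$ou        = 'OU=Groups,DC=corp,DC=example'   # assumed OU for the new groups
$sharePath = '\\fs01\HRDocs'                  # assumed shared folder

# G: global account group holding the HR team's accounts ("G-HR Team")
New-ADGroup -Name 'G-HR Team' -GroupScope Global -GroupCategory Security `
    -Path $ou -Description 'HR team accounts'
Add-ADGroupMember -Identity 'G-HR Team' -Members 'alice', 'bob'   # assumed sAMAccountNames

# DL: domain local resource group; "-R" records the permission it carries
New-ADGroup -Name 'DL-Shared Folder Access-R' -GroupScope DomainLocal `
    -GroupCategory Security -Path $ou -Description 'Read on \\fs01\HRDocs'

# G -> DL: nest the account group inside the resource group
Add-ADGroupMember -Identity 'DL-Shared Folder Access-R' -Members 'G-HR Team'

# P: the ACE is granted once, to the domain local group only, never to users
$acl  = Get-Acl -Path $sharePath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'CORP\DL-Shared Folder Access-R',
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# AGUDLP extension: the HR global group of a second domain (assumed
# emea.corp.example) and the local one both join a universal group, which is
# nested in the same domain local group. The share's ACL does not change.
New-ADGroup -Name 'U-HR Team' -GroupScope Universal -GroupCategory Security -Path $ou
$remoteHr = Get-ADGroup -Identity 'G-HR Team' -Server 'emea.corp.example'
Add-ADGroupMember -Identity 'U-HR Team' -Members 'G-HR Team', $remoteHr
Add-ADGroupMember -Identity 'DL-Shared Folder Access-R' -Members 'U-HR Team'

# Verify the chain resolves end to end: every HR account should appear here
Get-ADGroupMember -Identity 'DL-Shared Folder Access-R' -Recursive |
    Select-Object name, objectClass
```

Adding a new team later means one Add-ADGroupMember on the universal or global group; the share's ACL is never touched again.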

Why is it necessary to monitor security groups?

Security groups play a vital role in assigning and managing permissions to important domain resources. This makes security groups the prime target for external attackers and malicious insiders who use them to escalate privileges and sabotage the network. Continuously monitoring your security groups for type, scope, and membership changes can help you spot unauthorized actions and protect your business-critical resources from compromise.
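One way to do the monitoring described above with built-in tooling, as an added PowerShell example (not from the original page or the product it describes): it reads the security-group-management events from a domain controller's Security log and flags changes to admin groups. It assumes the "Audit Security Group Management" audit subcategory is enabled on the DC and that the caller can read its Security log; the DC name is an assumption.

```powershell
# Added example: reports membership, attribute and type changes to security
# groups from a DC's Security log. Assumed DC name and lookback window.
$dc    = 'dc01.corp.example'          # assumed domain controller
$since = (Get-Date).AddHours(-24)

# 4728 / 4732 / 4756: member added to a global / domain local / universal security group
# 4729 / 4733 / 4757: member removed from the same scopes
# 4737 / 4735 / 4755: global / domain local / universal group changed
# 4764: group type changed (e.g. distribution -> security)
$ids = 4728, 4729, 4732, 4733, 4756, 4757, 4735, 4737, 4755, 4764

$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName = 'Security'; Id = $ids; StartTime = $since }

$report = foreach ($e in $events) {
    # EventData fields are only reachable through the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Group  = $d['TargetUserName']
        Member = $d['MemberName']      # empty for non-membership events (4735/4737/4755/4764)
        Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
    }
}

# Built-in groups that confer broad control, plus anything named like an admin group
$watch = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
         'Administrators', 'Account Operators'
$report |
    Where-Object { $watch -contains $_.Group -or $_.Group -like '*Admin*' } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Run it against every DC, since each DC logs only the changes it processed; a change made on one DC does not appear in another DC's Security log.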

How ADAudit Plus helps in auditing changes to your security groups

ManageEngine ADAudit Plus is a real-time change auditing solution that helps keep your AD, Azure AD, file servers, Windows servers, and workstations both secure and compliant. With over 250 preconfigured reports, ADAudit Plus provides deep insights into all the activities happening within your AD and Azure AD environments. Using ADAudit Plus, you can:
