Active Directory groups
What is an Active Directory group?
Active Directory (AD) groups enable administrators to bring together and manage a set of users, computers, or other groups as a single object. Any change an admin makes to a group will be applied to all the objects within that group, eliminating the need for the admin to deal with individual user or computer accounts. Groups are primarily used for assigning permissions to AD resources and as email distribution lists.
Types of groups in AD
There are two types of AD groups: distribution groups and security groups.
What is a distribution group?
Distribution groups are used for sending email messages to a target set of users via Microsoft Exchange or Outlook. Distribution group membership can be managed based on who will be receiving the messages. Distribution groups cannot be used to assign permissions to resources.
What is a security group?
Security groups are used to grant users, computers, and sub-groups access to resources. The access permissions assigned to a security group vary depending on the roles of its members. Security groups can also be used to filter Group Policy settings to a set of AD objects, allowing the admin to have granular control over the AD environment.
Group scopes
There are 3 scopes for AD groups. A group's scope determines the possible members it can contain, as well as its visibility across the domains in a forest. The 3 group scopes are:
- Domain Local
- Global
- Universal
What is a domain local group?
Domain local groups are visible only within the domain in which they are created. Users, computers, global groups, and universal groups from all trusted domains across forests can be members of a domain local group. They can also contain other domain local groups from within the same domain. Domain local groups are intended to be used for granting permissions to resources in their domain.
What is a global group?
Global groups are visible across multiple domains within a tree. Global groups can contain users, computers, and other global groups only from within the same domain in which they are created. They are intended to organize the users or computers in a domain based on the roles they fulfill. For example, a global group can be created to contain all members of the HR team in an organization.
What is a universal group?
Universal groups are visible throughout the entire forest. Users, computers, global groups, and other universal groups from all domains across the forest can be members of a universal group. They are used in multi-domain environments for assigning permissions to domain-specific resources. A universal group's membership is stored in the Global Catalog Server (GSC) and replicated across the forest.
Group scope conversion
It is possible to change a group's scope if the following conditions are satisfied:
- A domain local group can be converted to universal scope if it does not contain any other domain local groups as members.
- A global group can be converted to universal scope if it is not a member of any other global group.
- A universal group can be converted to domain local scope if it is not a member of any other universal group.
- A universal group can also be converted to global scope if it does not contain any other universal group as a member.
The table below summarizes how the 3 different group scopes work:
Group scope | Group members | Scope conversion | Membership |
---|---|---|---|
Domain local | Users, computers, and global groups from any trusted domain, external domains, or other forests. Universal groups from any domain in the same forest, external domains, or other forests. Domain local groups from the same domain. |
Can be converted to universal scope if it does not contain other domain local groups as members. | Can be added to other domain local groups in the same domain. |
Global | Users, computers, and other global groups from the same domain. | Can be converted to universal scope if it's not a member of other global groups. | Can be added to domain local and universal groups from any domain in the same forest. Can be added to other global groups in the same domain. Can be added to domain local groups from any trusting domain. |
Universal | Users, computers, global groups, and universal groups from any domain in the same forest. | Can be converted to domain local scope if it's not a member of other universal groups. Can be converted to global scope if it does not contain other universal groups as members. |
Can be added to domain local groups and universal groups in the same forest Can be added to domain local groups from trusting forests. |
Auditing groups in AD
Groups play a vital role in managing multiple AD objects at once. Improper tampering with AD groups can result in users instantly losing their permissions to important resources. That's why activities like group creation, modification, and deletion—along with any membership changes—need to be closely monitored to avoid unauthorized actions by unwitting or malicious insiders. Spotting these changes using AD's native auditing capabilities can prove to be a cumbersome task for the IT admins. This process can be greatly simplified with the help of the right tool.
How ADAudit Plus helps in auditing changes to your AD groups
ManageEngine ADAudit Plus is a UBA-driven, real-time change auditing tool that helps you audit, analyze, and secure your AD, Azure AD, file servers, Windows servers, and workstations. Equipped with more than 250 pre-configured reports, ADAudit Plus provides full visibility into the activities happening within your AD and Azure AD environment. With ADAudit Plus, you can:
- Keep tabs on group membership changes with dedicated reports.
- Track the creation, deletion, and modification of security and distribution groups.
- Identify and troubleshoot account lockouts effectively with our account lockout analyzer.
- Analyze Active Directory logon failures using user logon failure auditing tool.
- Detect and respond to insider threats in time with UBA-powered insider threat detection.
- Audit every change across your Azure AD environment with our Azure AD reporting tool.
- Spot unauthorized file changes across Windows, NAS, Synology, Hitachi, and more with our file change monitoring tool.
- Monitor the changes made to group policy settings using our GPO change auditor.
- Gauge the productivity of your workers with our employee productivity tracker.
- Demonstrate compliance easily using Active Directory compliance reporting for GDPR, HIPAA, PCI DSS, and other mandates.
Try all these features and more for 30 days with a free, fully-functional trial. Alternatively, you can also schedule a personalized demo for a guided walkthrough of ADAudit Plus.
Don't wait for your annual compliance audit.
- Audit your AD and Azure
- Monitor user logon
- Troubleshoot AD lockouts
Thanks!
Please check your inbox for demo details.