Active Directory literally holds the keys to your kingdom. If the right security principles aren’t set up and you are giving excessive permissions to your users, you are leaving yourself exposed to potential security threats.
Within Active Directory, there are numerous security protocols to choose from to implement a policy of least privilege where you are only granting administrative access to those that genuinely need it.
In this blog, we will go through exactly what security groups in Active Directory are, the difference between distribution groups and security groups, what security groups can be used for and exactly how to create one.
What Are Active Directory Groups?
Active Directory, in general, is a program that sorts users into various groups. It is a centralized platform that most enterprises use to manage their computer accounts and to grant access to sensitive data.
An Active Directory group is a group of users that have been given access to certain resources. There are two ways that groups can be given this kind of access; through a Globally Unique Identifier (GUID) or a Security Identifier (SID).
SIDs are mostly used when access wants to be given to specific users, whereas GUIDs are used when grouping together users who all need access to the same resources.
Groups can be created based on individual users that all need access to certain resources, or they can be created based on global groups (such as department), or members of a certain domain.
Types of Active Directory Groups
Active Directory groups are split into two categorizations – Active Directory Security Groups and Active Directory Distribution Groups.
The actual type of group you need will depend on the required function of the group. Distribution groups are simpler in that they would be used if only one-way notifications are required from the central controller. Security groups are more complex, and they are applied when you want to enable users to access and modify data.
Security teams need to pay far more attention to security groups to ensure that permissions do not sprawl out of control and that the risks to the security of your data are mitigated.
Why Should You Use Active Directory Security Groups?
Security groups are vital when it comes to maintaining appropriate access rights to your most sensitive data. The ability to group users into pots to assign levels of permissions is incredibly useful for maintaining a policy of least privilege.
For example, you can use Active Directory security groups to assign high level permissions to members of the board so that they can submit financial information and KPIs for their colleagues. You can also use security groups to assign lower level permissions to new joiners.
Active Directory security groups can also be modified via the AD portal, where users can be moved around or removed completely.
How to Create a Security Group in Active Directory
The following steps apply to Windows 10 and to Windows Server 2016. Please note that you are going to need to be a member of the Domain Administrators group, or have the correct permissions already applied, to be able to create new groups yourself.
How to Improve the Security of Your Active Directory Security Groups
Many enterprises must deal with joiners, leavers, and movers within their environment. As users change roles, leave the business, or start a new role, their required permissions will be different.
Unfortunately, many enterprises are not communicating effectively enough with the IT and security teams to ensure that permissions and members of security groups are maintained appropriately. In the worst-case scenario, this could potentially lead to insider threats getting their hands on your most sensitive data.
The Lepide Active Directory Auditor (part of Lepide Data Security Platform) will give you the ability to instantly generate a list of users who have been deemed to hold “excessive permissions”, or generate alerts in real time when permissions are changed, so that you can take the required steps to maintain your policy of least privilege.
To see the solution in action, schedule a demo with one of our engineers today or download free trial.
Active Directory groups are methods for collecting users, contacts, computers, and even other groups’ objects within Active Directory so that you can manage the objects in the group as a single unit.
Objects in Active Directory Groups
Objects that belong to a particular group are referred to as group members. Using groups can simplify the permission administration by assigning a set of permissions to a security group once, rather than assigning permissions and rights to each group member individually.
Active Directory has several built-in groups that you can use to assign users or computers too, so they have the permissions they need to get their jobs done. You can also create your own groups and assign those groups various levels of access and permissions. Active Directory enables administrators to manage all objects and services from one centralized location rather than having to go from computer to computer to get things done. Many other programs can tie into Active Directory to manage user accounts and other objects as well.
Table Of Contents
Uses of Active Directory Groups
To simplify administration by assigning share (resource) permission to groups rather than individual users in the active directory. When you assign permission to a group, all its members have the same access to the resource
To delegate the control by assigning user rights to a group using Group Policies. In the future, you can add new members to the group who need the permission granted by this group.
Create Distribution List
One of the major use of groups with in active directory service is to create email distribution lists.
Types of Active Directory Groups
As we discussed above, Active Directory groups are a collection of Active Directory objects. The group can include users, computers, other groups, and other AD objects. The administrator manages the group as a single object.
In Windows, there are seven types of active directory groups that involves two domain group types with three scopes in each and a local security group as follows:
Domain Groups Types
Group Scopes in Active Directory
Local Security Group
We were demonstrating how to manage the creation and automation of Active Directory security groups and distribution lists before we realized that we had no idea what the differences were between the types groups: security and distribution groups, and the group scopes: universal groups (UG), global groups (GG), and domain local groups (DLG).
With a little work, we dug out enough info for this cheat sheet on Active Directory groups:
The two Domain Groups consist of Security groups and Distribution groups and within these two groups we have three group scopes which will be discussed next. When creating a new Active Directory group, you will need to choose between a Security and Distribution group as also choose the group scope. You use distribution groups to create e-mail distribution lists and security groups to assign permissions to shared resources.
Used with care, security groups provide an efficient way to assign access to resources on your network. Security groups have two main functions:
Assign User Rights
IT administrators can assign user rights to a security group that determines what group members can do. For instance, if a user is added to the Backup Operations security group, he/she will have the ability to restore the files and directories located on every domain controller (DC) in the domain. This is because, by default, the user rights pertaining to ‘Backup files and directories’ and ‘Restore files and directories’ are assigned to the Backup Operations group, and all group members inherit these rights.
Grant Permissions to Resources
By granting permissions to security groups on shared resources, IT administrators allow group members to access the company’s resources, like shared printers, secured folders, and financial records. For example, the Human Resources security group will have access to employees’ data, which is confidential and cannot be shared with other departments.
Security groups can also be used as a distribution group in Exchange. These are known as security-enabled distribution groups or mail-enabled security groups.
Read More: Active Directory Security Groups Uses & Best Practices
Distribution groups are designed to combine users together so that you can send e-mails (via Microsoft Exchange Server) collectively to a group rather than individually to each user in the group. Distribution groups are designed to be used for e-mail specifically and cannot be granted Windows permissions. The terms “distribution groups” and “distribution lists” tend to be used interchangeably, particularly if you work with Microsoft Exchange Server administrators. Don’t let this trip you up!
Read more: Distribution Group or Mail-enabled Security Group?
Group Scopes in Active Directory
When setting up a security or distribution group you will also need to choose a scope for that group so Active Directory knows how to assign the permissions to the resources that group is allowed to access. Groups, whether security groups or distribution groups, are defined by a definition that identifies the scope to which the group is applied in a domain or forest.
There are three group scopes in active directory: universal, global, and domain local.
Universal Groups vs Domain Local Groups vs Global Groups
Following differences between Group Scopes are generally defined, but they may be subjective to each use case.
Domain Local GroupsGlobal GroupsUniversal GroupsMembershipsCan contain users from any domainCan contain users from the same domainCan contain users from any domain within the forest where this Universal Group residesCan contain Global groups from any domainCan contain Global groups from the same domainCan contain Global groups from any domain within the forest where this Universal group residesCan contain Universal groups from any domainCan contain Universal groups from any domain within the forest where this Universal group residesCan contain Domain Local groups but only from the same domainPermissionsPermissions can only be assigned to members inside the domainPermissions can be assigned in any domainPermissions can be assigned in any domain or forestForest-Wide ReplicationDomain Local groups do not trigger forest-wide replication on any change in group membershipsGlobal groups don’t trigger forest-wide replication on any change in group membershipsUser accounts should not be added directly into a Universal group, as it triggers forest-wide replication on each addition and removalScopeCan be perceived as resource groups to provide access to the domainCan be perceived as account groups primarily used to group users in the same domainCan be perceived as both resource and account groupsMemberOfCannot be made a member of Global groupsCan be made members of Domain Local groups to share the respective access to resourcesCan be a member of any group type in the forest.Converted IntoCan be converted to a Universal group (if no other Domain Local group exists as a member)Can be converted to a Universal group (if the group is not a member of any other Global group)Can be converted to a Domain Local group or a Global group (if no other Universal groups exist as members)
Uses of Universal Groups
Group Consolidation Spanning Across Domains
Universal Scope groups are used for consolidating groups across domains. The best practices recommended to consolidate groups are as follows:
Using the above two steps prevents any change in groups with universal scope even with the change in users’ memberships within groups with global scope. Moreover, adding or removing a user in a group triggers replication at different levels depending upon the type of group. For example:
Use Case for Universal Groups
Consider there are two domains are in a network Asia & United States. A universal group named UMarketing which in turn has two global groups, Asia\GLMarketing and US/GLMarketing as its members belong to each domain. Replication will not trigger in Universal Group UMarketing due to any change in memberships of individual Global Scope Groups Asia\GLMarketing and US/GLMarketing.
However, linked-value replication (associated with a change in Domain linked attribute) leads towards replicating the change in attributes of universal groups (modified membership) only into global catalogue server, provided that the windows server 2003 or higher is a forest’s functional level.
Uses of Global Groups
Use Case for Global Groups
Consider a network with two domains Asia and United States. In Asia, we have a group with global scope USA/GGMarketing. Considering GGMarketing groups have certain rights and permission associated with them in the USA domain and we want to provide user members in those groups with the same rights and permission in Europe as well. To achieve that, we will create GGMarketing in the Europe domain as well. Thus, applying such a group in the European domain is an example of logical groups management.
When to Avoid using Global Groups?
The use of global groups for assigning access to resources that are domain-specific is not recommended since global groups are visible across the forest. For this use case, domain local groups are recommended to use.
Uses of Domain Local Groups
Uses of domain local groups involve:
Domain local groups would also include other groups to enable other members to get permissions that the group has assigned.
Use Cases for Domain Local Group
Managing Resource Permissions
Domain local scope groups enable IT in defining and managing access to resources in a single domain. All user accounts can be added to a list of resource permissions. Let’s consider different use cases.
Such access management of resources can be managed with adequate planning by creating active directory groups with a domain local scope and giving it permission to access a resource such as a printer. So, adding five user objects in an active directory group with a global scope, and then adding that group to domain local scope groups, with assigned permissions of domain local scope for accessing new printer, would enable users to access it. Hence, access to a new resource (printer) is automatically assigned to members of an active directory group.
Changing Group Scope in Active Directory Groups
You can change the scope or type of directory groups, but there are several conditions as follows:
Conditions to Change Group Scope in Active Directory
Convert Global Security Group to Universal Group
You can convert a global security group to a universal if the group is not part of another global group.
Convert Domain Local Group to Universal Group
You can convert a local domain group to a universal group if another local domain group is not added to list of its members.
Convert Universal Group to Domain Local Group
A universal group can be converted to a local domain group without any restrictions.
Convert Universal Group to Global Group
A universal group can be transformed into a global if it doesn’t contain another universal group as a member.
Active Directory groups are integral for managing user access to resources and distributing information. More importantly, effectively managing Azure AD and Active Directory groups is the most proactive security measure IT can put in place. Yet, Azure AD and Active Directory groups are rarely given a second look after they’re created, despite their impact on security, information distribution, and permissions management.
Active Directory Groups Management Best Practices
Imanami has been championing Active Directory groups management for thousands of customers for over 20 years and here are the seven best practices for Active Directory group management based on that experience:
As you consider implementing these best practices, it’s important to view them as a method both to clean up what you currently have and to manage your existing and newly created groups as you move forward.
#1: Always Know What You Have
To get control of your Active Directory groups, reorganize them, and establish a process for continual management, you must be aware of what you have in your directory. For that purpose, you can begin with inventorying the Active Directory groups along with focusing on the most neglected ones within your directory, which are likely to include the following:
Do it the easy way: GroupID by Imanami is equipped with features that enable you to stay informed on the current state of your groups. These features include:
Once you have visibility into the current state of your Active Directory and Azure AD groups, you can follow the remaining best practices to further organize, configure, use, and manage your groups.
#2: Use Standards
After uncovering the Active Directory groups, you’ll probably discover a few groups with mysterious or cryptic names, such as HQ-RTAudBkPr. Any idea what they are or what the name implies?
You wouldn’t be alone. Most IT professionals will have several of these — with barely any clue as to why they exist. Naming certainly is important, but it’s not the only thing that needs to be standardized as part of proper group management. Here are a few more standards you should consider when creating and organizing groups:
GroupID is built to easily implement standards in group names, scope, type, and descriptions.
#3: Establish Group Ownership
IT should be the delegator, not the owner of groups. From a best practice perspective, ownership is much more than merely populating the “Managed By” field with the Domain Admins group. It’s about looking beyond group creation and the process of initially adding members and assigning permissions. So, to create an Active Directory group, IT should designate one or more individuals within the organization as its owners, responsible for its membership, assigned permissions, and even its existence.
Read More: Active Directory Groups Multiple Owners Use Cases
This would not only reduce the workload on IT but also put ownership in the hands of:
In short, roles that are better positioned to decide whether the group has the right members and whether the assigned permissions are appropriate for the intended tasks. The goal is to empower end-users within the organization who are closest to the actual purpose the group serves.
#4: Implement Change Accountability
As a routine practice, users submit helpdesk tickets for getting added to various Active Directory groups, it’s often the case that these requests just ‘happen’, leaving you with little or no accountability. To help re-establish some accountability, you should change the process of how groups are modified so that changes would require the approval of the group owner or a person of authority before they are committed to the directory.
Tracking should include changes to:
You can employ several means to account for changes to groups.
Track all changes made to groups, from creation to deletion. GroupID Automate and Self-Service can log and maintain the history for each group, that you can view in group properties. Users who make changes to a group are also encouraged to add comments against changes, that could include a reason to justify the change.
Do you have processes in place to verify any changes made to objects within Active Directory and Azure AD? If not, then think about it now. Implement workflows to seek approval for the create, edit, and delete events for group objects in the directory.
Set a Group Security Type:
Using GroupID Automate and Self-Service, you can assign a security type to groups, based on their level of criticality. Security types are:
#5: Periodically Certify
Even if you have implemented accountability into your group changes, you should periodically perform an audit. For Active Directory groups, this audit should take the form of group attestation, where group owners must verify the group’s attributes, members, and permissions.
In addition to certifying that a group’s members and permissions are correct, you also need to periodically have the group’s owner attest to the need for the group’s existence.
For example, you might have a group that exists to provide access to a CRM application, but once you move to a cloud-based CRM system, you no longer need that group. Without making changes to your current model, that group is likely to remain in your directory for years to come. However, by establishing attestation, the application owner (who participated in the creation of the group and was responsible for it) can make the appropriate decision and inform IT that the group is no longer necessary.
#6: Automate Group Processes
IT teams and helpdesk bear the burden of manually managing active directory groups-related tasks, such as:
As such, it is not surprising that human error remains the driving force behind a sizeable chunk of cybersecurity problems.
As much caution as you may exercise, human error is inevitable in manual processes. A pragmatic approach to tackle the problem lies in automation, and directory group management is no exception. Fully or partially automating group-related processes, such as group creation, memberships, group expiry, and deletion, is certainly the right course.
#7: Delete Unnecessary Active Directory Groups
This is probably the least observed practice with groups. Why? If you’ve never performed any of the best practices noted above, you’ve never been in a situation where you were 100% sure that a group could be deleted. Had you implemented group attestation, you could have spoken with authority on the existence of every group. It’s simple – if a group has failed attestation by its owner, it’s time to eliminate that group. Manually deleting such a group is okay but it’s not the ideal approach to directory hygiene.
Automating the process of deleting expired groups is an easy way to achieve this goal. It is reasonable to assume that after a grace period, groups that were not validated through the attestation process and thereby became expired, should be deleted.
Using expiring groups is a much safer and more secure way of identifying and deleting groups that cannot be attested to. (If needed, an expired group can be renewed quickly.) GroupID puts this approach into practice through its Group Life Cycle policy.
Putting Best Practices into Practice
7 Best Practices for Managing Active Directory & Azure AD Groups.
As you implement these best practices, it will become evident that group life cycle management requires some form of automation. PowerShell can help temporarily, but it can become too complicated.
Built-in Active Directory Security Groups
Default or Built-In Active Directory security groups are automatically created on the servers running Windows OS. The following are the well-known default security groups:
There are some additional groups that are formed in Built-In and Users containers of a domain, such as:
Below each of these well-known default security groups are defined:
Administrators, a default active directory group has control over all domain controllers and associated data. Such groups can modify memberships of other Active Directory default groups such as Domain Admins, Enterprise Admins, and Schema Admins.
Backup operators are primarily responsible for backing up and restoring all files on a computer, irrespective of permissions concerning those files. Such active directory groups can’t be:
Backup operators can also backup and restore domain controllers. Memberships of Backup Operators Active Directory groups can be changed by the following ad group types:
Members of the Backup operator’s group do not have the ability to:
However, such group members do have the ability to replace files such as OS files on DCs.
Remote Desktop Users
Remote Desktop Users refers to a group designated to provide users and groups rights to initiate a remote session to an RD session host server. This group can’t be:
Remote Desktop Users appear as SID unless the following two conditions are met:
This group is added to the domain’s Administrators group. As a result, it inherits all the Administrators group’s capabilities. It’s also assigned to the local Administrators group of each domain member computer by default, allowing Domain Admins full control over all domain computers.
Enterprise admins Active Directory group has full access to all domain controllers and it is a member of the Administrators group. Moreover, it owns a directory configuration partition along with control for domain naming context.
This default Active Directory group controls and owns schema of Active Directory.
Uses of Built-In/Default Active Directory Groups
Such pre-defined groups in Active Directory can be used in the following two ways:
In default security groups within an Active Directory domain, users’ accounts are assigned certain privileges enabling them to follow perform tasks:
EXAMPLE: An example of such privileged access would be a group named Back up Operators, which would have access to backup files and folders across domain controllers within a specific domain. Hence, when you add a user to a group, the user inherits all the group’s user rights as well as all the group’s permissions for any shared resources.
Default groups can be found in the built-in container and the user’s container in Active Directory Users and Computers in the following way:
Movements of such groups within these containers are only limited to other groups or OUs (Organizational Units) within domains.
Changing Permissions on Built-In Administrator Groups
Objects within Active Directory employ security descriptors for controlling access. Security descriptors are primarily used to store information regarding permissions. A background process is initiated periodically to apply a security descriptor to protect groups such as administrative groups along with members within those groups. Any unauthorized attempt to edit such descriptors with respect to groups will be overwritten.
The AdminSDHolder object contains the security descriptor. If we are looking to change the permission on any of the administrator’s groups, it is considered important that we change the security descriptors on AdminSDHolder. However, it is also essential to be cautious while making those changes since we are modifying settings across protected administrators’ accounts.
Creating a Group with ADUC
Specify the below values in New Object – Group Menu:
Click OK to create the group
Creating a Group with ADAC
Following option can be utilized to open ADAC (Active Directory Administration Centre):
Active Directory Users and Computers can be opened by following options:
Select New -> Group from the menu, after you Right Click on the Domain Name.
Specify the below values in New Object – Group Menu:
Click OK to create the group
Creating a Group Using Command Prompt
Cmd.exe command can be used to create groups in Active Directory. Following the example of command use to create groups in active directory:
dsadd.exe group "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local"
Creating a Group Using Windows PowerShell
Powershell cmdlets can be used to create groups in Powershell. Following is the examples of Powershell Command lets used to create groups in Active Directory:
New-ADGroup -GroupCategory Security -GroupScope Global -Name "HelpDesk" -Path "OU=OfficeCorp,DC=office,DC=local" -SamAccountName "ITGroup
Read more: Active Directory & Azure AD Groups Management
FAQs on Group Scopes in Active Directory
What are group scopes in Active Directory?
Group scopes refers to the extent to which a group can be used with in an active directory domain or a forest
How many types of group scopes are there in Active Directory?
Following are three types of group scopes within active directory:
What are primary differences between universal, global and domain local group scopes in active directory?
GroupID by Imanami offers a suite of solutions that empowers IT professionals to manage groups, users, and entitlements effectively and automatically. Learn more about the suite of solutions under GroupID.
5 12 votes
Jonathan BlackwellView Profile
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.
What should an ad group be?
An ad group contains one or more ads that share similar targets. You set a bid, or price, to be used when an ad group's keywords trigger an ad to appear. This is called a cost-per-click (CPC) bid. You can also set prices for individual keywords within the ad group.
How do I write an ad group?
Add individual ad groups.
In the type list, select Ad groups..
In the toolbar, select Add ad group..
If prompted, select the destination campaign and click OK..
Enter the ad group name and one or more bids. Optional: Specify the ad group type. A newly created ad group's type is set to Default. Learn more about ad groups..
What is the difference between an ad group and a campaign?
The biggest difference is that ad groups are one level below campaigns in the account hierarchy. Campaigns directly control the goal and budget, while ad groups oversee the bids/CPC, audience/targeting, placement, and delivery options chosen to capture the audience.
What is a standard ad group?
Moving forward, standard ad groups can only contain text ads, call-only ads, and keywords. Dynamic ad groups can only contain Dynamic Search Ads and dynamic ad targets.