
Active Directory Group Objects Management

As the self-explanatory name suggests, this object represents a group. In AD, a group is an object that can contain a collection of users, computers, contacts, or even other groups as its members. It simplifies the administrative burden.

For example, if 100 employees in an organization need access to a printer, the system administrator, instead of assigning the permission to each user (which would be time-consuming and tedious), can put them in a group and assign the permission to the group.

In AD there are different group types and group scopes.

Group Types

Group type categorizes groups based on the kind of task managed within the group. There are two types of groups in AD: security groups and distribution groups. Security groups are created in order to control permissions for access to resources. Distribution groups are used for sending email messages to groups of users.

Group Scopes

The group scope in AD defines the extent to which a group can be applied in a forest. Group scopes are of three types in AD.

Domain local – Groups with this scope have domain-wide access. These groups can have the following as members: user and computer accounts, global groups and universal groups from any domain.

Domain local groups can be used to manage resources within a domain.

Global – This group can have the following as members: accounts or global groups from the same domain as the parent global group.

Global groups can be used to manage objects that undergo frequent changes, because changes made to global group objects are not replicated outside the domain. Replication traffic can therefore be kept under control.

Universal – Membership of this group is open to accounts, global groups and other universal groups from any domain in the forest in which the universal group resides, and access can be granted to resources in trusted domains.

Universal groups can be used in scenarios where users from multiple domains have to be consolidated within the same group.
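The scope and type described above are stored together in the group's groupType attribute as bit flags, which is what the ADUC Attribute Editor shows as a raw signed integer. The following PowerShell is an added example, not code from the original article: it decodes a groupType value into scope and category, and computes the value AD stores for a given scope/category pair. It needs no domain connection; the flag constants are the documented ADS_GROUP_TYPE_ENUM values and the sample values are constructed for illustration.

```powershell
# Added example: decode and build the groupType attribute value that AD stores for a group.
# Flag constants are the documented ADS_GROUP_TYPE_ENUM values; sample inputs are constructed.
Set-StrictMode -Version Latest

$GroupTypeFlags = @{
    Global          = [uint32]0x00000002   # ADS_GROUP_TYPE_GLOBAL_GROUP
    DomainLocal     = [uint32]0x00000004   # ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP
    Universal       = [uint32]0x00000008   # ADS_GROUP_TYPE_UNIVERSAL_GROUP
    SecurityEnabled = [uint32]0x80000000   # ADS_GROUP_TYPE_SECURITY_ENABLED (the sign bit)
}

function ConvertFrom-GroupType {
    <# Map a raw groupType value (as shown in the ADUC Attribute Editor) to scope and type. #>
    param([Parameter(Mandatory)][int]$GroupType)

    # groupType is a signed 32-bit integer; reinterpret it as unsigned so the security
    # bit (0x80000000) can be tested with a plain bitwise AND like the other flags.
    $bits = [uint32]([int64]$GroupType -band 0xFFFFFFFF)

    $scope = if ($bits -band $GroupTypeFlags.Global) { 'Global' }
             elseif ($bits -band $GroupTypeFlags.DomainLocal) { 'DomainLocal' }
             elseif ($bits -band $GroupTypeFlags.Universal) { 'Universal' }
             else { 'Unknown' }

    $category = if ($bits -band $GroupTypeFlags.SecurityEnabled) { 'Security' } else { 'Distribution' }

    [pscustomobject]@{
        GroupType = $GroupType
        Scope     = $scope
        Category  = $category
    }
}

function Get-GroupTypeValue {
    <# Compute the groupType value AD will store for a given scope and category. #>
    param(
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal', 'Universal')][string]$Scope,
        [Parameter(Mandatory)][ValidateSet('Security', 'Distribution')][string]$Category
    )
    [uint32]$bits = $GroupTypeFlags[$Scope]
    if ($Category -eq 'Security') { $bits = $bits -bor $GroupTypeFlags.SecurityEnabled }
    # Return the signed 32-bit form, which is how the attribute is actually stored and displayed.
    return [BitConverter]::ToInt32([BitConverter]::GetBytes($bits), 0)
}

# Constructed sample inputs: the first is the value ADUC assigns to its default choice
# (global security group); the others cover the remaining scope/category combinations.
foreach ($value in -2147483646, -2147483644, -2147483640, 2, 4, 8) {
    ConvertFrom-GroupType -GroupType $value
}
Get-GroupTypeValue -Scope Universal -Category Distribution
Get-GroupTypeValue -Scope DomainLocal -Category Security
```

A practical use of the decoder is auditing: pulling groupType for every group (for instance with Get-ADGroup -Filter * -Properties groupType) and running it through ConvertFrom-GroupType quickly surfaces distribution groups that were expected to be security groups, or universal groups created in a domain where replication of their membership to the global catalog was not intended.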

To create a group object in Active Directory

  • Start -> Administrative Tools -> Active Directory Users and Computers console
  • Right click on the console tree
  • From the menu that pops up choose the option "New"
  • On choosing the option "New" another menu pops up with a list of objects; from that choose "Group"
  • An object creation wizard appears as shown in the figure below; enter a name for the group and choose a scope and type
  • After you have configured the group, click OK
  • On clicking OK the object is created and can be located on the ADUC console tree in its respective container.

Active Directory Group Objects

To delete a group object in AD

  • Open ADUC
  • Right click on the object you intend to delete
  • From the shortcut menu that pops up choose the option "Delete"
  • The object is deleted from Active Directory and no longer appears on the console tree.

To modify a group object in AD

  • Open ADUC and right click on the group object you intend to modify
  • From the shortcut menu that pops up choose the option "Properties"
  • A group object properties dialog box appears with various tabs
  • Navigate through the various tabs and make the necessary changes
  • Click Apply and then OK
  • The modifications are then applied.

Mandatory attributes

Every object has a set of mandatory and optional attributes. Values for the mandatory attributes must be supplied for the object to be created successfully. For example, the mandatory attributes for a group object are groupType, cn, objectCategory, objectClass, and sAMAccountName; the cn and sAMAccountName attributes are unique across a domain and are used to uniquely identify the object across the domain.

To view the mandatory attributes of the group object

  • Right click on the group object in the ADUC console
  • A dialog box appears; from that choose the Attribute Editor tab
  • In the Attribute Editor tab click on the Filter button
  • On clicking the Filter button a submenu with a list of attribute types pops up
  • From the menu choose Mandatory
  • The mandatory attributes of the group object (cn, objectCategory, objectClass, sAMAccountName) and their values are then displayed.

The group object properties dialog box can be used to change or add property values on the group object. To open it, right click on the group object and choose "Properties". The various attributes are grouped under different tabs according to their function.
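The ADUC walkthroughs above (create, view mandatory attributes, modify, delete) map one-to-one onto cmdlets in the ActiveDirectory PowerShell module, which is the form you would use when the same change has to be made repeatably or reviewed in change control. The script below is an added example, not code from the original article. It assumes the RSAT ActiveDirectory module is installed, that the caller has rights on the target OU, and that a domain controller is reachable; the OU distinguished name, group name and member names are placeholders to be replaced, not values from the page.

```powershell
# Added example (not from the original article): the ADUC create / inspect / modify / delete
# steps performed with the ActiveDirectory module. Assumes RSAT is installed and the caller
# has rights on the target OU. $TargetOu and $GroupName are placeholders, not real values.
Import-Module ActiveDirectory -ErrorAction Stop

$GroupName = 'PrinterUsers-Example'            # placeholder group name
$TargetOu  = 'OU=Groups,DC=example,DC=com'     # placeholder OU distinguished name

function New-ExampleGroup {
    <# Create: equivalent of New > Group in ADUC, with name, scope and type chosen explicitly. #>
    param([string]$Name = $GroupName, [string]$Path = $TargetOu)
    # Guard against duplicates: sAMAccountName must be unique in the domain.
    $existing = Get-ADGroup -Filter "sAMAccountName -eq '$Name'"
    if ($existing) {
        Write-Warning "Group '$Name' already exists; skipping creation."
        return $existing
    }
    New-ADGroup -Name $Name -SamAccountName $Name -Path $Path `
        -GroupScope Global -GroupCategory Security `
        -Description 'Users allowed to print on the shared printer' -PassThru
}

function Get-ExampleGroupMandatoryAttributes {
    <# Inspect: the Attribute Editor's "Mandatory" filter, limited to the attributes named in the article. #>
    param([string]$Name = $GroupName)
    Get-ADGroup -Identity $Name -Properties cn, objectCategory, objectClass, sAMAccountName, groupType |
        Select-Object cn, objectCategory, objectClass, sAMAccountName, groupType
}

function Set-ExampleGroup {
    <# Modify: the Properties dialog's General tab (description) and Members tab (membership). #>
    param([string]$Name = $GroupName, [string[]]$Members = @())
    Set-ADGroup -Identity $Name -Description 'Print access for the shared printer'
    if ($Members.Count -gt 0) {
        # Members are given by sAMAccountName, e.g. 'jdoe' (placeholder, not a real account).
        Add-ADGroupMember -Identity $Name -Members $Members
    }
    Get-ADGroupMember -Identity $Name | Select-Object name, objectClass
}

function Remove-ExampleGroup {
    <# Delete: right click > Delete. SupportsShouldProcess gives -WhatIf/-Confirm for free. #>
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Name = $GroupName)
    if ($PSCmdlet.ShouldProcess($Name, 'Remove AD group')) {
        Remove-ADGroup -Identity $Name -Confirm:$false
    }
}

# Walk the lifecycle end to end against the placeholder names above.
New-ExampleGroup | Out-Null
Get-ExampleGroupMandatoryAttributes | Format-List
Set-ExampleGroup -Members @()          # pass -Members 'jdoe' (placeholder) to populate the Members tab
Remove-ExampleGroup -WhatIf            # preview only; drop -WhatIf to actually delete the group
```

Two points worth noting for operations: the duplicate check in New-ExampleGroup is what the ADUC wizard does for you when it refuses a name that is already taken, and Remove-ExampleGroup is deliberately wrapped in ShouldProcess so that deleting a group (which also drops every ACL entry that referenced its SID, with no undo unless the AD Recycle Bin is enabled) is always previewable with -WhatIf before it runs.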
