Creating and Maintaining Active Directory Objects - group accounts

Exam: Microsoft 70-640 - Windows Server 2008 Active Directory, Configuring

Automate Creation of Active Directory Accounts

Active Directory Group Accounts

Since the very early days of the Microsoft server operating system, groups have been used to make network permissions easier to administer. Groups are implemented to allow administrators to assign permissions to multiple users simultaneously. A group can be defined as a collection of user or computer accounts that is used to simplify the assignment of permissions to network resources.

Group memberships act like memberships in a physical fitness center. Suppose the fitness center offers several different membership levels and associated privileges. For example, if you simply want to use the weight machines, treadmills, and stationary bicycles, you pay for a first-level membership. If you wish to use the swimming pool and spa privileges, you pay for the second level. You assume that when you purchase your membership level, you receive an access card that allows you to enter the parts of the building where these activities take place. This card contains a magnetic strip that is read at the door of the facility. If your card does not contain the appropriate permissions, access to that part of the building is denied. Similarly, all members who belong to a particular membership level receive the same benefits. The access card for your fitness center serves as proof that you have paid for certain usage privileges.

In Windows Server 2008, group membership functions in much the same way as the aforementioned health club membership. Logging on for the first time, a user gets an access token, which identifies their group membership and access level. The token verifies the user's identity and confirms their permissions to access resources, either local or network-based. By using groups, multiple users can be given the same permission level for resources on the network. Suppose, for example, that you have 25 users in the graphics department of your company who need access to print to a color printer. Either you can assign each user the appropriate printing permissions for the printer, or you can create a group containing the 25 users and assign the appropriate permissions to the group. By using a group object to access a resource, you have accomplished the following:

  • Users who need access to the printer can simply be added to the group. Once added, the user receives all permissions assigned to this group. Similarly, you can remove users from the group when you no longer wish to allow them access to the printer.
  • The users' level of access for the printer needs to be changed only once for all users. Changing the group's permissions changes the permission level for all group members. Without the group, all 25 user accounts would need to be modified individually.

A user can belong to more than one group. Moreover, groups can contain other Active Directory objects, including computers and other groups. The latter is called group nesting: placing one group inside another, larger group. For example, consider a company that has two departments, marketing and graphic design. A group object is created for each, and each group object contains the users in its respective department. Graphic design group members have access to a high-resolution color laser printer that the marketing personnel also use. To simplify the assignment of permissions for the color laser printer to the marketing group, the marketing group object can simply be added as a member of the graphic design group. This gives the marketing group members the same permission to the color laser printer as the members of the graphic design group. When you add the marketing group to the graphic design group, the users who are members of the marketing group also become members of the graphic design group by way of nested membership.
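The nesting described above, as an added PowerShell example that is not part of the study guide: it creates the two department groups, nests Marketing inside GraphicDesign, and then checks both the direct and the effective (transitive) membership of one user. It assumes the ActiveDirectory module (shipped with Windows Server 2008 R2 / RSAT), a domain functional level of at least Windows 2000 native so that global groups may be nested, and placeholder names (`contoso.com`, the `Departments` OU and the user `jdoe`) that you would replace with your own.

```powershell
# Added example (not from the study guide). Assumes the ActiveDirectory module,
# an existing OU=Departments,DC=contoso,DC=com, and a user named jdoe.
Import-Module ActiveDirectory

$ou = "OU=Departments,DC=contoso,DC=com"

# Both are global security groups: only security groups can carry
# resource permissions such as the printer ACL discussed in the text.
New-ADGroup -Name "Marketing"     -GroupScope Global -GroupCategory Security -Path $ou
New-ADGroup -Name "GraphicDesign" -GroupScope Global -GroupCategory Security -Path $ou

# jdoe is a direct member of Marketing only.
Add-ADGroupMember -Identity "Marketing" -Members "jdoe"

# Nesting: the whole Marketing group becomes a member of GraphicDesign.
Add-ADGroupMember -Identity "GraphicDesign" -Members "Marketing"

# Direct membership: lists Marketing (plus Domain Users) but not GraphicDesign.
"--- direct membership of jdoe ---"
Get-ADPrincipalGroupMembership -Identity "jdoe" | Select-Object -ExpandProperty Name

# Effective membership: the LDAP_MATCHING_RULE_IN_CHAIN matching rule
# (OID 1.2.840.113556.1.4.1941) walks the member attribute transitively,
# so GraphicDesign now appears as well. This is what ends up in the
# user's access token and therefore what the printer ACL evaluates.
"--- effective (nested) membership of jdoe ---"
$userDn = (Get-ADUser -Identity "jdoe").DistinguishedName
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" |
    Select-Object -ExpandProperty Name
```

Nesting also means that removing a user from Marketing silently revokes the printer access inherited through GraphicDesign, so when auditing who can reach a resource, always resolve membership transitively as the second query does rather than reading the group's `member` attribute alone.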

When configuring groups on a Windows Server 2008 network, be aware of two defining characteristics: group type and group scope. Group type defines how a group is to be used within Active Directory. Only two group types can be created and stored in the Active Directory database:

  • Distribution groups. Non-security-related groups created for the distribution of information to one or more persons.
  • Security groups. Security-related groups created for the purpose of granting resource access permissions to multiple users.

Active Directory-aware applications can use distribution groups for non security-related functions. For example, a distribution group might be created to allow an email application, such as Microsoft Exchange, to send messages to multiple users or allow a software distribution program, such as Microsoft System Center Configuration Manager 2007, to inform users of upcoming maintenance on their desktops. Only applications that are designed to work with Active Directory can make use of distribution groups in this manner.
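The two group types side by side, as an added PowerShell example that is not part of the study guide. It creates one distribution group and one security group, shows that both are stored in the same `groupType` attribute with the security flag (`0x80000000`, `ADS_GROUP_TYPE_SECURITY_ENABLED`) distinguishing them, and converts the distribution group to a security group. The OU path and the group names are placeholders of my own.

```powershell
# Added example (not from the study guide). Assumes the ActiveDirectory module
# and an existing OU=Departments,DC=contoso,DC=com.
Import-Module ActiveDirectory

$ou = "OU=Departments,DC=contoso,DC=com"

# Distribution group: an e-mail or software-distribution application can target
# it, but it is never placed in a user's access token, so an ACE granted to it
# has no effect on resource access.
New-ADGroup -Name "Maintenance-Notices" -GroupScope Universal `
            -GroupCategory Distribution -Path $ou

# Security group: placed in the access token, so it can be granted permissions
# (it can additionally be mail-enabled if the mail system supports that).
New-ADGroup -Name "ColorPrinter-Users" -GroupScope Global `
            -GroupCategory Security -Path $ou

# Both types live in the groupType attribute. Bit 0x80000000 marks a
# security-enabled group; the low bits (2 = global, 4 = domain local,
# 8 = universal) encode the scope.
$securityEnabled = 0x80000000

Get-ADGroup -Filter * -SearchBase $ou -Properties groupType |
    ForEach-Object {
        [PSCustomObject]@{
            Name       = $_.Name
            Category   = $_.GroupCategory
            Scope      = $_.GroupScope
            GroupType  = ('0x{0:X8}' -f ([int64]$_.groupType -band 0xFFFFFFFF))
            IsSecurity = (([int64]$_.groupType -band $securityEnabled) -ne 0)
        }
    } | Format-Table -AutoSize

# The type can be changed later without recreating the group; after this
# the group can be used in ACLs and will appear in members' tokens at
# their next logon.
Set-ADGroup -Identity "Maintenance-Notices" -GroupCategory Security
```

When reviewing permissions, filter on the security flag as the table above does: a distribution group that somebody has added to an ACL grants nothing today, but a later conversion to a security group would make that ACE live without anyone touching the resource.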