Some organizations do not have a structured approach for Active Directory group management and are often faced...
with massive group proliferation. With this in mind, you can see why AD group documentation begins to be important.
Here is an example: Admin A creates an Active Directory group for a specific purpose and places users in this group. Admin B does not know about this group and -- just to be safe -- will create a new group for the same purpose.
One of the best ways to start a good group strategy in any network environment is never to assign permissions to individual users. Always assign permissions to groups instead. Why? Because you want to simplify your job. If you've assigned permissions to a group, all you need to do to assign them to another person is to add that person to that group — not perform the permissions assignment all over again.
But if you want this strategy to work, you'll need to have complete documentation of each of the groups created in your directory. If you do not have this documentation, now is a great time to create it.
Documentation should include different information, such as the party who is responsible for the group, a group description, the purpose of the group and so on. This information should be available to all administrative people at all times. If you add the documentation to the group itself, then it will be there.
Active Directory simplifies group management
With the arrival of Active Directory, group management has been simplified because the group object supports several new properties that can assist you in your Active Directory group management process: description, notes, managed by information and so on. These fields allow you to document your groups at the same time as you create them.
Windows Server 2003 supports two types of groups:
- Security groups — Can be used to assign access rights and permissions, as well as email addresses.
- Distribution groups — Not security enabled, can be used in conjunction with email applications or software distribution applications.
Windows Server 2003 supports several different group scopes that are determined by group location. The scope may be local, domain or forest. But the last two have an impact on group functionality. If you have a Windows Server forest in a full functional mode, there are three group scopes:
- Domain local groups — Include user and computer accounts, other domain local groups, global groups and universal groups.
- Global groups — Include accounts and other global groups from within the same domain.
- Universal groups — Include accounts, global groups, and universal groups from anywhere in the forest or even across forests if a trust exists. But, in actual fact, in Active Directory, you should only place users within global groups.
An Active Directory group management strategy is essential to the operation of an enterprise network. You can use the AGLP rule to create and manage groups in AD. AGLP means "Accounts go in Global groups, global groups go in Local groups, and local groups are assigned Permissions" (see Figure 1).
Figure 1: The new AGLP rule
Domain local groups
Note that domain local groups are seldom used in this strategy. They are local only to domains and should be used with alacrity. If you are assigning permissions to a directory object, then use a domain local group.
This is necessary only if you intend to also assign these permissions to universal groups. But when you assign permissions to a local object on an end point, such as a member server, you do not use a domain local group but rather a local group that is stored in the member server's Security Accounts Manager database. Then, place the appropriate global groups within this local group.
The AGLP strategy is based on the same idea as the group scopes:
In addition to those rules, you should rely on other guidelines to build a strong group management practice. All groups have to be standardized. They must include detailed descriptions and additional notes. Group managers should be identified for each group.
Global groups contain only users.
Local groups contain only other global or universal groups.
End-point permissions are assigned only to local groups. Directory permissions are assigned to domain local groups.
Universal groups contain only global groups.
Management staff should be trained to understand and use these rules, and to recognize that the purpose of each group should be verified on a regular basis. And finally, a group usage report tool should be in place to provide regular group content updates.
Using these AD group management rules and guidelines, you can build a strong group management strategy. This will help you avoid the proliferation of groups, which is one of the most common problems organizations who use Active Directory face on a regular basis. For example, one organization we ran into had more groups than users in its directory -- by a significant number.
Don't fall into that trap. Control your AD groups tightly and eliminate group proliferation once and for all.
Danielle Ruest and Nelson Ruest are IT professionals specializing in systems administration, migration planning, software management and architecture design. They have written several books and are currently working on the Definitive Guide to Vista Migration for Realtime Publishers as well as the Complete Reference to Windows Server Codenamed "Longhorn" for McGraw-Hill Osborne. They have extensive experience in systems management and operating system migration projects.