Connectivity in today's world has become the essence of life and living. A strong and reliable network works as the backbone of any organization.
The concept of networking covers everything from system configuration to maintenance at the different levels of the company. It also deals with the implementation of strategies to secure company resources (data, hardware, software) against unauthorized access. Hence one of the most important aspects is the process of authenticating and authorizing users.
This process becomes a concern when the number of employees in an organization is large. This is where Active Directory, a software technology from Microsoft, eases the administrator's job of network administration. It operates efficiently regardless of the number of employees in the organization. Its special feature is organizing users into different groups and thereby assigning rights to hardware, software and data. These groups are further nested as the organization needs.
This technology treats everything within an organization as an object. These objects are enclosed in a domain. One or more such domains form a tree, and a collection of such trees is called a forest, which forms the outer boundary of Active Directory. How these objects and domains are handled is decided by the group policy and by the scope supported by the operating system.
Managing users on the network is not a simple task. The growing number of employees, the various departments and the different sites all need thoughtful consideration when implementing security policies across the network. Active Directory allows grouping users and then assigning permissions for resources to the group, which means a permission assigned to the group applies to every member of that group. Hence, instead of taking care of individual accounts, an entire group is now handled as a single unit. There are two important points that need to be remembered when creating a group.
Each group has its own scope and type. The scope defines the boundary within which the group exists, and the type determines whether the group is used for granting permissions to resources or simply for sending mail. Groups can be nested; that is, a group can be made a member of another group.
Types of Groups
Security Group
The groups used to grant permission to access resources and to perform functions according to the members' role in the company fall under this category. Their functions may be limited to a particular domain or may extend across domains, or at times across the forest.
The other type, responsible for sending mail across the network to different sets of users, is the Distribution Group. These groups have no access rights to network resources.
Apart from the type, the scope defines the rules that decide who can be a member of the group and which other groups may be nested within it.
Global Group
They consist of users from the domain in which they exist. They can be assigned permissions to objects and resources in any domain in the forest or in trusting domains in other forests, and at times can be delegated authority over objects. For example, this group can consist of the Sales employees or the managers of the Administrative wing.
Universal Group
They are useful for granting permissions to any object in the forest and hence consist of users from any domain. This group is used when nesting groups. Any change to its membership also increases replication. For example, this group may list all managers by nesting global groups within it: under "Managers List", it may contain the global group "Finance managers".
Domain Local Group
They consist of objects, global groups and universal groups from other domains, and they assign permissions for resources belonging to the same domain in which the domain local group exists. This way, all global groups that need to share the same resources can be placed in one domain local group. For example, this group can be used for keeping full control of the Finance data.
Local Group
They can contain members from any group present in other domains and forests. However, when it comes to accessing resources, permissions are assigned to the groups present on that machine only.
The following table defines how users can be organized into the different groups and the characteristics of each group scope in Windows.
Nesting of Groups
Nesting of groups is the concept by which a group can be added as a member of another group. A domain local group does not support group nesting, whereas nesting is best applicable to Universal Groups. In the case of global groups, one global group can be added under another global group from any domain. Also, the members of one global group can be members of a domain local group.
Derek Melber (2006) describes the nesting process in the following manner:
“Users go into Global Groups, Global Groups go into Domain Local Groups, and Domain Local Groups are listed on the Access Control List (ACL) of the resource.” (Derek Melber, 2006)
For Universal Groups, the following rule is applicable:
“Users go into Global Groups, Global Groups go into Universal Groups, Universal Groups go into Domain Local Groups, and Domain Local Groups are listed on the Access Control List (ACL) of the resource.” (Derek Melber, 2006)
Nesting is most effective when it is limited to a single level. As the number of nesting levels increases, tracking permissions becomes more complex.
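The scope and nesting rules above can be checked mechanically. The following is an added example, not code from the article or from Microsoft: a small in-memory model in which every object (the "corp" and "emea" domains, the users, the groups and the "FinanceData" share) is constructed for illustration. It enforces the rules the article states: global groups take users only from their own domain, universal groups take members from any domain, a domain local group grants access only to resources in its own domain, distribution groups carry no access rights, and memberships follow the AGDLP / AGUDLP chain. It also reports the nesting depth, which is what makes deeply nested permissions hard to track.

```python
"""Toy in-memory model of Active Directory group scope, type and nesting.

Added example, not code from the article. All domains, users, groups and the
"FinanceData" share below are constructed sample data.
"""
from dataclasses import dataclass, field

GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "global", "universal", "domain local"
SECURITY, DISTRIBUTION = "security", "distribution"


@dataclass
class User:
    name: str
    domain: str


@dataclass
class Group:
    name: str
    domain: str
    scope: str
    category: str
    members: list = field(default_factory=list)  # names of users or groups


@dataclass
class Resource:
    name: str
    domain: str
    acl: list = field(default_factory=list)  # names of groups granted access


# Which group scope a principal of a given scope may be placed into, following
# the chain users -> global -> (universal) -> domain local -> ACL.
ALLOWED_NESTING = {
    "user": {GLOBAL},
    GLOBAL: {UNIVERSAL, DOMAIN_LOCAL},
    UNIVERSAL: {DOMAIN_LOCAL},
    DOMAIN_LOCAL: set(),  # the chain ends here: domain local groups go on the ACL
}


def scope_of(obj):
    return "user" if isinstance(obj, User) else obj.scope


def add_member(directory, group_name, member_name):
    """Nest member_name in group_name, rejecting placements the scope rules forbid."""
    group, member = directory[group_name], directory[member_name]
    if group.scope not in ALLOWED_NESTING[scope_of(member)]:
        raise ValueError(f"{scope_of(member)} {member_name!r} may not be placed in {group.scope} group {group_name!r}")
    if group.scope == GLOBAL and member.domain != group.domain:
        raise ValueError(f"global group {group_name!r} only takes members from domain {group.domain!r}")
    group.members.append(member_name)


def grant(resource, group):
    """Put a group on the resource ACL; only security groups of a matching domain qualify."""
    if group.category != SECURITY:
        raise ValueError(f"{group.name!r} is a distribution group and carries no access rights")
    if group.scope == DOMAIN_LOCAL and group.domain != resource.domain:
        raise ValueError(f"domain local group {group.name!r} cannot grant access in domain {resource.domain!r}")
    resource.acl.append(group.name)


def effective_groups(directory, user_name):
    """Map every group the user belongs to (directly or by nesting) to its nesting depth."""
    depth = {}
    frontier = [(user_name, 0)]
    while frontier:
        current, d = frontier.pop()
        for obj in directory.values():
            if isinstance(obj, Group) and current in obj.members and obj.name not in depth:
                depth[obj.name] = d + 1
                frontier.append((obj.name, d + 1))
    return depth


def can_access(directory, resource, user_name):
    """True when some group on the ACL contains the user, however deeply nested."""
    return any(name in effective_groups(directory, user_name) for name in resource.acl)


def violates(fn, *args):
    """True if applying fn would break a scope or type rule (nothing changes on failure)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def build_demo():
    """Constructed sample directory that follows the AGUDLP chain quoted in the article."""
    d = {}
    for user in (User("alice", "corp"), User("bob", "corp"), User("carol", "emea")):
        d[user.name] = user
    for grp in (Group("Finance Managers", "corp", GLOBAL, SECURITY),
                Group("EMEA Managers", "emea", GLOBAL, SECURITY),
                Group("All Managers", "corp", UNIVERSAL, SECURITY),
                Group("Managers Mail", "corp", UNIVERSAL, DISTRIBUTION),
                Group("FinanceData Full Control", "corp", DOMAIN_LOCAL, SECURITY)):
        d[grp.name] = grp
    add_member(d, "Finance Managers", "alice")                 # A -> G
    add_member(d, "EMEA Managers", "carol")                    # A -> G (other domain)
    add_member(d, "All Managers", "Finance Managers")          # G -> U
    add_member(d, "All Managers", "EMEA Managers")             # G -> U
    add_member(d, "FinanceData Full Control", "All Managers")  # U -> DL
    share = Resource("FinanceData", "corp")
    grant(share, d["FinanceData Full Control"])                # DL -> ACL
    return d, share


if __name__ == "__main__":
    d, share = build_demo()
    for who in ("alice", "bob", "carol"):
        print(who, "can access FinanceData:", can_access(d, share, who))
    print("nesting depth for alice:", max(effective_groups(d, "alice").values()))
```

Running the script shows alice and carol reaching the share through three nesting levels while bob, who is in no group, is refused. The `violates` helper lets an administrator test a proposed membership or ACL change before applying it: placing carol (domain emea) in the corp global group, nesting a universal group inside a global group, or putting the "Managers Mail" distribution group on the ACL are all rejected.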
Alongside groups there is another concept, the Organizational Unit (OU). Groups ease management in a logical way, whereas an OU relates to the physical application of administrative rules.
As the discussion above shows, organizing users into groups eases the administration work. Active Directory also provides certain built-in groups. These groups have pre-defined functions, rights and permissions for performing tasks. Hence user groups are created based on the task their members perform or the resources they need to access. This rule guides the design of nesting strategies and thereby aids in managing the network effectively and efficiently.
References
Microsoft TechNet, Windows 2000 Server Library. Active Directory Users, Computers, and Groups. http://technet.microsoft.com/en-us/library/bb727067.aspx
Microsoft Official Course 2273B (2005). Managing and Maintaining a Microsoft Windows Server 2003 Environment, Module 3: Managing Groups (Part number X11-48300, pp. 1-12, 29).
Droubi, O., Gardinier, K., Morimoto, R., Noel, M. (2003). Groups in an Active Directory Environment. http://www.informit.com/articles/article.aspx?p=31748&seqNum=7
Microsoft Support (October 2006). Group Type and Scope Usage in Windows. http://support.microsoft.com/kb/231273
IBM (2010). Groups spanning domains with Microsoft Active Directory.
Melber, D. (2006). Authentication, Access Control & Encryption: How to Nest Users and Groups for Permissions. http://www.windowsecurity.com/articles/How-Nest-Users-Groups-Permissions.html