Active Directory Security Groups
Security groups allow the aggregation of users for the purpose of simplifying the provisioning of access across an IT infrastructure. In addition, in Windows they can also be used to filter group policy settings.
Group Usage
Administrators can collect a large number of users, computers, and other security groups into a security group and grant the appropriate permissions on various IT resources (such as files, folders, and Active Directory objects) to that security group, thereby provisioning access collectively for all of its members.
Group Scopes
The notion of a scope is integral to the use of security groups. A group's scope determines the extent to which the group can be nested in other groups or specified in DACLs on resources in an Active Directory domain or forest.
In a Windows Server based IT infrastructure running on Active Directory, a security group can have one of the following four scopes, and the use of these security groups for provisioning access is subject to the following scope and membership restrictions –
Builtin security groups are commonly referred to as Builtin Local security groups because they can only be used to grant access to resources that are local to the machine that holds them, and they can include as members security principals (users, computers and security groups) from any domain in the forest.
Domain Local security groups can be used to grant access to any resource on any computer joined to the Active Directory domain to which the security group belongs, and they can include as members security principals (users, computers and security groups) from any domain in the forest to which the security group belongs.
Global security groups can be used to grant access to any resource on any computer joined to any Active Directory domain in the forest to which the security group belongs, but they can only include as members security principals (users, computers and security groups) from the domain to which the security group belongs.
Universal security groups can be used to grant access to any resource on any computer joined to any Active Directory domain in the forest to which the security group belongs, and they can include as members security principals (users, computers and security groups) from any domain in the forest.
Viewing Group Memberships
It is a good security practice to review group memberships frequently, because groups are so widely used to provision access to multiple IT resources and because effective group memberships can change often, especially when they are managed by multiple administrators.
There are numerous ways to view the group membership of Active Directory groups –
You can use Microsoft's Active Directory Users and Computers Snap-in
You can script LDAP queries to generate group membership reports
You can use a free Microsoft-endorsed Active Directory reporting tool
NOTE: The details of transitive group membership evaluation are currently outside the scope of this website.
Generating Group Membership Reports
IT administrators are often tasked with generating group membership reports, either for internal audits or to demonstrate regulatory compliance. In certain cases, direct group membership reports suffice, and in other cases, there may be a need to determine and include transitive group memberships.
When enumerating Active Directory security group memberships, the way group memberships are represented in Active Directory's underlying database matters: for any group that could have a universal group as a member, IT admins should ensure that group membership queries are targeted at a domain controller that belongs to the group's domain and that is also a Global Catalog.
To generate an accurate report that documents the membership of a security group, you can –
Write a script that correctly queries Active Directory and prints a membership report
Use a free and automated Active Directory reporting tool to generate group membership reports
NOTE: The details of transitive group membership evaluation are currently outside the scope of this website.
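The following script is an added example, not code from the original page: it produces the direct membership report described above and, as a step beyond the page's text, a transitive (recursive) one as well. It assumes the RSAT ActiveDirectory PowerShell module and, following the note above, discovers a domain controller in the group's own domain that is also a Global Catalog and sends every query to it; cross-domain member lookups go to that server's GC port (3268). The group name, domain and output path are parameters with placeholder defaults.

```powershell
# Added example (not from the original page). Membership report for one AD
# security group, queried against a GC in the group's own domain.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string] $GroupName,                 # e.g. 'Finance-Admins' (placeholder)
    [string] $Domain  = (Get-ADDomain).DNSRoot,                 # domain the group belongs to
    [string] $OutFile = ".\$GroupName-membership.csv"
)

# 1. Locate a DC of the group's domain that also hosts the Global Catalog.
$gc      = Get-ADDomainController -Discover -DomainName $Domain -Service GlobalCatalog
$server  = [string]$gc.HostName          # LDAP port: this domain's full replica
$gcPort  = "$server`:3268"               # GC port: partial replica of every domain in the forest

$group = Get-ADGroup -Identity $GroupName -Server $server -Properties GroupScope, member
Write-Host ("Group {0} ({1}) has {2} direct member(s)" -f $group.Name, $group.GroupScope, $group.member.Count)

# 2. Direct members: one row per DN in the 'member' attribute. Members that live in
#    another domain (e.g. a universal group nested here) are only resolvable through
#    the GC port, which is why the discovered server had to be a GC.
$rows = foreach ($dn in $group.member) {
    $obj = Get-ADObject -Identity $dn -Server $gcPort -Properties objectClass, objectSid, groupType
    $scope = if ($obj.ObjectClass -eq 'group') {
        # groupType bit flags: 0x2 global, 0x4 domain local, 0x8 universal
        switch ($obj.groupType -band 0xE) { 2 {'Global'} 4 {'DomainLocal'} 8 {'Universal'} default {'Unknown'} }
    } else { '' }
    [pscustomobject]@{
        Group      = $group.Name
        Membership = 'Direct'
        Member     = $obj.Name
        Class      = $obj.ObjectClass
        Scope      = $scope
        DN         = $dn
        SID        = $obj.objectSid.Value
    }
}

# 3. Transitive members: every user/computer reachable through nested groups.
#    -Recursive flattens nesting and returns only non-group principals. Known
#    limits: it errors on members from trusted forests (foreign security
#    principals) and ADWS caps results at 5000 entries unless reconfigured.
try {
    $rows += Get-ADGroupMember -Identity $group -Server $server -Recursive |
        ForEach-Object {
            [pscustomobject]@{
                Group      = $group.Name
                Membership = 'Transitive'
                Member     = $_.Name
                Class      = $_.objectClass
                Scope      = ''
                DN         = $_.DistinguishedName
                SID        = $_.SID.Value
            }
        }
} catch {
    Write-Warning "Recursive enumeration failed (often a foreign security principal): $_"
}

# 4. Flag members that came from a different domain than the group itself; these
#    are the entries that a non-GC query would have returned as bare DNs.
$groupDomainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
foreach ($r in $rows) {
    if ($r.DN -and -not $r.DN.EndsWith($groupDomainDn, [System.StringComparison]::OrdinalIgnoreCase)) {
        Write-Host ("  cross-domain member: {0} ({1})" -f $r.Member, $r.DN)
    }
}

$rows | Sort-Object Membership, Member | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Report written to $OutFile"
```

Run it as `.\Get-GroupMembershipReport.ps1 -GroupName 'Finance-Admins'` from a domain-joined machine with RSAT installed. The Direct rows are what an auditor compares against a change ticket; the Transitive rows are the set of accounts that actually receive whatever the group has been granted, which is the number that matters when reviewing access.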
Identifying Group Usage
It is equally important to review frequently everywhere a security group is being used to protect IT resources, both on network shares and in Active Directory itself. Periodically reviewing the use of security groups on Active Directory objects is in fact very important, because Active Directory is the focal point of administrative delegation in Windows Server based IT infrastructures.
To identify everywhere a security group might be in use in Active Directory, you can –
Write scripts that query Active Directory and report where the group is used
Use a free or licensable 3rd party Active Directory reporting tool
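The script below is an added example, not code from the original page, of the first option: it walks a subtree of Active Directory, reads each object's DACL through the `AD:` PSDrive that the ActiveDirectory module provides, and reports every ACE granted to the group; optionally it does the same for a list of share paths. Matching is done on the group's SID rather than its display name so a renamed group is still found. The group name, search base and share paths are parameters with placeholder defaults.

```powershell
# Added example (not from the original page). Reports where a security group
# appears in DACLs, on AD objects and optionally on shared folders.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string] $GroupName,                        # e.g. 'Finance-Admins' (placeholder)
    [string]   $SearchBase = (Get-ADDomain).DistinguishedName,         # narrow this for large domains
    [string[]] $SharePaths = @(),                                      # e.g. '\\fs01\finance' (placeholder)
    [switch]   $IncludeInherited                                       # by default report only explicit ACEs
)

$group   = Get-ADGroup -Identity $GroupName
$targetSid = $group.SID.Value

# Resolve an ACE's identity to a SID string; unresolvable entries already are SIDs.
function Get-AceSid([System.Security.Principal.IdentityReference] $id) {
    try   { $id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }
}

# 1. Active Directory objects. Inherited ACEs repeat the parent's grant on every
#    child, so they are skipped unless -IncludeInherited is given.
$adHits = Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope Subtree |
    ForEach-Object {
        $dn = $_.DistinguishedName
        try { $acl = Get-Acl -Path "AD:\$dn" } catch { Write-Warning "Cannot read ACL of $dn"; return }
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }
            if ((Get-AceSid $ace.IdentityReference) -ne $targetSid) { continue }
            [pscustomobject]@{
                Location  = 'AD'
                Object    = $dn
                Type      = $ace.AccessControlType
                Rights    = $ace.ActiveDirectoryRights
                # Object-specific rights (extended rights, property sets) carry a GUID;
                # an empty GUID means the right applies to the whole object.
                ObjectType = $ace.ObjectType
                Inherited = $ace.IsInherited
            }
        }
    }

# 2. Shared folders (NTFS DACL on the share's UNC path), same matching rule.
$shareHits = foreach ($path in $SharePaths) {
    try { $acl = Get-Acl -Path $path } catch { Write-Warning "Cannot read ACL of $path"; continue }
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited -and -not $IncludeInherited) { continue }
        if ((Get-AceSid $ace.IdentityReference) -ne $targetSid) { continue }
        [pscustomobject]@{
            Location   = 'Share'
            Object     = $path
            Type       = $ace.AccessControlType
            Rights     = $ace.FileSystemRights
            ObjectType = ''
            Inherited  = $ace.IsInherited
        }
    }
}

$hits = @($adHits) + @($shareHits)
Write-Host ("{0} ({1}) is referenced by {2} ACE(s)" -f $group.Name, $targetSid, $hits.Count)
$hits | Format-Table Location, Object, Type, Rights -AutoSize
```

Scanning a whole domain with `-Filter *` can take a long time; start with the OUs that hold delegated objects (user and computer containers, OU structure, AdminSDHolder's protected objects) and widen from there. Entries whose Rights include WriteDacl, WriteOwner, GenericAll or an extended right on an OU or container are the ones to examine first when reviewing delegation, because they let the group's members change access for every object beneath.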