Welcome to the next free video for the free Active Directory training course. This video looks at how groups work in Active Directory.

In a changing environment people come and go, and roles change as companies restructure and people get promoted. Groups allow the administrator to assign permissions once to a resource and easily change who has access to that resource by changing the members of the group. Consider if you created a file share called invoice. Without groups you would need to assign the users directly to the share. With only a few users it is not that hard to manage, but once you add a few more users it starts to get more complex. At present, each time you want to give a new user access you need to modify the permissions on the server. This requires the administrator who is making the change to know the name of the share and the server on which it is located.
Now consider that you have multiple offices around the country and each office has a server with an invoice share on it. Each time a new user requires access or access needs to be removed, the permissions on each share on each server need to be modified. This requires the administrator to know every server that has an invoice share on it and requires them to make changes on each one.

To make things simpler, Active Directory allows you to create groups. A group is like a user or computer account in that it has a security identifier, or SID, associated with it. It is possible to create a group without a security identifier. These are mainly used with software like Exchange to create e-mail distribution groups. In the next video I will look at how these kinds of groups work. Once a group is created it is added to the resource for which you want to control access, just like you would with a user. In this example, imagine that the accounts department requires access to the share. To achieve this you create a group called accounts and give it read and write access to all the invoice shares.
The next point to consider is what would happen if another group of users needed access to the share, for example the sales department. To achieve this, the sales group is created and assigned permissions to all the invoice shares, giving them read and write access.

In a small company this kind of administration works well, and it is best when possible to keep things simple. But let's consider if the company is a lot bigger and there are a lot more servers. It is a simple matter to visit each server and change the permissions, but the process of making the changes is starting to become time consuming. Also, the process requires the administrator to know all the servers that have the share on them, and care must be taken to ensure that every server is updated.
Let's consider what would happen if management decided that the sales department did not require write access and only needed read access. This would require the administrator to visit each server and change the permissions for the sales department. After a flood of calls to the helpdesk from people in the sales department who are not able to do their job, it is decided that they really did need write access to the invoice share. Once again each server needs to be visited and the permissions changed back to what they were. Just after this is done, a request comes through for a new auditing group that will require read access to the invoice shares. Once again, each share needs to be modified and the permissions updated. Weren't groups supposed to make things easier?
There is no solution that will fit every situation, and if you ask 10 different IT administrators how to perform group management you would probably get 11 different answers. Let's start again with this example using a different approach.
This time, instead of assigning the permissions on the share directly to the accounts department, you create a new group called invoice_modify. This group you assign to all the invoice shares, giving it read and write access. Next you simply need to add the accounts group to the invoice_modify group. Placing groups inside other groups like this is called nesting. Once the request comes through for the sales department to have read and write access to the invoice shares, you simply add the sales group to the invoice_modify group. Easy as that, no need to visit each server again. When the request comes through to change the sales group to read only, you create a new group called invoice_read. The invoice_read group is assigned to all the invoice shares with read access. Once this is done, take the sales group out of invoice_modify and put it in invoice_read.
When the request comes through to give the sales group write access to the invoice shares again, all the hard work is already done. All that needs to be done is to move the sales group from invoice_read to invoice_modify. Lastly, when the request comes through to give the audit group read access, this is easy. Since the group invoice_read has already been created and permissions assigned, the audit group is created and added to the invoice_read group.

You can see that using this approach makes administration easier when changes occur. Also, if someone were to ask who had access to the invoice share, you simply need to look at which users are in the invoice_read and invoice_modify groups.

Configuring access like this is called role-based access control. When using this approach, permissions are granted based on the role the user has in the organization. Users are not assigned permissions directly using this approach. Using role-based access control, a user acquires access through their role in the organization. If the user were to change jobs or departments, the roles assigned to that user would change to suit their needs. Using this approach an administrator can quickly make these changes. The administrator also does not require knowledge of how the permissions at the lower level are assigned.

This approach has its advantages but also adds an extra level of complexity to your network. When deciding which approach to use for groups, consider how big your network is and how complex it is. On a small network it is generally not worth the time to create a lot of nested groups. On a large network with a lot of servers, these extra groups will save you a lot of time. In a later video I will discuss group strategy in more detail.

When you start creating groups you should spend some time considering the naming standard that you will use. In this case invoice_read is quite simple, but you could also have a group name such as "invoice share read." In this case I have used spaces rather than underscores. This will work just as well as underscores, but if the group is used in a script the group name will need to be enclosed in quotes. This does make scripting more complex, so a lot of administrators will avoid using spaces. Also consider that if you have an e-mail system like Exchange, these groups can be used inside Exchange as e-mail groups. For example, you could create a group called NewYork_Sales and put all the sales users for New York into this group. If you want to e-mail all the sales staff in New York you simply e-mail this group.
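As an added example that is not from the video, the following PowerShell (ActiveDirectory module) shows the invoice_read / invoice_modify nesting approach described above, together with the point about quoting group names that contain spaces. The OU, NetBIOS domain name, server names and the pre-existing accounts, sales and audit groups are assumptions.

```powershell
# Added example (not from the video): build the invoice_read / invoice_modify
# role groups, grant them on every invoice share once, then nest the department
# groups into them. Assumed placeholders: the Groups OU, the EXAMPLE domain,
# the two share paths, and existing groups named accounts, sales and audit.
Import-Module ActiveDirectory

$ou     = 'OU=Groups,DC=example,DC=com'                  # placeholder OU
$domain = 'EXAMPLE'                                      # placeholder NetBIOS name
$shares = @('\\nyc-fs01\invoice', '\\chi-fs01\invoice')  # placeholder share paths

# 1. Role groups are created once. Domain local scope is an assumption here;
#    the next video covers group scopes in detail.
foreach ($name in 'invoice_read', 'invoice_modify') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $ou)) {
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security -Path $ou
    }
}

# Each role group carries one fixed set of NTFS rights on every invoice share.
$rights = @{ invoice_read = 'ReadAndExecute'; invoice_modify = 'Modify' }

foreach ($share in $shares) {
    $acl = Get-Acl -Path $share
    foreach ($name in $rights.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            "$domain\$name", $rights[$name], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $share -AclObject $acl    # the servers are touched only this once
}

# 2. From here on, every access change is a group membership change in AD.
Add-ADGroupMember -Identity invoice_modify -Members accounts, sales   # read and write
Add-ADGroupMember -Identity invoice_read   -Members audit             # read only

# Sales drops to read only: move the group between roles, leave the ACLs alone.
Remove-ADGroupMember -Identity invoice_modify -Members sales -Confirm:$false
Add-ADGroupMember    -Identity invoice_read   -Members sales

# 3. "Who can write to the invoice shares?" Expand the nesting to the users.
Get-ADGroupMember -Identity invoice_modify -Recursive | Select-Object SamAccountName

# A name with spaces works just as well, but must be quoted in a script:
# Get-ADGroupMember -Identity 'invoice share read' -Recursive
```

Reversing the read-only change later is the same two membership cmdlets in the other direction, which is the point of the approach.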
For each office you could add a group for the sales users in that office. These groups could also be put into another group called USA_Sales. If you had an office in the UK you could create a group called UK_Sales. Both these groups could be put into another group called All_Sales_Employees. Since each location would know which employees belong in their local sales group, a local administrator in each area would be the best choice to make sure this group is kept up to date. With correct group management and forethought you can make your administration a lot easier and save yourself a lot of headaches later on.

There are a number of different types of groups in Active Directory. Each group has a different scope, and thus there are advantages and disadvantages to using each type of group. In the next video I will look at the different types of groups that Active Directory has to offer and the scopes these groups have. The type of group that you select determines which domain or domains will have access to that group and also the replication that will be used for that group.

Thanks for watching another free video in this free Active Directory course. For the latest videos please subscribe to us on YouTube or like us on Facebook. See you next time.