2. Group Types
Network Design & Administration
• When defining a group, you need to consider its type.
• The type dictates what the group can and cannot do (i.e. whether it can carry security permissions at all).
• Two basic types of Active Directory group:
• Security groups
• Distribution groups
• (Authorization Manager adds two application group types of its own, basic application groups and LDAP query groups, but these are AzMan objects rather than Active Directory group types.)
• Administrators mostly use security groups: a security group is security-enabled, so it can appear in an ACL and in a user's access token, and is used to specify what permissions its members have when interacting with a resource.
• Distribution groups are not security-enabled and cannot be granted permissions; they are used where no access control is required (e.g. used extensively in MS Exchange Server for sending e-mail to a list of recipients).
3. Groups Scope
• Groups have a scope.
• Depending on its scope, a group can be granted permissions to different extents in the domain structure, and can accept different kinds of member.
• There are three scopes:
• Domain Local
• Global
• Universal
• What a scope can do is affected by the functional level of the domain in which the group exists (e.g. universal security groups and group nesting need at least Windows 2000 native).
• The functional level of a domain is set by an administrator, but can only be raised as far as the oldest version of Windows Server running as a domain controller in that domain allows.
• The domain functional levels in turn bound the forest functional level: a forest can only be raised to a level that every domain in it has already reached.
4. Domain Functional Levels[1]
• Limits what functionality domain controllers offer within the domain.
• All functional levels provide the default Active Directory Domain Services feature set plus additional features depending on the operating system.
Functional Level: Features[1]
Windows 2000 Native: universal groups enabled for distribution and security groups; group nesting; group conversion (security to distribution and back, global to universal and back); SID history.
Windows Server 2003: domain controller rename; lastLogonTimestamp attribute; userPassword can be set on inetOrgPerson / User objects; redirectable Users and Computers containers; Authorization Manager policies stored in AD; constrained delegation; selective authentication.
Windows Server 2008: Distributed File System replication of SYSVOL; Advanced Encryption Standard (AES 128/256) for Kerberos; last interactive logon information; fine-grained password policies.
Windows Server 2008 R2: authentication mechanism assurance; automatic SPN management for managed service accounts. (The Active Directory Recycle Bin is a forest functional level feature, see the next slide.)
5. Forest Functional Levels[1]
• Domain functional levels bound the forest functional level: every domain in the forest must already be at a level before the forest can be raised to it.
• Each Server version adds more features to basic forest functionality.
Forest Functional Level: Features[1]
Windows 2000: default AD feature set.
Windows Server 2003: forest trust; domain rename; linked-value replication; ability to deploy read-only domain controllers (RODC); improved Knowledge Consistency Checker (KCC) algorithms; dynamic objects; deactivation and redefinition of attributes and classes in the schema.
Windows Server 2008: no additional forest-level features, but every domain subsequently added to the forest defaults to the Windows Server 2008 domain functional level instead of Windows Server 2003.
Windows Server 2008 R2: Active Directory Recycle Bin.
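A check worth running before touching a functional level, as an added PowerShell example that is not part of the lecture notes: it reports the current domain and forest modes and the operating system of every domain controller, because the level can only be raised as far as the oldest DC allows. It assumes the ActiveDirectory module (RSAT, or Windows Server 2008 R2 and later) and a logon with domain administrator rights.

```powershell
# Added example, not from the lecture notes. Assumes the ActiveDirectory
# module is available and you are logged on as a domain administrator.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain {0} is at functional level {1}" -f $domain.DNSRoot, $domain.DomainMode
"Forest {0} is at functional level {1}" -f $forest.Name, $forest.ForestMode

# The level can only be raised as far as the oldest DC allows, so list every
# DC in the domain with its operating system, oldest first.
Get-ADDomainController -Filter * -Server $domain.DNSRoot |
    Select-Object HostName, OperatingSystem, IsGlobalCatalog, IsReadOnly |
    Sort-Object OperatingSystem |
    Format-Table -AutoSize

# Raising a functional level is effectively one-way, so rehearse with -WhatIf.
# Drop -WhatIf only once every DC listed above runs Windows Server 2008 R2 or
# later; the forest can only follow once every domain in it has been raised.
Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain -WhatIf
Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -WhatIf
```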
6. Group Scope Revisited![2]
• Scope can be domain local, global, or universal.
Group scope: Membership can include [2] / Can be used to [2]
Domain Local
  Membership: user accounts from any domain in the forest; global groups or universal groups from any domain in the forest; user accounts or global or universal groups from any domain in a trusted forest; nested domain local groups from the local domain.
  Use: assign access to resources only in the local domain, on all servers in the domain running Windows Server 2000/2003/2008.
Global
  Membership: user accounts from the domain where the group is created; nested global groups from the same domain.
  Use: assign access to resources in all domains in the forest or in trusting domains of other forests; on member servers running Windows Server.
Universal
  Membership: user accounts from any domain in the forest; global groups from any domain in the forest; nested universal groups from any domain in the forest.
  Use: assign access to resources in all domains in the forest or between trusted forests; on all servers running Windows 2000 or later.
7. Why?
• Allows different groups different degrees of permission when nested within each other.
• Different sorts of objects are allowed membership of different group scopes.
• Remember, this applies to security groups. Distribution groups, as mentioned previously, only matter to directory-aware applications (e.g. MS Exchange).
• Since a security group can also be mail-enabled and used as a distribution list, administrators often don't bother with the latter.
8. Domain Local Groups
• Available even at lower domain functional levels.
• Typically the group that is assigned permissions on a resource (e.g. a shared folder or printer).
• Granting to a domain local group, rather than to users directly, is what makes group nesting easy.
• Can also be used to group users from the same domain who need the same permissions on a resource in the same domain.
• Can only be used to assign permissions to resources in the domain in which they were created (hence "domain local").
• See the table for permitted membership.
9. Global groups
• Often used to gather users or computers in the same domain with the same role or function, or with similar access requirements.
• Can only include members from within their own domain (including other global groups from the same domain).
• Can be granted permissions on resources in any domain in the forest and in trusting domains in other forests.
• Their membership is not replicated to the global catalogue (only the group object itself is), so membership changes stay within the domain and create no global catalogue replication traffic.
• Use them for objects that change frequently (e.g. user or computer accounts).
10. Universal groups
• Used mainly to grant access to related resources in multiple domains.
• e.g. if executives need access to printers throughout the network.
• Mainly used to consolidate groups that span multiple domains; unnecessary in single-domain networks.
• Universal group membership is replicated to every global catalogue server in the forest, so membership changes are comparatively expensive.
• Best practice:
• Create a global group in each domain for the user or computer accounts, then a universal group that contains the global groups.
• Keeps replication traffic down, since the universal group's membership (a handful of global groups) changes infrequently, while the churn happens inside the global groups.
11. Global & Domain Local Groups - Planning
1. Create domain local groups for shared resources (e.g. a group for a set of colour printers).
2. Assign resource permissions to the domain local group (e.g. whatever permissions are needed to use the printers).
3. Create global groups for users with common roles (e.g. Accounts or Sales).
4. Add the global groups to the appropriate domain local groups (e.g. to give Sales access to the specialist printers).
This is the AGDLP pattern: Accounts go into Global groups, which go into Domain Local groups, which are granted the Permissions.
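The four planning steps as one AGDLP script, added here as an example and not taken from the lecture notes. The OU, group names, folder path and user names are assumptions, and a shared folder stands in for the printers so that step 2 can be done with Get-Acl/Set-Acl. It needs the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT) plus rights to create groups and to change the folder's ACL.

```powershell
# Added example, not from the lecture notes. All names and paths are assumptions.
Import-Module ActiveDirectory

$ou       = "OU=Groups,DC=example,DC=com"      # assumed OU that holds the groups
$resource = "D:\Shares\PrinterQueues"           # assumed folder standing in for the resource
$dlGroup  = "DL_PrinterQueues_Modify"           # domain local group: resource + access level
$roles    = @{ "G_Sales" = @("jsmith", "aturner"); "G_Accounts" = @("bpatel") }  # assumed accounts
$domainNB = (Get-ADDomain).NetBIOSName

# 1. Domain local group for the shared resource
New-ADGroup -Name $dlGroup -GroupScope DomainLocal -GroupCategory Security `
    -Path $ou -Description "Modify access to $resource"

# 2. Grant the permission to the domain local group, never to users directly.
#    ContainerInherit + ObjectInherit makes the ACE flow down to subfolders and files.
#    (On a multi-DC domain the new group's name may take a moment to resolve.)
$acl  = Get-Acl -Path $resource
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$domainNB\$dlGroup", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $resource -AclObject $acl

# 3. Global groups for the roles, each populated with the accounts in that role
foreach ($role in $roles.Keys) {
    New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path $ou
    Add-ADGroupMember -Identity $role -Members $roles[$role]
}

# 4. Nest the role group in the resource group; only Sales gets these printers
Add-ADGroupMember -Identity $dlGroup -Members "G_Sales"

# Check: expand the nesting to see which accounts actually end up with Modify access
Get-ADGroupMember -Identity $dlGroup -Recursive | Select-Object SamAccountName, objectClass
```

Step 2 is the only place the resource is touched; from then on, giving or removing access is purely a matter of group membership, which is the point of the pattern.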
12. Permissions
• A permission is a right granted to a user, group or computer to perform a particular action on, or to access, a particular resource.
• Windows Server 2008 has many different sorts of permissions; the most visible are:
• File-system – access to files & folders under NTFS.
• Share – access to file and printer shares.
• AD – access to Active Directory objects.
• Registry – access to registry keys.
• They are all separate, each with its own ACL editor, and are evaluated independently: for a user coming in over the network, both the share permission and the NTFS permission must allow the operation.
13. Access Control Lists (ACL)
• An Access Control List is attached to the object being accessed (the file, folder, AD object or key), not to the subject accessing it.
• It lists the security principals (users, groups, computers, etc.) that may access the object.
• It also lists which operations each of them may perform on the object.
• The list is made up of Access Control Entries (ACEs): each names a security principal and the permissions it has been granted (or denied).
• Example:
/home/cmp3robinj/
[ACL] Access Control Entry
(cmp3robinj, read)
(cmp3robinj, write)
(cmp3robinj, create)
(cmp3robinj, delete)
(admins, read)
(admins, write)
14. NTFS Permissions
• For most NTFS files and folders the Standard permissions are enough:
• Read, Read & Execute, Write, Modify, List Folder Contents, Full Control.
• Occasionally finer control is needed, using the 14 NTFS Special permissions.
• The Standard permissions are just convenient groupings of the most frequently used sets of Special permissions.
• There are slight differences when permissions are applied to a file rather than a folder (and List Folder Contents obviously does not apply to files).
15. Example Permissions
[Screenshot: Security tab of a folder's Properties dialog]
• Creator Owner is a 'special identity' rather than a real account; it is discussed again later.
• Permissions can be explicitly Allowed or Denied.
• Note: in this case the list gives Users only Read & Execute, List Folder Contents and Read.
16. Access to Special Permissions
[Screenshot: Advanced Security Settings dialog for a folder]
• Note that permissions can be inherited from higher folders (not applicable at the root of a drive such as C:).
• To make more detailed changes, edit an individual ACE.
17. Example Permissions Breakdown
"Read & Execute" is composed of the Special permissions:
List Folder/Read Data
Read Attributes
Read Extended Attributes
Read Permissions
Synchronise
Traverse Folder/Execute File
Traverse Folder/Execute File lets security principals move through folders they cannot otherwise access to reach the folders or files they are allowed to access. Without it, the remaining five make up the "Read" Standard permission.
18. Inheritance Rules for
Permissions
• By default, subordinate objects inherit the permissions possessed by their parent.
• e.g. if a user is granted permission on the root of a drive, they have the same permission on all files and subfolders beneath it.
• Inheritance can be counteracted by either:
• Turning off inheritance on the child (when working with Special permissions); Windows then offers to copy the inherited ACEs as explicit ones or to remove them.
• Denying permissions explicitly.
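Both ways of counteracting inheritance on a throwaway folder tree, as an added PowerShell example that is not part of the lecture notes. It builds the tree under %TEMP%, grants an inheritable ACE at the top, then breaks inheritance on one subfolder and adds an explicit Deny on the other. The folder names are assumptions; the current user is used as the principal so it runs on any Windows machine, domain-joined or not.

```powershell
# Added example, not from the lecture notes. Folder names are assumptions.
$root      = Join-Path $env:TEMP "acl-demo"
$protected = Join-Path $root "Protected"   # inheritance will be switched off here
$denied    = Join-Path $root "Denied"      # an explicit Deny will be added here
New-Item -ItemType Directory -Path $protected, $denied -Force | Out-Null
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

function Show-Dacl([string]$Path) {
    # Print each ACE with whether it is inherited or set on this object
    "--- $Path"
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
        Format-Table -AutoSize | Out-String
}

# Grant Read & Execute at the root with ContainerInherit + ObjectInherit: the same
# ACE reappears on both subfolders, flagged IsInherited = True.
$acl  = Get-Acl -Path $root
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, "ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $root -AclObject $acl
Show-Dacl $protected

# Way 1: turn inheritance off on the child. The second argument chooses whether the
# inherited ACEs are copied as explicit ones ($true) or dropped ($false). Dropping
# them can lock everyone out of the folder, so copy first and prune afterwards.
$pAcl = Get-Acl -Path $protected
$pAcl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $protected -AclObject $pAcl
Show-Dacl $protected    # same rights, now explicit (IsInherited = False)

# Way 2: leave inheritance on and add an explicit Deny for one right. The Deny beats
# every inherited Allow (typically Full Control inherited from the user profile here),
# so creating a file in this folder fails.
$dAcl = Get-Acl -Path $denied
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule($me, "CreateFiles", "ContainerInherit, ObjectInherit", "None", "Deny")
$dAcl.AddAccessRule($deny)
Set-Acl -Path $denied -AclObject $dAcl
Show-Dacl $denied
try   { New-Item -ItemType File -Path (Join-Path $denied "test.txt") -ErrorAction Stop | Out-Null; "create succeeded (unexpected)" }
catch { "create failed as expected: $($_.Exception.Message)" }

Remove-Item -Path $root -Recurse -Force
```

Note the asymmetry: breaking inheritance stops future changes at the parent from flowing down, whereas a Deny leaves inheritance intact and simply wins the evaluation for the bits it names.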
19. Precedence Rules for Permissions
• Allowed permissions are cumulative:
• All the permissions of a security principal (its own, plus those of every group it belongs to) combine to give its Effective Permissions.
• Denied permissions override Allowed permissions:
• An explicit Deny overrides an Allow from any other source.
• Explicit permissions take precedence over inherited permissions:
• So an explicit Allow overrides an inherited Deny.
• Put together, Windows evaluates the ACEs in the order explicit Deny, explicit Allow, inherited Deny, inherited Allow, and the first ACE that matches a given right decides it.
20. Permissions can get complicated!
• As a result, depending on a user's group memberships and any permissions given explicitly to that user, you get a combination of all of them.
• Not directly shown in the Properties window, since it lists each user or group separately.
• e.g. user cmp3robinj is granted Allow Read & Execute on folder ModuleSpecs. But cmp3robinj is also a member of the Lecturers group, which has been granted Allow Full Control, and of the Everyone group, which has been granted Allow Read.
• Therefore, cmp3robinj has an effective permission of Allow Full Control on this folder.
• Need to use the Effective Permissions view.
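A model of the precedence rules run against the ModuleSpecs case, added here as a PowerShell example that is not part of the lecture notes. The ACEs and the token are constructed; the real access check also considers ownership, privileges and share permissions, which this deliberately leaves out. It uses the real FileSystemRights bit values, so it also shows how a Standard permission decomposes into Special ones.

```powershell
# Added example, not from the lecture notes. ACEs, names and token are constructed.
$FSR = [System.Security.AccessControl.FileSystemRights]

function Get-EffectiveRights([object[]]$Aces, [string[]]$Token) {
    # Windows keeps a DACL in canonical order: explicit Deny, explicit Allow,
    # inherited Deny, inherited Allow. The first ACE matching a right decides it,
    # so a right already allowed cannot be taken away by a later (inherited) Deny.
    $ordered = $Aces | Sort-Object @{ Expression = { $_.Inherited } }, @{ Expression = { $_.Type -ne "Deny" } }
    $allowed = 0; $denied = 0
    foreach ($ace in $ordered) {
        if ($Token -notcontains $ace.Who) { continue }   # ACE is for someone else
        $bits = [int]$ace.Rights
        if ($ace.Type -eq "Deny") { $denied  = $denied  -bor ($bits -band -bnot $allowed) }
        else                      { $allowed = $allowed -bor ($bits -band -bnot $denied) }
    }
    return [System.Security.AccessControl.FileSystemRights]$allowed
}

function Test-Access([object[]]$Aces, [string[]]$Token, [System.Security.AccessControl.FileSystemRights]$Wanted) {
    # Access is granted only if every requested bit is in the effective set
    $eff = [int](Get-EffectiveRights -Aces $Aces -Token $Token)
    return (([int]$Wanted -band -bnot $eff) -eq 0)
}

function New-Ace($Who, $Type, $Rights, [bool]$Inherited = $false) {
    [pscustomobject]@{ Who = $Who; Type = $Type; Rights = $Rights; Inherited = $Inherited }
}

# The token of cmp3robinj: own account plus the groups it belongs to (nesting already expanded)
$token = @("cmp3robinj", "Lecturers", "Everyone")

# Slide 20: three Allow ACEs from different sources combine, giving Full Control
$aces = @(
    (New-Ace "cmp3robinj" "Allow" ($FSR::ReadAndExecute)),
    (New-Ace "Lecturers"  "Allow" ($FSR::FullControl)),
    (New-Ace "Everyone"   "Allow" ($FSR::Read) -Inherited $true)
)
"Cumulative allows: {0}" -f (Get-EffectiveRights $aces $token)

# An inherited Deny Write on Everyone loses to the explicit Allow Full Control via Lecturers
$aces += New-Ace "Everyone" "Deny" ($FSR::Write) -Inherited $true
"Inherited Deny vs explicit Allow, Write granted: {0}" -f (Test-Access $aces $token ($FSR::Write))

# The same Deny set explicitly on the folder beats every Allow for those bits, and nothing else
$aces += New-Ace "Everyone" "Deny" ($FSR::Write)
"Explicit Deny, Write granted: {0}; Read & Execute granted: {1}" -f (Test-Access $aces $token ($FSR::Write)), (Test-Access $aces $token ($FSR::ReadAndExecute))

# Standard permissions are bit masks over the Special ones (slide 17): the only bit
# Read & Execute adds to Read is Traverse Folder/Execute File. (.NET's enum leaves
# Synchronize out of both, although the GUI lists it.)
"Read & Execute minus Read = {0}" -f [System.Security.AccessControl.FileSystemRights]([int]($FSR::ReadAndExecute) -bxor [int]($FSR::Read))
```

The Effective Permissions tab does the same accumulation for real, with the user's actual token; the model makes the ordering visible, which the GUI never shows.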
21. Effective Permissions
[Screenshot: Effective Permissions tab of the Advanced Security Settings dialog]
• Checks a single folder or file to determine a particular user's or group's permissions.
• Only takes account of NTFS interactions. Does not include the effects of Share permissions or of the logon method (e.g. network versus interactive).
• Read-only: it reports, it does not change anything.
22. Next time & References
• Next time: further sorts of permissions, including file shares.
[1] Windows Server 2008 Active Directory Resource Kit, pp. 181-
[2] Windows Server 2008 Active Directory Resource Kit, pp. 368-369