Tag Archives: Groups

Converting Groups and Deleting Groups

In one of my previous blog posts I explained the different security groups we can have in a domain environment. Every group has a scope and a type, but in some situations you may need to change them.

To change the type of a group (security or distribution), open the group's properties, select the new type you need and click OK.

If you need to change the scope, however, AD only allows certain conversions. The following table describes the possible changes (rows are the current scope, columns are the target scope).

From Domain Local:
•    To Global: Prohibited
•    To Universal: Permitted only if the group doesn't have other domain local groups nested in it

From Global:
•    To Domain Local: Prohibited
•    To Universal: Permitted only if the group is not a member of another group

From Universal:
•    To Domain Local: Permitted
•    To Global: Permitted only if the group doesn't have other universal groups as members
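The conversion rules above can be checked before calling Set-ADGroup so that a failed conversion is explained rather than just rejected. The following script is an added example, not code from the original post; it assumes the RSAT ActiveDirectory PowerShell module, rights to read and modify the group, and placeholder group names such as 'Sales Leads'.

```powershell
# Added example: pre-flight check for the scope conversions described in the table above.
# Assumes the ActiveDirectory module; group names used below are placeholders.
Import-Module ActiveDirectory

function Test-ADGroupScopeConversion {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('DomainLocal', 'Global', 'Universal')][string]$TargetScope
    )
    $group   = Get-ADGroup -Identity $Identity -Properties MemberOf
    $current = $group.GroupScope.ToString()
    if ($current -eq $TargetScope) { return "$($group.Name) is already $TargetScope." }

    # Scopes of the groups nested directly inside this group
    $memberScopes = Get-ADGroupMember -Identity $group |
        Where-Object objectClass -eq 'group' |
        ForEach-Object { (Get-ADGroup -Identity $_.DistinguishedName).GroupScope.ToString() }

    switch ("$current->$TargetScope") {
        'DomainLocal->Global' { return 'Prohibited: a domain local group cannot become global.' }
        'Global->DomainLocal' { return 'Prohibited: a global group cannot become domain local.' }
        'DomainLocal->Universal' {
            if ($memberScopes -contains 'DomainLocal') {
                return 'Blocked: the group has other domain local groups nested in it.'
            }
        }
        'Global->Universal' {
            # Rule as stated in the table: the group must not be a member of another group
            if ($group.MemberOf.Count -gt 0) {
                return "Blocked: the group is a member of $($group.MemberOf.Count) other group(s)."
            }
        }
        'Universal->Global' {
            if ($memberScopes -contains 'Universal') {
                return 'Blocked: the group has other universal groups as members.'
            }
        }
        'Universal->DomainLocal' { }   # always permitted
    }
    return 'OK'
}

function Convert-ADGroupScope {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('DomainLocal', 'Global', 'Universal')][string]$TargetScope
    )
    $check = Test-ADGroupScopeConversion -Identity $Identity -TargetScope $TargetScope
    if ($check -ne 'OK') { Write-Warning $check; return }
    Set-ADGroup -Identity $Identity -GroupScope $TargetScope
    Get-ADGroup -Identity $Identity | Select-Object Name, GroupScope
}

# Usage (placeholder group name)
Convert-ADGroupScope -Identity 'Sales Leads' -TargetScope Universal

# Changing the type has no prerequisites: security <-> distribution is a single property change
Set-ADGroup -Identity 'Sales Leads' -GroupCategory Distribution
```

The Global to Universal check follows the table on this page (not a member of any other group); Microsoft's documented condition is narrower, requiring only that the group is not a member of another global group, so the check here is the stricter of the two.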

Deleting Groups

Each group in AD DS is assigned a unique SID (Security Identifier). AD uses this SID, not the group name, to identify the permissions associated with the group.

When we delete a group from AD DS, only the SID and the permissions associated with that group are removed; the member objects of the group are not deleted. The SID can also never be reused. If you create a new group with the same name as the deleted one, it will get a new SID, and you will need to assign the permissions again just as you would for any new object.
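Because the SID and the group's membership list are lost on deletion, it is worth recording both before removing a group. The script below is an added example, not code from the original post; it assumes the ActiveDirectory module, rights to read and delete the group, a placeholder group name 'Sales Leads' and a backup directory under the user's TEMP folder.

```powershell
# Added example: snapshot a group's SID, attributes and members to JSON before deleting it.
# Assumes the ActiveDirectory module; 'Sales Leads' and the output folder are placeholders.
Import-Module ActiveDirectory

function Backup-ADGroupBeforeRemoval {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$OutDir = (Join-Path $env:TEMP 'ADGroupBackups')
    )
    $group   = Get-ADGroup -Identity $Identity -Properties Description, MemberOf, whenCreated
    $members = Get-ADGroupMember -Identity $group |
        Select-Object Name, SamAccountName, objectClass, DistinguishedName

    $record = [pscustomobject]@{
        Name              = $group.Name
        DistinguishedName = $group.DistinguishedName
        SID               = $group.SID.Value            # the value that cannot be recreated
        GroupScope        = $group.GroupScope.ToString()
        GroupCategory     = $group.GroupCategory.ToString()
        Description       = $group.Description
        WhenCreated       = $group.whenCreated
        MemberOf          = @($group.MemberOf)          # groups this group is nested in
        Members           = @($members)                 # direct members, which survive deletion
        BackedUpAt        = (Get-Date).ToString('o')
    }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $path = Join-Path $OutDir ('{0}_{1}.json' -f $group.SamAccountName, $group.SID.Value)
    $record | ConvertTo-Json -Depth 4 | Set-Content -Path $path -Encoding UTF8
    return $path
}

# Usage in a lab: back up, delete, recreate with the same name and compare the SIDs
$backup = Backup-ADGroupBeforeRemoval -Identity 'Sales Leads'
Remove-ADGroup -Identity 'Sales Leads' -Confirm:$false
New-ADGroup -Name 'Sales Leads' -GroupScope Global -GroupCategory Security

$oldSid = (Get-Content -Path $backup -Raw | ConvertFrom-Json).SID
$newSid = (Get-ADGroup -Identity 'Sales Leads').SID.Value
"Same SID after recreation: $($oldSid -eq $newSid)"   # False: permissions must be reassigned
```

The JSON file keeps the old SID alongside the member list, which is what you need to reassign permissions on the recreated group and to recognise the orphaned SID when it turns up in ACLs later.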

If you have any question about the post feel free to contact me on rebeladm@live.com

Active Directory Groups

I am sure everyone who uses Active Directory has heard about groups. Even on a stand-alone PC you can see a set of groups. But it is important to know how these groups work and what each type of group really does.

Windows Server 2012 has two types of groups.

Distribution Group – This is a non-security group whose purpose is to distribute information to a set of recipients. AD-aware applications such as Microsoft Exchange use these, for example, to distribute email.

Security Group – This is a security group used to grant a set of users access permissions on resources. For example, this type of group can be used to assign permissions on a network share.

Group Scope

Apart from the group type, we can define the boundaries of a group. It can be limited to the current domain or extended to other domains as well.

There are three group scope levels.

Domain Local

This group can have any of the following as members:

•    User Accounts
•    Computer Accounts
•    Universal Groups
•    Domain Local groups from the same domain
•    Global Groups from the forest

This limits the group's scope to its own domain.

Global Group

This group can have any of the following as members:

•    User Accounts
•    Computer Accounts
•    Other global groups from same domain

A global group can be used to assign permissions to any resource in the forest, whether in the same domain or a different one. Its membership, however, is only replicated to the domain controllers in its own domain.

Universal Group

This group can have the following as members:

•    User accounts
•    Computer accounts
•    Other universal groups
•    Global Groups

A universal group can be used in any domain in the forest and also between trusted sites. Universal groups are stored on global catalog servers, so any change to the group membership is replicated to all GC servers in the forest.

Nested Groups

This is one of the nice features we can use for permission delegation. You can make a group a member of another group. For example, if you create a group for the IT department, it can be a member of an “All Staff” user group.
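The nesting described above is easiest to understand by comparing a group's direct members with its effective (recursively expanded) members. The script below is an added example, not code from the original post; it assumes the ActiveDirectory module, a placeholder OU 'OU=Groups,DC=example,DC=com', placeholder group names and a placeholder user 'jdoe'.

```powershell
# Added example: build the nesting from the text (IT Department inside All Staff) in a lab
# and show direct versus effective membership. OU, group and user names are placeholders.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=example,DC=com'
New-ADGroup -Name 'All Staff'     -GroupScope Global -GroupCategory Security -Path $ou
New-ADGroup -Name 'IT Department' -GroupScope Global -GroupCategory Security -Path $ou

# Nest the department group inside the broader group, then add a user to the department
Add-ADGroupMember -Identity 'All Staff'     -Members 'IT Department'
Add-ADGroupMember -Identity 'IT Department' -Members 'jdoe'

function Get-ADNestedMembership {
    param([Parameter(Mandatory)][string]$Identity)
    [pscustomobject]@{
        Group     = $Identity
        # Direct members: what the Members tab shows (here the IT Department group)
        Direct    = @(Get-ADGroupMember -Identity $Identity |
                      Select-Object -ExpandProperty SamAccountName)
        # Effective members: leaf objects reached through any level of nesting (here jdoe)
        Effective = @(Get-ADGroupMember -Identity $Identity -Recursive |
                      Select-Object -ExpandProperty SamAccountName)
    }
}

Get-ADNestedMembership -Identity 'All Staff'

# The reverse view: the user's own MemberOf lists only the group they were added to directly,
# so permissions granted to 'All Staff' reach jdoe without appearing on the user object.
Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object Name, GroupScope
```

When reviewing who can reach a resource, the Effective list is the one that matters: a permission granted to 'All Staff' applies to jdoe even though jdoe is not a direct member and 'All Staff' never appears on the user's MemberOf attribute.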

If you have any questions about the post feel free to contact me on rebeladm@live.com

How to find Objects In AD, Part 1

This post is the first part of a set of articles explaining the tools and techniques that can be used to find objects within an Active Directory environment.

Active Directory holds details of many different kinds of objects. It contains information about users, groups, computers, organizational units, resources and so on, so there are occasions when we need to find specific objects within AD. In a small environment this can easily be done by going through each and every object in AD, but in a large environment there need to be tools and techniques to help with the search.

There are many occasions when you may need to search for and find objects in AD.

Adding members and users to groups – In an AD environment you will need to add users or resources to security/distribution groups. In such situations we need to find the users and resources as well as the group they need to be added to.

Assigning permissions – When we share folders, files or resources in an Active Directory environment, we need to search for the users and groups the permissions should be assigned to.

Linking objects – Objects such as groups connect other objects together, so to assign the members we need to search for the relevant objects.

Use of the Select Users, Contacts, Computers, or Groups snap-in

This is one of the tools used in AD to search for objects. I will explain it with the following example.

I have set up a group in AD called "Sales Leads" and I need to add a few users to it. To do this, double-click on the group to open its properties, then go to the "Members" tab. Since I need to add new users, I click on the "Add" button.

This opens the tool I mentioned.

We can change which object types are selected by clicking on the "Object Types" button.

This opens the following dialog, which shows the default selection; if needed, you can add or remove object types here.

We can also change the container to search in by clicking on the "Location" button.

Here we can select the domain or OU the search should run in. By default the domain root is selected.

To find an object whose name you partly know, type it in the "Enter the object names to select" box and click "Check Names". It will search for the name and select the matching object. You can enter multiple values before clicking the "Check Names" button.

If you are not sure about the names and need deeper search options, click on the "Advanced" button, which gives many different options for an advanced object search.

Once the search is completed, click the OK button to move on to the next steps of the task.

Use of "Find objects in Active Directory Domain Services" option

In the Active Directory Users and Computers snap-in there is an option called "Find objects in Active Directory Domain Services" which can be used to search for AD objects.

To use it, click on the icon shown in the following screen.

Alternatively, open it by right-clicking the domain root and clicking the "Find" option.

This opens the dialog box used to build the search.

Using the "Find:" drop-down, select the object type to search for.

Using the "Browse" button, select the container the search will run in.

Clicking on the "Advanced" tab in the dialog box gives more options for a deeper search.

This is the end of Part 1 of the article. The next articles will look further into the tools and techniques that can be used to find objects in an AD environment.
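Both dialogs described in this post (the object picker with its "Object Types" and "Location" buttons, and the "Find" dialog with its object-type drop-down and "Browse" button) are front ends for an LDAP query with an object-class filter, a search base and a name pattern. The function below is an added example, not code from the original post, that does the same search from PowerShell; it assumes the ActiveDirectory module, and the OU, group and user names in the usage lines are placeholders.

```powershell
# Added example: the GUI search from this post expressed as one LDAP query.
# Assumes the ActiveDirectory module; OU and object names in the usage lines are placeholders.
Import-Module ActiveDirectory

function Find-ADObjectByName {
    param(
        [Parameter(Mandatory)][string]$NamePart,
        # Equivalent of the "Object Types" button / "Find:" drop-down
        [ValidateSet('User', 'Computer', 'Group', 'Contact', 'Any')][string]$ObjectType = 'Any',
        # Equivalent of the "Location" / "Browse" button; the dialogs default to the domain root too
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [ValidateSet('Base', 'OneLevel', 'Subtree')][string]$SearchScope = 'Subtree'
    )

    $classFilter = switch ($ObjectType) {
        'User'     { '(&(objectCategory=person)(objectClass=user))' }   # excludes computer accounts
        'Computer' { '(objectClass=computer)' }
        'Group'    { '(objectClass=group)' }
        'Contact'  { '(objectClass=contact)' }
        'Any'      { '(objectClass=*)' }
    }

    # Escape LDAP filter metacharacters (RFC 4515) so a name containing '*', '(' or ')'
    # is matched literally instead of changing the meaning of the filter. Backslash first.
    $escaped = $NamePart -replace '\\', '\5c' -replace '\*', '\2a' `
                         -replace '\(', '\28' -replace '\)', '\29'

    # Match the partial name the same way "Check Names" does: against several name attributes
    $ldap = "(&$classFilter(|(cn=*$escaped*)(sAMAccountName=*$escaped*)(displayName=*$escaped*)))"

    Get-ADObject -LDAPFilter $ldap -SearchBase $SearchBase -SearchScope $SearchScope `
                 -Properties sAMAccountName, displayName |
        Select-Object Name, sAMAccountName, ObjectClass, DistinguishedName
}

# Usage: find groups whose name contains "sales" anywhere in the domain
Find-ADObjectByName -NamePart 'sales' -ObjectType Group

# Usage: find a user, limiting the search to one OU (placeholder DN)
Find-ADObjectByName -NamePart 'jdoe' -ObjectType User -SearchBase 'OU=Sales,DC=example,DC=com'
```

The escaping step is the one thing the GUI does for you silently: if the name fragment comes from user input (a help-desk form, a script parameter) and is dropped into the filter unescaped, a value such as `*)(objectClass=*` widens the query to every object in the search base.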