Administering Groups in an Enterprise

Previous lessons prepared you to perform daily administrative tasks related to groups in Active Directory. You have learned to create, modify, and delete groups, using a variety of tools and procedures. This lesson rounds out your exploration of groups by preparing you to take advantage of useful group attributes for documenting groups, to delegate the management of group membership to specific administrative teams or individuals, and to break away from reliance on some of the Active Directory and Windows default groups.



In the Active Directory Users and Computers snap-in, click the View menu and make sure that Advanced Features is selected; the Object and Security tabs used throughout this lesson are hidden otherwise. To open a group's properties, right-click the group and select Properties.

Summarize a group's purpose with its Description attribute. Because the Description column is shown by default in the details pane of the Active Directory Users and Computers snap-in, the group's purpose is highly visible to administrators.

Detail a group's purpose in its Notes field. When you open a group's Properties dialog box, the Notes field at the bottom of the General tab can be used to document the group's purpose at greater length than the Description allows.

Deleting a group has a high impact on administrators and, potentially, on security. Consider a group that has been used to manage access to resources.

If the group is deleted, access to those resources changes. Either users who should be able to access a resource are suddenly prevented from doing so, creating a denial-of-service scenario, or, if the group was used to deny access to a resource with a Deny permission, inappropriate access to the resource becomes possible. Recreating a group with the same name does not undo the damage: permissions reference the group's SID, and a new group receives a new SID.

Protect yourself from the potentially devastating results of group object deletion by protecting each group you create from deletion. Windows Server 2008 makes it easy to protect any object from accidental deletion.

Select the Object tab and tick the Protect object from accidental deletion check box. This option applies an access control entry (ACE) to the object's ACL that explicitly denies the Everyone group both the Delete permission and the Delete Subtree permission. If you really do want to delete the group, return to the Object tab of the Properties dialog box, clear the Protect object from accidental deletion check box and click OK. This is one of the few places in Windows where you actually have to click OK: clicking Apply does not modify the ACL based on your selection.
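The same protection can be applied in bulk and, more importantly, verified. The following PowerShell is an added example and is not part of the course page; it assumes the ActiveDirectory module (RSAT) is installed and uses a placeholder OU distinguished name. It protects every group in the OU and then confirms, by reading each group's ACL, that the Deny ACE for Everyone described above is actually present.

```powershell
# Added example (not from the course page). Assumes the ActiveDirectory module
# and a placeholder OU; replace $ou with a real distinguished name.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=contoso,DC=com'   # assumed placeholder

# Equivalent of ticking "Protect object from accidental deletion" on the Object tab
Get-ADGroup -Filter * -SearchBase $ou |
    Set-ADObject -ProtectedFromAccidentalDeletion $true

# Verify the setting: it is implemented as a Deny ACE for Everyone (S-1-1-0)
# carrying both Delete and DeleteTree (shown as "Delete Subtree" in the GUI).
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$delete   = [System.DirectoryServices.ActiveDirectoryRights]::Delete
$deleteTree = [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

function Test-DeletionProtection {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $denyAce = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone -and
        $_.ActiveDirectoryRights.HasFlag($delete) -and
        $_.ActiveDirectoryRights.HasFlag($deleteTree)
    }
    [bool]$denyAce
}

Get-ADGroup -Filter * -SearchBase $ou | ForEach-Object {
    $group = $_
    [pscustomobject]@{
        Group     = $group.Name
        Protected = Test-DeletionProtection -DistinguishedName $group.DistinguishedName
    }
}
```

To delete a protected group from PowerShell you must clear the flag first (`Set-ADObject -ProtectedFromAccidentalDeletion $false`) and then run `Remove-ADGroup`; `Remove-ADGroup` on a protected group fails with an access-denied error, which is exactly the behaviour the Deny ACE is there to produce.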

Delegating Membership Management with the Managed By Tab

The easiest way to delegate membership management of a single group is to use the Managed By tab, which serves two purposes.

First it provides contact information related to the manager of a group. You can use this information to contact the business owner of a group to obtain approval prior to adding a user to the group.

The second purpose served by the Managed By tab is to manage the delegation of the member attribute. Note the check box, labeled Manager Can Update Membership List.

When selected, the user or group shown in the Name box is granted the Write Members permission on the group (Allow Write Property on the member attribute). If you change or clear the manager, the corresponding change is made to the group's ACL. To set a manager, select the Managed By tab of the group's Properties dialog box, click Change, select the user and click OK.

Ensure the Manager can update membership list checkbox is ticked and click OK.

Delegating Membership Management Using Advanced Security Settings

You can use the Advanced Security Settings dialog box to assign the Allow Write Members permission directly. You can assign the permission for an individual group or for all the groups in an OU. The Security tab is only visible when Advanced Features is selected on the View menu of Active Directory Users and Computers.

Delegating Membership for an individual group Using Advanced Security Settings

Right-click the group and select Properties, then select the Security tab and click Advanced. Click Add, select the user or group, and click OK. In the Permission Entry dialog box select the Properties tab and ensure that Apply to: This object and all descendant objects is selected. Scroll down the list, select Read Members and Write Members, and click OK.

Delegate the ability to manage membership for all groups in an OU

Right-click the OU and select Properties. Select the Security tab and click Advanced. Click Add, select the user or group, and click OK. In the Permission Entry dialog box select the Properties tab and ensure that Apply to: Descendant Group objects is selected. Select Read Members and Write Members and click OK.
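The Managed By check box, the single-group procedure and the OU-wide procedure all come down to the same ACE: Allow Read Property and Write Property on the member attribute, differing only in what it is applied to. The following PowerShell is an added example, not part of the course page or of any Microsoft tool; it assumes the ActiveDirectory module and uses placeholder distinguished names and account names. It looks up the schema GUIDs of the member attribute and the group class at run time rather than hard-coding them, and chooses the inheritance setting according to whether the target is a group or an OU.

```powershell
# Added example (not from the course page). Assumes the ActiveDirectory module;
# the DNs and the delegate account name are placeholders.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # Resolve an attribute or class name to its schemaIDGUID for use in an ACE
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}

function Grant-GroupMembershipManagement {
    param(
        [Parameter(Mandatory)][string]$TargetDN,    # DN of a group or of an OU
        [Parameter(Mandatory)][string]$DelegateSam  # sAMAccountName of a user or group
    )
    $delegate = Get-ADObject -LDAPFilter "(sAMAccountName=$DelegateSam)" -Properties objectSid
    $identity = $delegate.objectSid            # SecurityIdentifier

    $memberGuid = Get-SchemaGuid 'member'      # "Read Members" / "Write Members" in the GUI
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow

    $target = Get-ADObject -Identity $TargetDN
    if ($target.ObjectClass -eq 'organizationalUnit') {
        # GUI: "Applies to: Descendant Group objects" (inherited by groups created later too)
        $groupGuid = Get-SchemaGuid 'group'
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $identity, $rights, $allow, $memberGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $groupGuid)
    } else {
        # A group has no child objects, so "This object only" is equivalent to
        # the GUI's "This object and all descendant objects" here
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $identity, $rights, $allow, $memberGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    }

    $acl = Get-Acl -Path "AD:\$TargetDN"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

# One group (same effect as "Manager can update membership list" for that manager)
Grant-GroupMembershipManagement -TargetDN 'CN=Sales Share,OU=Groups,DC=contoso,DC=com' -DelegateSam 'sales.owner'
# Every current and future group under an OU
Grant-GroupMembershipManagement -TargetDN 'OU=Groups,DC=contoso,DC=com' -DelegateSam 'Group Admins'
```

One caveat worth knowing when scripting the Managed By tab: `Set-ADGroup -ManagedBy` writes only the managedBy attribute, which is the contact-information half of the tab. It does not tick Manager can update membership list, so the Write Members ACE has to be added separately, as the function above does.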

Shadow Groups

Most management of an enterprise is implemented with groups: groups are assigned permissions to resources, groups can be used to filter the scope of Group Policy objects, and groups are assigned fine-grained password policies.

OUs, however, are used far less often to manage the enterprise, and in some cases they cannot be used at all. For instance, OUs cannot be assigned permissions to resources, nor can they be assigned fine-grained password policies (discussed later in the course).

Instead, the primary purpose of an OU is to provide a scope of management for the delegation of administrative permissions over the objects it contains. OUs are administrative containers.

Sometimes you might want to use an OU as the unit of management in exactly these cases. For example, you might want to give all users in an OU access to a folder, or assign a unique password policy to the users in an OU. You cannot do so directly, but you can achieve your goal by creating what is called a shadow group. A shadow group is a group that contains the same users as an OU or, more generally, the users that meet a certain criterion.

The easiest way to create a shadow group is first to create the group; then, in the OU containing the users, press Ctrl+A to select all users, right-click any selected user and choose Add To A Group. Type the name of the group and click OK, and all the selected users are added to the group.

Unfortunately, Windows Server 2008 does not provide a way to maintain the membership of a shadow group dynamically. When you add a user to or remove a user from the OU, you must also add or remove that user in the shadow group.
Tip On the 70-640 exam, be prepared to see the term shadow group in use. Know that it means a group that contains, as members, the users in an OU.
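Because the operating system will not keep a shadow group in step with its OU, the usual practice is a scheduled script. The following PowerShell is an added example, not from the course page; it assumes the ActiveDirectory module and uses a placeholder OU and group name. It computes the difference between the users in the OU and the current members and applies only the additions and removals, so it is safe to run repeatedly.

```powershell
# Added example (not from the course page). Assumes the ActiveDirectory module;
# OU and group names are placeholders.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory)][string]$OU,         # e.g. 'OU=Sales,DC=contoso,DC=com'
        [Parameter(Mandatory)][string]$GroupName,  # e.g. 'Shadow-Sales-Users'
        [switch]$IncludeSubOUs,                    # search the whole subtree, not just the OU itself
        [switch]$WhatIf                            # report what would change without changing it
    )
    $scope = if ($IncludeSubOUs) { 'Subtree' } else { 'OneLevel' }

    # Users who should be members: every user object in the OU
    $wanted = @(Get-ADUser -Filter * -SearchBase $OU -SearchScope $scope |
        Select-Object -ExpandProperty DistinguishedName)

    # Users currently in the group (nested groups or computers are left alone)
    $current = @(Get-ADGroupMember -Identity $GroupName |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty distinguishedName)

    $toAdd    = @($wanted  | Where-Object { $_ -notin $current })   # moved into the OU
    $toRemove = @($current | Where-Object { $_ -notin $wanted })    # moved out or deleted

    if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd -WhatIf:$WhatIf }
    if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false -WhatIf:$WhatIf }

    [pscustomobject]@{ Group = $GroupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Dry run first, then schedule the real thing (for example with Task Scheduler)
Sync-ShadowGroup -OU 'OU=Sales,DC=contoso,DC=com' -GroupName 'Shadow-Sales-Users' -WhatIf
```

The removal step is what makes this a shadow group rather than a one-off bulk add: a user moved out of the OU loses the access or password policy that the group carries at the next run. If the "certain criterion" for membership is narrower than the OU itself (enabled accounts only, for instance), change the `-Filter` on `Get-ADUser` and the rest of the logic is unchanged.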