A group is a collection of other objects (users, computers, printers, other groups) that acts as a single container.
The advantage of group accounts is that security settings can be applied to many objects at once instead of to each object individually.
⇒ Open Active Directory Users and Computers → right-click the DC → New → select Group.
⇒ Enter the required details, select the group type and scope → click OK.
⇒ Open the group's Properties → Members tab → Add.
⇒ In the search box, type part of the username you want to add to the group and click Check Names.
⇒ Once the name has been resolved, click OK to add it.
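The same steps scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original page. It assumes the RSAT ActiveDirectory module is installed and the caller may create groups; the group name, OU path and partial username are placeholders, not values from the page. The "Check Names" step is mirrored by insisting on exactly one match before adding, so a partial name never silently adds the wrong account.

```powershell
# Added example: create a security group and add a user to it from PowerShell.
# Assumptions: RSAT ActiveDirectory module present, rights to create groups,
# and placeholder names/paths below replaced with your own.
Import-Module ActiveDirectory

$groupName   = 'DLG-Finance-Print'                   # placeholder group name
$targetPath  = 'OU=Groups,DC=corp,DC=example'        # placeholder container (the "DC" in the GUI steps)
$description = 'Finance staff allowed to print to the finance printers'

# New -> Group: choose type (Security) and scope (Domain Local)
New-ADGroup -Name $groupName `
            -SamAccountName $groupName `
            -GroupCategory Security `
            -GroupScope DomainLocal `
            -Path $targetPath `
            -Description $description

# "Check Names" equivalent: resolve a partial username, but only accept an
# unambiguous result. Adding the first hit of a wildcard search is how the
# wrong account ends up in a privileged group.
$partial = 'jdo'                                     # placeholder partial username
$found = @(Get-ADUser -Filter "SamAccountName -like '$partial*'" -Properties DisplayName)
if ($found.Count -ne 1) {
    throw "Expected exactly one match for '$partial', found $($found.Count): $($found.SamAccountName -join ', ')"
}

# Members tab -> Add
Add-ADGroupMember -Identity $groupName -Members $found[0]

# Read the result back: what the General and Members tabs would display
Get-ADGroup -Identity $groupName -Properties Description, Members |
    Select-Object Name, GroupCategory, GroupScope, Description,
                  @{ Name = 'Members'; Expression = { $_.Members -join '; ' } }
```

Because `-Filter` takes a string, the partial name is interpolated; keep it to characters that are valid in a sAMAccountName rather than accepting it from untrusted input.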
SID: Every object in Active Directory (computer, user, group, printer, and so on) is given a SID so that authentication can be performed easily.
GUID: A GUID is also given to every object in Active Directory. When a new object is created both a SID and a GUID are assigned, but the GUID is unique across the whole AD forest.
For example, if a user is moved to another domain the SID changes but the GUID does not.
| GUID | SID |
|---|---|
| Unique in the entire forest | Unique within the domain |
| Does not change if the object moves from one domain to another | Changes every time the object moves from one domain to another |
| Published in the Global Catalog | Not published anywhere |
| Makes it easy to locate an object anywhere in the forest | Locates an object within its own domain only |
| Also carries the information and permissions of users, groups and computers | Carries the information and permissions of users, computers and groups |
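To make the "SID changes, GUID does not" rule concrete, here is an added example (not from the page) that runs on any Windows machine without a domain. The two SIDs and the GUID are constructed sample values: they stand for the same account before and after a cross-domain move. A SID is built from a domain-specific part plus a relative identifier (RID), so even with the same RID the full SID is a different identity in the new domain, whereas the objectGUID is minted once and travels with the object.

```powershell
# Added example: split a SID into its domain part and RID to show why a move
# between domains yields a different SID. All identifiers below are constructed
# sample values, not real objects.
function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    [pscustomobject]@{
        Sid       = $sid.Value
        DomainSid = $sid.AccountDomainSid.Value        # S-1-5-21-<domain identifier>
        Rid       = [int]($sid.Value -split '-')[-1]   # relative identifier, issued per domain
    }
}

$before = Split-Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed: old domain
$after  = Split-Sid 'S-1-5-21-4444444444-5555555555-6666666666-1105'   # constructed: new domain

# objectGUID: assigned at creation and never re-issued
$guidAtCreation = [guid]'0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0'   # constructed sample objectGUID
$guidAfterMove  = $guidAtCreation                                  # the object keeps the same attribute

$before, $after | Format-Table -AutoSize
"Same RID:            $($before.Rid -eq $after.Rid)"
"Domain part changed: $($before.DomainSid -ne $after.DomainSid)"
"Full SID changed:    $($before.Sid -ne $after.Sid)"
"GUID unchanged:      $($guidAtCreation -eq $guidAfterMove)"

# In a real forest the same fields come straight from the directory:
#   Get-ADUser -Identity <sAMAccountName> -Properties ObjectGUID, SID, SIDHistory |
#       Select-Object ObjectGUID, SID, SIDHistory
# SIDHistory keeps the old SID so existing ACLs still resolve after a migration;
# audit it, because an unexpected entry there grants access the new SID alone would not.
```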
Types of Group Accounts in Active Directory
There are two types of groups in Active Directory:
Security groups are used for setting permissions on objects, for example who is allowed to print.
Distribution groups are used for e-mail purposes only; they do not provide security.
Group scope identifies the extent of a group within a domain or a forest.
Domain Local Groups:
A DLG belongs to its own domain and is the group normally used for setting permissions. A DLG can contain users and global groups.
DLGs are used for setting permissions on resources.
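An added example (not the page's own) of the pattern the last two lines describe: users are collected in a global group, the global group is nested into a domain local group, and the permission on the resource is granted once to the DLG. It assumes the ActiveDirectory module, rights to create groups and to change the folder ACL; the domain name, OU path, group names and share path are placeholders.

```powershell
# Added example: nest a global group into a domain local group and grant the
# DLG access to a folder, so the ACL names one group rather than many users.
# Placeholders: $domain, $ou, $share and the group names.
Import-Module ActiveDirectory

$domain = 'CORP'                                 # placeholder NetBIOS domain name
$ou     = 'OU=Groups,DC=corp,DC=example'         # placeholder container
$share  = 'D:\Shares\FinanceReports'             # placeholder resource
$gg     = 'GG-Finance-Staff'                     # global group: holds the users
$dlg    = 'DLG-FinanceReports-Modify'            # domain local group: appears in the ACL

New-ADGroup -Name $gg  -GroupScope Global      -GroupCategory Security -Path $ou
New-ADGroup -Name $dlg -GroupScope DomainLocal -GroupCategory Security -Path $ou

# A DLG can contain users and global groups: nest the global group into it
Add-ADGroupMember -Identity $dlg -Members $gg

# Grant Modify on the folder to the DLG only (inherits to files and subfolders)
$rights  = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule("$domain\$dlg", $rights, $inherit, $prop, $allow)

$acl = Get-Acl -Path $share
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Verify both ends of the chain: who is effectively in the DLG, and what the ACL says
Get-ADGroupMember -Identity $dlg -Recursive | Select-Object Name, objectClass
(Get-Acl -Path $share).Access | Where-Object { $_.IdentityReference -like "*\$dlg" }
```

Reviewing access then means reading one group's membership (`-Recursive` expands the nesting) instead of walking every ACE on the share, which is also why an unexpected member added to the DLG is worth alerting on.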
General: This tab identifies the group account: group name, description, e-mail and group scope.
Members: Lists everything added to this group, which can be other Active Directory objects (users, computers, contacts, printers).
Member of: Shows the groups of which this group is itself a member.
Managed by: Holds the manager of the group, who has complete access to this group.
LSA is a security subsystem. It is responsible for all user authentication and authorization services on the local computer.
For example, a user logs on to the domain controller with his or her username and password.
If the credentials are valid, the authentication process has succeeded.
The LSA on that computer then creates a token. The token contains details such as which groups the user belongs to, the SID of the user, the SIDs of those groups, and the permissions assigned by Local Security Policy to the user and groups. The whole LSA process is called "token evaluation".
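The contents of that token can be inspected on any Windows host, and the following added example (not part of the page) does so for the current logon: the user's SID, the SIDs and names of the groups the user belongs to, and the privileges granted by Local Security Policy. It needs no AD module. Group SIDs are resolved with .NET; privileges are not exposed there, so the `whoami /priv` output is parsed instead, which reads the same token.

```powershell
# Added example: summarise the access token the LSA built for the current logon.
# Assumption: run in PowerShell on Windows; whoami.exe is used for privileges.
function Get-LogonTokenSummary {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Each group SID in the token, resolved to a name where possible
    $groups = foreach ($g in $id.Groups) {
        try   { $name = $g.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }   # e.g. a SID from a trusted domain that is unreachable right now
        [pscustomobject]@{ Sid = $g.Value; Name = $name }
    }

    # Privileges (SeBackupPrivilege etc.) come from Local Security Policy, not group membership
    $privs = whoami /priv /fo csv | ConvertFrom-Csv

    [pscustomobject]@{
        User       = $id.Name
        UserSid    = $id.User.Value
        AuthType   = $id.AuthenticationType      # Kerberos, NTLM, ...
        GroupCount = @($groups).Count
        Groups     = $groups
        Privileges = $privs
    }
}

$summary = Get-LogonTokenSummary
$summary | Select-Object User, UserSid, AuthType, GroupCount
$summary.Groups     | Format-Table -AutoSize
$summary.Privileges | Format-Table -AutoSize
```

The group list is fixed when the token is created, which is why removing a user from a group does not take effect until the next logon; when revoking access urgently, check the token on live sessions rather than only the directory.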