Group Accounts in Windows Server Machines

A group is a collection of other objects (users, printers, other groups) that acts as a single container.

The advantage of group accounts is that we can apply security settings to multiple objects at a time.

To Create Group Account

⇒ Open Active Directory Users and Computers → Right-click on the DC → New → Select Group

Enter the required details and select the Group type → Click on OK.

Adding a New User to Group Account

Go to the Group properties→Members tab→Add.

In the search box, type part of the username you want to add to the group and click on Check Names.

Once it has resolved the name, just click on OK to add it.

SID & GUID in Active Directory

SID: Every object in Active Directory (computer, user, group, printer, etc.) is given a SID so that authentication can be performed easily.

GUID: Objects in Active Directory are also given a GUID. When a new object is created, both a SID and a GUID are assigned, but the GUID is unique throughout the AD.

For example, if a user is moved out of the domain, the SID will change but the GUID will not.

| GUID | SID |
| --- | --- |
| GUID is unique in the entire forest | SID is unique in the domain |
| GUID does not change if the object moves from one domain to another | SID will change every time an object moves from one location to another |
| GUID is published in the Global Catalog | SID is not published anywhere |
| GUID makes it easier to locate an object in the entire forest | SID locates an object within the domain only |
| GUID also holds the information and permissions about users, groups, and computers | SID holds the information and permissions of users, computers, and groups |

Types of Group Accounts in Active Directory

There are two types of Groups in active directory.

1) Security

2) Distribution 

Security groups are used for setting permissions on objects, for example who is allowed to print.

Distribution groups are used for e-mail purposes only; they do not provide security.

Group Scope

It identifies the extent of the group within a domain or a forest.

  • Domain Local Group: All built-in class groups.

  • Global Groups: Domain user, domain admins, domain guests, domain computers.

  • Universal groups: Schema admins, enterprise administrators.

Domain Local Groups:

A DLG pertains to its own domain and is the group normally used for setting permissions on resources. A DLG can contain users and global groups.

  • Global Groups: Used for organizing users.

  • Universal Groups: Used for organizing users and groups from more than one domain.

Understanding Group Account Properties

General: In this tab we can see some of the group account's details, such as Group name, Description, E-mail and Group Scope.

Members: Lists all the users added to this group, as well as the other Active Directory objects (users, computers, contacts, printers) that are members.

Member Of – Shows the groups in which this group itself has been added as a member.

Managed By: Holds the manager of the group, who has complete access to this group.

Local Security Authority

LSA is a security subsystem. It is responsible for all the users' authentication and authorization services on the local computer.

For example, a user logs on to the domain controller using his/her username and password.

If it is a valid user, the authentication process is successful.

Then the LSA on the computer creates a token. This token contains details such as which groups the user belongs to, the SID for that user, the SIDs for those groups, and the permissions assigned by the Local Security Policy to the user and groups. The entire LSA process is called “Token Evaluation”.
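
The same work done from PowerShell with the ActiveDirectory module, as an added example that is not part of the original article: it creates a security group with a chosen scope, adds a member, reads the SID and GUID discussed above, and lists the group SIDs carried in the current logon token. The OU path, group name and user name are assumptions.

```powershell
# Added example (not from the original article): the GUI steps above done with
# the ActiveDirectory PowerShell module. OU, group and user names are assumptions.
Import-Module ActiveDirectory

$ou    = 'OU=Groups,DC=corp,DC=example'   # assumed OU; adjust to your domain
$group = 'PrintOperators-HQ'              # assumed group name
$user  = 'jdoe'                           # assumed existing user (sAMAccountName)

# 1) Create the group: Category = Security (can carry permissions),
#    Scope = DomainLocal (used to set permissions on resources in this domain).
New-ADGroup -Name $group -SamAccountName $group -Path $ou `
    -GroupCategory Security -GroupScope DomainLocal `
    -Description 'Can print on HQ printers'

# 2) Add a member (the Members tab -> Add step).
Add-ADGroupMember -Identity $group -Members $user

# 3) Inspect the identifiers from the SID & GUID section.
#    The SID carries the domain SID as a prefix; the GUID has no domain part.
$g = Get-ADGroup -Identity $group -Properties Description
"SID        : $($g.SID.Value)"
"Domain SID : $($g.SID.AccountDomainSid.Value)"
"GUID       : $($g.ObjectGUID)"

# 4) Confirm membership from both sides (Members tab vs. Member Of tab).
Get-ADGroupMember -Identity $group | Select-Object Name, SamAccountName, SID
Get-ADPrincipalGroupMembership -Identity $user |
    Select-Object Name, GroupCategory, GroupScope

# 5) Token view (LSA section): the access token of the current logon holds the
#    user SID plus the SID of every group the user belongs to. Run as that user.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"User SID: $($id.User.Value)"
$id.Groups | ForEach-Object {
    try   { $name = $_.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(unresolved)' }
    '{0,-50} {1}' -f $name, $_.Value
}
```

From a plain command prompt, `whoami /groups` shows the same list of group SIDs held in the logon token.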

Topics Summary