Chapter 7. Groups

Introduction

A group is a simple concept that has been used in many different types of standalone and networked systems over the years. In generic terms, a group is just a collection of objects. Groups are often used to apply security in an efficient manner, where you create a collection of users and assign certain permissions or rights to that group, rather than to each individual user within the group. When applying security settings, it’s much easier to use a group than to use individual users, because you only need to apply the security setting once per group instead of once per user. In addition, groups are also frequently used to send email messages to an entire group of users at once rather than requiring the sender to address each person individually.

In Active Directory, groups are flexible objects that can contain virtually any other type of object as a member, although they’ll generally contain only users, inetOrgPersons, computers, and other groups. Active Directory groups can be used for many different purposes, including controlling access to resources, defining a filter for the application of group policies, and serving as an email distribution list.

The ways in which a group can be used in an Active Directory forest are defined by the group’s scope and type. The type of a group can be either security or distribution. Security groups can be used to grant or restrict access to Windows resources, whereas distribution groups can be used only as a simple grouping mechanism for sending email messages or for some other non-Windows security-related function. Both security and distribution groups can be used as email lists, but only security groups can be used to assign access to resources.

The scope of a group determines where members of the group can be located within the forest and where in the forest you can use the group in an ACL. The supported group scopes include universal, global, and domain local. Universal groups and domain local groups can have members that are part of any domain in the same forest (or, in the case of domain local groups, a separate forest if a cross-forest trust exists), whereas global groups can only have members that are part of the same domain that the group is contained in. When assigning permissions to group objects, universal and global groups can be assigned permissions to resources anywhere in the forest (or any trusted forest), whereas domain local groups can only be assigned permissions to resources in the same domain. (In this way, domain local and global groups are functional opposites of each other.)

The Anatomy of a Group

Groups are represented in Active Directory by group objects. Table 7-1 contains a list of some of the noteworthy attributes that are available on group objects.

Table 7-1. Attributes of group objects

Attribute

Description

cn

Relative distinguished name of group objects.

whenCreated

Timestamp of when the OU was created.

description

Text description of the group.

groupType

Flag containing the group scope and type. See Changing the Scope or Type of a Group for more information.

info

Additional notes about a group.

primaryGroupToken

Local RID for the group. This matches the primaryGroupID attribute that is set on user objects.

managedBy

DN of a user or group that is the owner of the group.

managedObjects

List of DNs of objects for which this group is listed in the managedBy attribute.

Member

List of DNs of members of the group.

memberOf

List of DNs of the groups this group is a member of.

whenChanged

Timestamp of when the OU was last modified.

sAMAccountName

Down-level account name for the group. Typically this is the same as the cn attribute.

wWWHomePage

URL of the home page for the group.

sAMAccountType

Describes the type of account that was created for an object, such as a domain object, a group object, a normal user account, and so on.

Creating a Group

Problem

You want to create a group.

Solution

Using a graphical user interface

  1. Open the Active Directory Administrative Center.

  2. In the left pane, click to highlight the desired domain.

  3. In the right pane, click New and then click Group.

  4. Enter the name of the group, enter the sAMAccountName, select the group scope (Domain local, Global, or Universal), and select the group type (Security or Distribution).

  5. Enter any other desired information into the optional fields and then click OK.

Using a command-line interface

In the following example, <GroupDN> should be replaced with the DN of the group to create, <GroupScope> should be l, g, or u for domain local, global, and universal groups, respectively, and -secgroup should be set to yes if the group is a security group or no otherwise. Another recommended option is to set -desc for specifying a group description:

> dsadd group "<GroupDN>" -scope <GroupScope> -secgrp yes|no -desc "<GroupDesc>"

You can also create a group object with admod, using the following syntax:

> admod -b "<GroupDN>" objectClass::group groupType::↵
"<GroupType>" sAMAccountName::"<Pre-Windows2000Name>" -add

For example, to create a global security group called “Finance Users” in the Finance OU of the adatum.com domain, you can use either of the following commands:

> dsadd group "cn=Finance Users,ou=Finance,dc=adatum,dc=com"-scope g -secgrp yes

> admod-b "cn=Finance Users,ou=Finance,dc=adatum,dc=com" groupType::-2147483646↵
sAMAccountName::"Finance Users" -add

In the case of AdMod, you must specify the numeric value for the group type, which can be any one of those listed in Table 7-2.

Table 7-2. Numeric values for group types

Group type

Numeric value

Universal Distribution Group

8

Universal Security Group

−2147483640

Domain Local Distribution Group

4

Domain Local Security Group

−2147483644

Global Distribution Group

2

Global Security Group

−2147483646

These values are defined in the ADS_GROUP_TYPE_ENUM enumeration; see Changing the Scope or Type of a Group for more information.

Note

If you omit the sAMAccountName attribute when creating the group, it will be automatically populated with a random string.

Using PowerShell

To create a group using PowerShell, run the following command:

New-ADGroup -Name "Finance Users" -SamAccountName FinanceUsers -GroupCategory Security -GroupScope Global -DisplayName "Finance Users" -Path "ou=Finance,dc=adatum,dc=com" -Description "Finance Department Users"

Discussion

In each solution, a group was created with no members. For more information on how to add and remove members, see Adding and Removing Members of a Group.

The groupType attribute contains a flag indicating both group scope and type. The available flag values are defined in the ADS_GROUP_TYPE_ENUM enumeration. Changing the Scope or Type of a Group contains more information on setting the group scopes and types.

Using a graphical user interface

The Active Directory Administrative Center is used to perform this solution. This allows you to completely configure the group during the creation process (whereas, if you used ADUC to create the group, you would have had to create the group and then go back into the properties to completely configure it).

See Also

Adding and Removing Members of a Group for adding and removing group members; “Understanding Group Accounts”; MSDN: ADS_ GROUP_TYPE_ENUM

Viewing the Permissions of a Group

Problem

You want to list the AD object permissions that have been assigned to a group object.

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers (ADUC) snap-in (dsa.msc). Click on View and ensure that there is a checkmark next to Advanced Features.

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Enter the name of the group and click Find Now.

  5. Double-click on the group in the bottom results pane.

  6. Click on the Security tab. The users and groups that have been assigned permissions to the object are listed in the bottom pane; select each entry to view the permissions that have been assigned to it.

  7. Click on Advanced to view the owner of the group, as well as any auditing that has been configured.

Using a command-line interface

> dsacls "<GroupDN>"

You can also obtain this information using AdFind, as follows:

adfind -gcb -f name=<Group Name> ntsecuritydescriptor -sddl++ -resolvesids

Using PowerShell

If you have Exchange 2007 or later management tools installed on your workstation, you can retrieve DACL and SACL information using the following Exchange cmdlet:

Get-ADPermission -Identity <Group Name>

Discussion

In an Active Directory environment, you can set permissions on an object within the directory in much the same way that you can set NTFS permissions on files and folders. Each AD object has a Security Descriptor (SD) associated with it that is made up of a Discretionary Access Control List (DACL) that dictates which users and groups can access an object, and a System Access Control List (SACL) that controls which users’ or groups’ activities should be audited. The DACL and SACL are each made up of one or more Access Control Entries (ACEs), one for each user or group and its associated permission.

See Also

MSDN: Creating a DACL [Security]; MSDN: Order of ACEs in a DACL [Security]; MSDN: SACL Access Right [Security]; MSDN: Retrieving an Object’s SACL [Security]

Viewing the Direct Members of a Group

Problem

You want to view the direct members of a group.

Solution

Using a graphical user interface

  1. Open the Active Directory Administrative Center.

  2. In the right pane, enter the name of the group in the Global Search box, select the desired domain in the scope, and then click the search icon.

  3. In the search results, double-click the name of the group to open the group properties.

  4. Scroll down to the Members area to view the members.

Using a command-line interface

You can enumerate the direct members of a group using the built-in DSGet utility, or AdFind. Use the following DSGet syntax to view the members:

> dsget group "<GroupDN>" -members

To list group members with AdFind, use the following syntax:

> adfind -b "<GroupDN>" member

Using PowerShell

To enumerate the direct group membership of the Domain Admins group, run the following PowerShell command:

Get-ADGroupMember -Identity "Domain Admins" | Select Name

Discussion

The member attribute of a group object contains the distinguished names of the direct members of the group. By direct members, we mean the members that have been directly added to the group. This is in contrast to indirect group members, which are members of the group due to nested group membership. See Viewing the Nested Members of a Group for how to find the nested membership of a group.

The memberOf attribute is a backlink to member. This means that, for each group membership listed in a group’s member attribute, the DN of the group itself appears in that user/computer/group’s memberOf attribute. Think of it this way: if the FinanceUsers group has Jane as a member, then Jane is a member of the FinanceUsers group. In this way, Active Directory uses forward links and backlinks to maintain consistency between groups and their membership.

See Also

Viewing the Nested Members of a Group for viewing nested group membership

Viewing the Nested Members of a Group

Problem

You want to view the nested membership of a group.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in (dsa.msc).

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Enter the name of the group and click Find Now.

  5. Double-click on the group in the bottom results pane.

  6. Click the Members tab.

  7. Double-click on each group member to view its membership.

Using a command-line interface

> dsget group "<GroupDN>" -members -expand

You can also obtain this information using the joeware MemberOf utility:

> memberof -group <GroupDN>

Using PowerShell

The simplest method of listing nested group membership in PowerShell is to use the –recursive switch, as shown in the following command:

Get-ADGroupMember -Identity "Domain Admins" -recursive | Select Name

Discussion

As described in Viewing the Direct Members of a Group, group membership is stored in the multivalued member attribute on group objects. But the member attribute will not show the complete picture because of group nesting. To view the complete group membership, you have to recursively search through the group membership of each group. (The exception to this is the memberof command-line utility, which correctly displays primary group memberships.)

See Also

Viewing the Direct Members of a Group for viewing group membership; MSDN: IADsMember

Adding and Removing Members of a Group

Problem

You want to add or remove members of a group.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in (dsa.msc).

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Enter the name of the group and click Find Now.

  5. Double-click on the group in the bottom results pane.

  6. Click the Members tab.

  7. To remove a member, click on the member name, click the Remove button, click Yes, and click OK.

  8. To add a member, click on the Add button, enter the name of the member, and click OK twice.

Using a command-line interface

The -addmbr option in dsmod adds a member to a group:

> dsmod group "<GroupDN>" -addmbr "<MemberDN>"

To add a group member with admod, use the following syntax:

> admod -b "<GroupDN>" member:+:"<MemberDN>"

The -rmmbr option in dsmod removes a member from a group:

> dsmod group "<GroupDN>" -rmmbr "<MemberDN>"

To remove a group member with admod, use the following syntax:

> admod -b "<GroupDN>" member:-:"<MemberDN>"

The -chmbr option in dsmod replaces the complete membership list:

> dsmod group "<GroupDN>" -chmbr "<Member1DN Member2DN ... >"

To replace the membership of a group with admod, use the following command:

> admod -b "<GroupDN>" member:+-:"<Member1DN>;<Member2DN>;<Member3DN>"

Using PowerShell

To add and remove users from groups using PowerShell, use the following syntax:

Add-ADGroupMember -Identity "<GroupDN>" -Members "<UserDN>"
Remove-ADGroupMember -Identity "<GroupDN>" -Members "<UserDN>" -Confirm:$False

Discussion

Since there are no restrictions on what distinguished names you can put in the member attribute, you can essentially have any type of object as a member of a group. Although OUs are typically used to structure objects that share certain criteria, group objects can be used to create loose collections of objects.

The benefit of using group objects as a collection mechanism is that the same object can be a member of multiple groups, whereas an object can only be a part of a single OU. Another key difference is that you can assign permissions on resources to groups because they are considered security principals in Active Directory, whereas OUs are not.

See Also

Viewing the Direct Members of a Group for viewing group membership; MSDN: IADsGroup::Add; MSDN: IADsGroup::Remove

Moving a Group Within a Domain

Problem

You want to move a group to a different OU or container within the same domain.

Solution

Using a graphical user interface

  1. Open the Active Directory Administrative Center.

  2. In the right pane, enter the name of the group in the Global Search box, select the desired domain in the scope, and then click the search icon.

  3. In the search results, right-click the name of the group and then click Move.

  4. In the Move dialog box, browse to the desired destination container, click to highlight it, and then click OK to complete the move.

Using a command-line interface

To move an object to a new parent container within the same domain, you can use either DSMove or AdMod, as follows:

> dsmove "<GroupDN>" -newparent "<NewParentDN>"

or:

> admod -b "<GroupDN>" -move "<NewParentDN>"

Using PowerShell

To move a group with PowerShell, use the following syntax:

Move-ADObject -Identity "<GroupDN>" -TargetPath "<New OU DN>"

Discussion

Using a command-line interface

The DSMove utility can work against any type of object, including groups. The first parameter is the DN of the group that you want to move. The second parameter is the new parent container of the group. The -s parameter can additionally be used to designate a specific server to work against.

See Also

Moving an Object to a Different OU or Container for moving an object to a different OU; Moving an Object to a Different Domain for moving an object to a different domain; Changing the Scope or Type of a Group for changing group scope and type; “Understanding Group Accounts”; MSDN: IADsContainer::MoveHere

Moving a Group to Another Domain

Problem

You want to move a group to a different domain in the same forest.

Solution

Using a graphical user interface

To migrate user, computer, group, or OU objects between domains in the same forest, use the following steps:

  1. Open the ADMT MMC snap-in (migrator.msc).

  2. Right-click on the Active Directory Migration Tool folder and select the Group Account Migration Wizard.

  3. Click Next on the welcome screen.

  4. On the Domain Selection screen, enter the DNS or NetBIOS name of the source and target domains and click Next.

  5. On the Group Select Option screen, select the option to select the group from the domain and click Next.

  6. On the Group Selection screen, add the group objects that you wish to migrate and click Next. (You cannot migrate built-in or well-known groups such as Domain Users or Domain Admins using this process.)

  7. On the Organizational Unit Selection screen, enter the name of the target OU or select Browse to open an object picker in the target domain. Click Next to continue.

  8. On the Group Options screen, select one or more of the following and click Next:

    “Update user rights”

    Copies any user rights that are assigned in the source domain to the target domain.

    “Copy group members”

    Specifies whether the user objects that belong to the group should be migrated along with the group. If you don’t select this option, the group will be created in the target domain with no members.

    “Update previously migrated objects”

    Supports migrations that take place over time by comparing the source and target groups and migrating any changes that have taken place.

    “Fix membership of group”

    Adds any migrated user accounts to groups in the target domain if the user accounts were members of the source groups in the source domain.

    “Migrate group SIDs to target domain”

    Adds the security identifiers (SIDs) of the migrated group accounts in the source domain to the SID history of the new group in the target domain.

  9. On the Naming Conflicts screen, select whether you want to migrate group objects that conflict with objects in the target domain and click Next.

  10. Click Finish to complete the migration.

Using a command-line interface

To migrate a group from the command line using the ADMT utility, use the following syntax:

> ADMT GROUP /N "<GroupName>" /IF:YES /SD:"<SourceDomainDN>"/TD:"<TargetDomainDN>" /TO:"<TargetOUName>"

Using PowerShell

To migrate a group by using PowerShell, use the following syntax:

Move-ADObject -Identity "<GroupDN>" -TargetPath "<TargetOUDN>" -TargetServer "<TargetServerFQDN>"

Discussion

The only type of group that can be moved between domains using the built-in operating system tools is universal groups; additionally, the RID Master for both the source and the target domains needs to be available in order to complete the move. If you want to move a global or domain local group to a different domain, first convert it to a universal group, move the group, and then convert it back to a global or domain local group.

When you convert a group between types, you may encounter problems because different groups have different membership restrictions. See the Introduction section of this chapter for more information on group type membership restrictions.

Another way to accomplish interdomain (intraforest or interforest) group moves is by using ADMT, which might be quite useful if you need to move a large number of groups. With ADMT, you can move and restructure groups without needing to go to all the trouble of converting the group to a universal group and then modifying the group membership. For more on the latest version of ADMT, see “Active Directory Migration Tool (ADMT) Guide: Migrating and Restructuring Active Directory Domains”.

Changing the Scope or Type of a Group

Problem

You want to change the scope or type of a group.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in (dsa.msc).

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Enter the name of the group you want to modify and click Find Now.

  5. Double-click on the group in the results pane.

  6. In the group properties dialog box, select the new scope or type, and click OK.

Using a command-line interface

The following example changes the group scope for <GroupDN> to <NewScope>, which should be l for domain local group, g for global group, or u for universal group:

> dsmod group "<GroupDN>" -scope <NewScope>

The following example changes the group type for <GroupDN>. For the -secgrp switch, specify yes to change to a security group or no to make the group a distribution group:

> dsmod group "<GroupDN>" -secgrp yes|no

To change the scope and/or type of a group using AdMod, use the following syntax:

> admod -b "<GroupDN>" groupType::<GroupType>

Just as when you created a group using AdMod, you must specify the numeric value for the group type. Refer to Creating a Group for more information.

Using PowerShell

To modify a group’s type or scope with PowerShell, use the following syntax. Use 'Security' or 'Distribution' as the group category, and 'Global', 'Universal', or 'DomainLocal' as the group scope:

Set-ADGroup "<Group Name>"-GroupCategory <GroupCategory> -GroupScope <GroupScope>

Discussion

Group scope and type are stored as a flag in the groupType attribute on group objects. To directly update groupType, you must logically OR the values associated with each type and scope, as shown in the API solution, or use the raw numeric values listed in Creating a Group when using AdMod. Note that there is no specific value for the distribution list type. If you want to create a distribution list, just do not include the ADS_GROUP_TYPE_SECURITY_ENABLED flag when setting groupType. Additional group types also are available through Authorization Manager.

Note

For a good description of the usage scenarios for each group type, see Active Directory, Fifth Edition, by Brian Desmond et al. (O’Reilly).

See Also

Creating a Group; “Understanding Group Accounts”; MSDN: ADS_GROUP_TYPE_ENUM; MSDN: What Type of Group to Use

Modifying Group Attributes

Problem

You want to modify one or more attributes of an object.

Solution

Using a graphical user interface

  1. Open the Active Directory Administrative Center.

  2. In the right pane, enter the name of the group in the Global Search box, select the desired domain in the scope, and then click the search icon.

  3. In the search results pane, double-click the group to display the group properties.

  4. Scroll down to the Extensions section and then click the Attribute Editor tab.

  5. Find the attribute that you want to modify, click to highlight the attribute, and then click Edit.

  6. Enter the new value for the attribute and then click OK.

  7. Click OK in the group properties window to complete the modification.

Using a command-line interface

Create an LDIF file called modify_object.ldf with the following contents:

dn: cn=Finance Users,cn=users,dc=adatum,dc=com
changetype: modify
add: description
description: Members of the Finance Department
-

Then run the following command:

> ldifde -v -i -f modify_object.ldf

To modify a group using AdMod, you’ll use the following general syntax:

> admod-b "<GroupDN>" <attribute>:<operation>:<value>

For example, you can add a description to a group object using the following syntax:

> C:>admod -b cn="Finance Users,cn=Users,dc=adatum,dc=com"description::"Members of the Finance Department"

You can also modify group objects with the dsmod group command using the following syntax:

> dsmod group "<GroupDN>" <options>

The available options for dsmod include the following:

-samid <NewSAMName>

Updates the sAMAccountName attribute of the group object

-desc <NewDescription>

Updates the description attribute of the group object

-secgrp {yes | no}

Configures the group object as a security group (yes) or a distribution group (no)

-scope {l | g | u}

Configures the group scope as domain local (l), global (g), or universal (u)

{-addmbr | -rmmbr | -chmbr} <MemberDN1> <MemberDN2>

Adds the specified objects to the group (addmbr), removes the specified objects (rmmbr), or replaces the membership list wholesale with only the specified objects (chmbr)

Using PowerShell

You can modify a group’s properties by using the Set-ADGroup cmdlet, as shown in the following example:

Set-ADGroup -Identity "<GroupDN>" -GroupType "<GroupType>" -GroupScope "<GroupScope>" -Description "<Description>"

Discussion

Using a graphical user interface

If the parent container of the object you want to modify has a lot of objects in it, you may want to add a new connection entry for the DN of the target object. This will be easier than trying to hunt through a container full of objects. You can do this by right-clicking ADSI Edit and selecting “Connect to” under Connection Point, then selecting Distinguished Name and entering the DN of the object.

Using a command-line interface

For more on ldifde, see Exporting Objects to an LDIF File.

Using PowerShell

The Set-ADGroup cmdlet has the following parameters that allow you to modify specific attributes of a group object:

  • -ManagedBy

  • -Notes

  • -Email

  • -GroupCategory

  • -GroupScope

  • -SamAccountName

  • -Description

  • -DisplayName

  • -HomePage

Delegating Control for Managing Membership of a Group

Problem

You want to delegate the ability to manage the membership of a group.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in (dsa.msc).

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Enter the name of the group and click Find Now.

  5. Double-click on the group in the results pane.

  6. Select the Managed By tab.

  7. Click the Change button.

  8. Locate the group or user to delegate control to and click OK.

  9. Check the box beside “Manager can update membership list.”

  10. Click OK.

Using a command-line interface

> dsacls <GroupDN> /G <GroupName>@DomainName:WP;member;

In the following example, the SalesAdmin group will be given rights to modify membership of the PreSales group:

> dsacls cn=presales,ou=sales,dc=adatum,dc=com /G [email protected]:↵
WP;member;

Using PowerShell

In PowerShell, you can change the person or group who is listed as the manager of a group. However, note that the following example does not set the permissions for the manager to manage the group’s membership:

Set-ADGroup <Group Name> -ManagedBy "<GroupDN>"

You can use a PowerShell console on a computer where the Exchange Server 2007 or later management tools have been installed to grant the right to manage group membership:

Add-ADPermission -Identity <Group Name> -User <User or Group Name>↵
 -AccessRights WriteProperty -Properties "members"

Discussion

To grant a user or group the ability to manage group membership, you have to grant the write property (WP) permission on the member attribute of the target group. You can add this ACE directly using dsacls, or more indirectly with ADUC. ADUC also has a feature that allows you to simply check a box to grant the ability to modify group membership to the object represented by the managedBy attribute.

If you want to configure additional permissions, such as the ability to modify the description attribute for the group, you will need to go to the Security tab in ADUC or specify the appropriate attribute with the /G switch with dsacls. For example, this will grant the write property on the description attribute:

/G <GroupName>@DomainDNSName:WP;description;

See Also

Using the Delegation of Control Wizard for delegating control in Active Directory

Resolving a Primary Group ID

Problem

You want to find the name of a user’s primary group.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in (dsa.msc).

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Type the name of the user and click Find Now.

  5. In the Search Results window, double-click on the user.

  6. Click the Member Of tab.

  7. The Primary Group name is shown on the bottom half of the dialog box.

Using PowerShell

To find the primary group for a user with PowerShell, use the following syntax:

Get-ADUser -Identity "<UserDN>" -Properties PrimaryGroup | Select PrimaryGroup

Discussion

In the past, when trying to determine a user’s group membership you had to look at the user’s memberOf attribute, which contains a list of DNs for each group the user is a member of, as well as the user’s primary group. By default, all users are assigned Domain Users as their primary group. Therefore, by default all users in a domain are implicitly members of the Domain Users group. Unfortunately, a user’s primary group does not show up in the memberOf attribute.

Note

Services for Macintosh and POSIX-based applications are the main users of primary groups. If you don’t use either of those, you usually don’t need to worry about changing a user’s primary group.

The primary group is stored in the primaryGroupID attribute on user objects. Unfortunately, the information that’s stored in that attribute is the relative identifier (RID) of the group, not the DN or even sAMAccountName as you might expect. group objects have a primaryGroupToken attribute, which contains the same value but is a constructed attribute. Because Active Directory dynamically constructs it, you cannot utilize it in search filters. So even if you have the primaryGroupID of a user (e.g., 513), you cannot do a simple query to find out which group it is associated with. However, with PowerShell and Active Directory Users and Computers, this task is very straightforward.

Using PowerShell

The PowerShell solution uses the calculated property named PrimaryGroup, which allows the solution to be straightforward and similar to querying for typical user attributes.

See Also

MS KB 297951 (How to Use the PrimaryGroupID Attribute to Find the Primary Group for a User)

Enabling Universal Group Membership Caching

Problem

You want to enable universal group membership caching so that a global catalog server is not needed during most user logins.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. In the left pane, browse to the site you want to enable group caching for and click on it.

  3. In the right pane, double-click on the NTDS Site Settings object.

  4. Under Universal Group Membership Caching, check the box beside Enable Universal Group Membership Caching.

  5. If you want to force the cache refresh from a particular site, select a site or else leave the default set to <Default>.

  6. Click OK.

Using a command-line interface

You can use a combination of the dsquery site and dsget site commands to determine whether a site has group caching enabled:

> dsquery site -name <SiteName> | dsget site -dn -cachegroups -prefGCSite

You can use ldifde to enable group caching. Create a file called enable_univ_cache.ldf with the following contents, but change <SiteName> to the name of the site you want to enable and <ForestRootDN> to the distinguished name of the forest root domain:

dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
replace: options
options: 32
-

Then use the following command to import the change:

> ldifde -i -f enable_univ_cache.ldf

You can also perform this change in the adatum.com domain by using AdMod with the following syntax:

> admod -b "cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,dc=adatum,dc=com" options::32

Using PowerShell

You can use the following PowerShell syntax to find out whether a site has universal group membership caching enabled:

Get-ADReplicationSite "<Site Name>" -Properties UniversalGroupCachingEnabled | FL UniversalGroupCachingEnabled

To enable universal group membership caching on a site by using PowerShell, use the following syntax:

Set-ADReplicationSite "<Site Name>" -UniversalGroupCachingEnabled $True

Discussion

When a client logs on, the domain controller that authenticates the user needs to contact a global catalog server in order to fully authenticate the client (however, if the DC that authenticates the user is itself a GC, then it does not need to contact any other servers to complete the authentication process). This is necessary because global catalogs are the only servers that store universal group information, which is needed to completely determine a user’s group memberships upon logon.

Universal groups can be created and used anywhere in a forest. Objects located anywhere in a forest can be added as members of a universal group. Since a universal group could be created in a domain other than where the user object resides, it is necessary to store universal group membership in the global catalog. That way, during logon, domain controllers can query a global catalog to determine all universal groups a user is a member of. Microsoft’s primary reason for making this a requirement during logon is that a user could be part of a universal group that has been explicitly denied access to certain resources. If universal groups aren’t evaluated, a user could gain access to resources that are supposed to be restricted.

To remove this limitation, Microsoft introduced universal group caching. Universal group caching can be enabled on a per-site basis and allows domain controllers to cache universal group information locally, thus removing the need to query the global catalog during client logon.

You can enable universal group caching manually by enabling the 10000 bit (32 in decimal) on the options attribute of the NTDS Site Settings object. See Modifying a Bit-Flag Attribute for more information on properly setting a bit flag attribute. The Sites and Services snap-in just requires you to check a box. Another setting can also be configured that relates to universal group caching. By default, domain controllers will use the site topology to determine the optimal site to use to query a global catalog server for universal group information. You can override this feature and explicitly set which site domain controllers should use by selecting the site in the Sites and Services snap-in or by setting the attribute msDS-Preferred-GC-Site on the NTDS Site Settings object to the DN of the target site.

Restoring a Deleted Group

Problem

You want to restore a group object that has been inadvertently deleted, as well as restore its members.

Note

These solutions assume that the Active Directory Recycle Bin was enabled prior to the deletion. If you have not enabled the AD Recycle Bin, you can do so from the Tasks pane in the Active Directory Administrative Center.

Solution

Using a graphical user interface (steps specific to Windows Server 2012)

  1. Launch the Active Directory Administrative Center.

  2. Select the domain and navigate to the Deleted Objects container.

  3. Locate the deleted group in the container.

  4. Right-click the group and select Restore.

Using PowerShell

To restore the group object and membership, use the following PowerShell command syntax:

Get-ADObject -Filter {isDeleted -eq $true} -IncludeDeletedObjects | Where-Object {$_.DistinguishedName -match "<GroupName>"} | Restore-ADObject

Discussion

Prior to the introduction of the Active Directory Recycle Bin, the most common way to restore a deleted object was to perform an authoritative restore by using ntdsutil. However, the Active Directory Recycle Bin and PowerShell have greatly simplified the process. While legacy restore methods are still valid and occasionally necessary, many restores can use the newer and more efficient methods.

Note that in both the GUI solution and the PowerShell solution, the group membership is restored along with the group object. In situations where you have deleted user objects and a deleted group object that contained some of the deleted user objects as members, restore the user objects first before restoring the group object. This will ensure that an accurate group membership is maintained after the group restore.

See Also

MS KB 216993 (Useful Shelf Life of a System-State Backup of Active Directory); “Rebooting Windows Server 2012-based Domain Controllers into Directory Services Restore Mode”; Chapter 16 for more on recovering and restoring Active Directory

Protecting a Group Against Accidental Deletion

Problem

You want to prevent a group object from being accidentally deleted by an administrator who selects the incorrect option in Active Directory Users and Computers.

Solution

Using a graphical user interface

  1. Open Active Directory Users and Computers. Click on View and confirm that Advanced Features is selected.

  2. Drill down to the current domain. To connect to a different domain, right-click on the top-level node and click “Change domain”; select the appropriate domain and then drill down to it.

  3. Right-click on the group that you want to modify and click Properties.

  4. Click on the Object tab.

  5. Place a checkmark next to “Protect object from accidental deletion.”

  6. Click OK.

Using a command-line interface (all versions)

dsacls "<GroupDN>" /d EVERYONE:SDDT

Using PowerShell (all versions)

Set-ADObject "<GroupDN>" -ProtectedFromAccidentalDeletion $True

If you have Exchange 2007 or later installed in your environment, you can also use the following Exchange cmdlet to modify this information:

Add-ADPermission -Identity <Group Name> -User <User or Group Name> -AccessRights Delete,DeleteTree -Deny $true

Discussion

By default, all new OUs that are created in Windows Server 2008 or later will have this protection enabled; however, no other object types are configured with this default protection. If you attempt to delete a group that is protected using this option, even when signed on as a Domain Admin or other similarly elevated account, you will receive an “Access Denied” message until you manually remove the checkbox or manually remove the deny ACE associated with it.

By using the command-line or PowerShell method, you can apply this protection to group objects in all versions of Windows Server, even though the GUI checkbox is available only in Windows Server 2008 or later.

Applying a Fine-Grained Password Policy to a Group Object

Problem

You want to apply a Fine-Grained Password Policy to a group object in a domain.

Solution

Using a graphical user interface

  1. Open Active Directory Administrative Center.

  2. In the top-left pane, click the tree view icon.

  3. Expand the System container.

  4. Scroll down and right-click Password Settings Container, expand the New menu, and then click Password Settings.

  5. Fill in the desired password settings in the top pane. Note that the fields with a red asterisk are required fields.

  6. In the Directly Applies To section, click the Add button to add a security group that will be the target of the FGPP.

  7. Click OK to create the FGPP.

Using a command-line interface

The following will add the Marketing group to the list of groups that a PSO will apply to:

psomgr -applyto cn=Marketing,cn=Users,dc=ADATUM,dc=COM -pso TestPSO -forreal

Using PowerShell

To add a group to the list of groups that a FGPP will apply to, use the following syntax:

Add-ADFineGrainedPasswordPolicySubject -Identity "<Name of FGPP>" -Subjects "<Security Group sAMAccountName>"

Discussion

Once a PasswordSettingsObject has been created, you can modify the password and account lockout settings controlled by the object, as well as the users and groups that the PSO should apply to. Since the PasswordSettingsObject is an Active Directory object class, these modifications can be made using any interface that can modify objects. When working from the command line, the psomgr tool allows you to modify one or multiple PSOs at a time, and can also create “starter” PSOs using the -quickstart command-line switch. The full syntax for psomgr.exe can be obtained by typing psomgr.exe /? at a command prompt or by visiting the joeware website.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.141.45.33