by Jonathan Blackwell
with Steve Clines
These materials are the copyright of John Wiley & Sons, Inc.
and any dissemination, distribution, or unauthorized use is strictly prohibited.
Active Directory® Group Management For Dummies®, Imanami Special Edition
Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2013 by John Wiley & Sons, Inc., Hoboken, New Jersey
Published by John Wiley & Sons, Inc., Hoboken, New Jersey
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise,
except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the
prior written permission of the Publisher. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ
07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, the Wiley logo, For Dummies, the Dummies Man logo, A Reference for the Rest
of Us!, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are
trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United
States and other countries, and may not be used without written permission. Active Directory is a
registered trademark of Microsoft Corporation. Imanami and the Imanami logo are trademarks of
Imanami Corporation. All other trademarks are the property of their respective owners. John Wiley
& Sons, Inc., is not associated with any product or vendor mentioned in this book.
For general information on our other products and services, or how to create a custom For Dummies
book for your business or organization, please contact our Business Development Department in the
U.S. at 877-409-4177, contact info@dummies.biz, or visit www.wiley.com/go/custompub. For
information about licensing the For Dummies brand for products or services,
contact BrandedRights&Licenses@Wiley.com.
ISBN 978-1-118-64504-8 (pbk); ISBN 978-1-118-64553-6 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
Table of Contents
Introduction 1
  About This Book 1
  How This Book Is Organized 1
  Icons Used in This Book 3
  Where to Go from Here 3
Publisher’s Acknowledgments
We’re proud of this book and of the people who worked on it. For details on how to create a custom For Dummies book for your business or organization, contact info@dummies.biz or visit www.wiley.com/go/custompub. For details on licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.
Some of the people who helped bring this book to market include the following:
Introduction
In any Active Directory environment, groups and their proper management are key to providing both security and productivity in your Windows-based IT environment. Your organization wants to provision users into Active Directory (AD) and keep that data accurate. As part of provisioning an Active Directory user, IT will want the user automatically added to the correct AD security groups and Microsoft Exchange Server distribution lists. Membership in the correct security groups gives users access to the appropriate group policies and systems. Membership in the right distribution lists gives them immediate access to information.
2 Active Directory Group Management For Dummies
Chapter 1: Introduction to Active Directory
In this chapter, you get the basics of Active Directory and the
components and terminology that surround it.
This icon points to some useful information that can save you
time or trouble when working with Active Directory groups.
Chapter 1
Introduction to Active Directory
In This Chapter
▶ Becoming familiar with Active Directory
▶ Understanding what Active Directory objects are
▶ Getting to know about the structural components of Active Directory
▶ Defining what Active Directory trusts are
Getting a Grip on Active Directory
Active Directory (AD) is a directory service created by Microsoft for use primarily in Windows environments. Its main purpose is to provide central authentication and authorization services for Windows-based computers. Active Directory also allows administrators to assign policies, deploy software, and apply critical updates to an organization.
Understanding Active Directory Objects
The data stored in Active Directory, such as information about users, contacts, printers, servers, databases, groups, computers, folders, and security policies, is organized into objects. Objects fall into three broad categories: resources (for example, printers), services (such as e-mail), and users (meaning user accounts, contacts, and groups). In addition to storing objects, AD also provides ways to organize and control access to these objects.
it doesn’t allow for objects to be grouped together based on
common traits, such as who should be able to administer that
object versus who can simply read it. In fact, the way the IT
organization is going to administer AD (the administrative
model) is the primary driver for how the structure of AD ends
up. So here’s a look at the options you have for structuring
AD. See Figure 1-1.
Domains
Active Directory domains are the primary containers within
Active Directory. Every instance of Active Directory must have
at least one domain within it. You can think of a domain as being
an administrative boundary, which means that each domain
has its own unique set of administrators. Domains are also
hosted on their own unique set of servers (known as domain
controllers). We talk more about containers in just a bit.
Trees
Trees are a hierarchical way to group domains that you create
by adding one or more child domains to an existing parent
Forests
A forest is a collection of one or more Active Directory trees,
organized as peers and connected by two-way, transitive trust
relationships. All domains in the Active Directory forest share
a common schema and configuration partitions, which form a
contiguous namespace. The first domain in the forest is called
the root domain. Forests also share a common quick-search
database known as the Global Catalog. The Global Catalog has
a copy of each object within every domain in the forest and is
optimized for quick searches.
Containers
Containers are objects that contain other objects. Every
domain comes with a default set of built-in containers that
exist in every Active Directory domain.
Organizational units
An organizational unit (OU) is similar to a container except that OUs are created by the administrator as opposed to containers that come with a domain by default. An OU is a container that is used to organize objects within a domain into logical administrative groupings.
OUs can contain other OUs. This is known as nesting OUs. When
designing Active Directory, Microsoft recommends as few
domains as possible in AD by using nested OUs to produce
structure and improve the implementation of policies and
administration. The OU is the common level at which to apply
group policies. Group policies are AD objects themselves
called Group Policy Objects (GPOs), although policies can also
be applied to domains or sites. The OU is the level at which
administrative powers are commonly delegated, but granular
delegation can be performed on individual objects or attributes
as well.
Defining Trusts
Trusts are the last major component of Active Directory.
Trusts define relationships between domains.
Transitive trusts
Transitivity determines whether a trust can be extended outside of the two domains with which it was formed. You can use a transitive trust to extend trust relationships with other domains.
Shortcut trust
A shortcut trust is a trust between two domains (typically child domains) in the same domain tree or forest, and is used to shorten the trust path in a large and complex domain tree or forest structure.
Forest trust
A transitive one-way or two-way trust is established between
two root domains that belong in two separate forests. You use
a forest trust to share resources between forests. If a forest
trust is a two-way trust, then authentication requests made in
either forest can reach the other forest, as well.
Non-transitive trusts
A non-transitive trust is restricted by the two domains in the
trust relationship and does not flow to any other domains in
the forest. A non-transitive trust can be either a one-way or a
two-way trust.
Chapter 2
Active Directory Groups and Security
Distribution groups
Distribution groups are designed to combine users together
so that you can send e-mails (via Microsoft Exchange Server)
collectively to a group rather than individually to each user
in the group. Distribution groups are designed to be used for
e-mail specifically and cannot be granted Windows permissions.
Security groups
Used with care, security groups provide an efficient way to
assign access to resources on your network. Using security
groups, you can
Understanding Active Directory Security
The Active Directory service plays several major roles in providing security. Among these roles is the efficient and effective management of user logon authentication and user authorization. In this section, we also take a look at other aspects of AD security, including access tokens and access control lists.
User authentication
Active Directory user authentication confirms the identity of any user trying to log on to a domain and lets users access resources (such as data, applications, or printers) located anywhere on the network. A key feature of AD’s user authentication is its single-sign-on capability, which makes multiple applications and services available to the user over the network without the user having to provide credentials more than once.
User authorization
Whereas user authentication is a process of identifying the
user, Active Directory user authorization is the process of
determining what that user can access as well as securing
resources from unauthorized access. After a user account has
received authentication, it can potentially access the object;
however, the type of access actually granted to the user is
determined by what rights are assigned to the user and which
access control permissions are attached to the objects the
user wishes to access.
Access tokens
Each time that a user logs on and successfully authenticates
to Active Directory, Windows creates an access token. This
token is used in the authorization process when the user
accesses a resource. The access token is a representation of
the user account and contains the following elements:
Chapter 3
Managing Active Directory Groups
In This Chapter
▶ Using the AD group management tools that Microsoft provides
▶ Managing groups using Imanami GroupID
▶ Providing a complete group life cycle management solution
Follow these steps to create a group with ADUC. Note: You
must be a member of the Account Operators group, the
Domain Admins group, or the Enterprise Admins group in
Active Directory.
Once the group is created, you can add and remove members
of the group. Members may be other AD objects such as
another group (nesting), computers, users, contacts, and so on.
The implication with ADAC is that you can do any AD administrative task, including group management, through the use of PowerShell. The real advantage of PowerShell is that you can script administrative tasks that you execute repetitively, which greatly eases the work of an AD administrator. Unfortunately, PowerShell is such a huge topic that we don’t have the space to cover it in this small book.
GroupID Self-Service is a web-based portal that gives an intuitive front end to Active Directory. Providing this tool through a web interface eliminates the need to distribute the tool to the user’s computer. Through this web portal, users and administrators can update user attributes and create distribution lists and security groups based on permissions and workflow designed by IT. GroupID Self-Service also improves on Active Directory in that it allows for multiple owners of groups, workflow on any attribute changes, security settings on view/edit with field-level security, customizable branding, and differing security settings on groups.
Chapter 4
Dynamic Groups
In This Chapter
▶ Finding out about dynamic group membership
▶ Using Smart Groups
▶ Managing Hierarchical groups using Dynasties
Understanding Dynamic Group Membership
Active Directory groups are as dynamic as their members: they need to change as users switch responsibilities, roles, and locations. The problem is that distribution lists and security groups are often manually maintained by the Exchange or Active Directory administrator. Because this is a manual process, keeping up with the number of changes to group memberships is prone to human error and in most cases the changes don’t get adequately documented.
PowerShell scripting
Scripting from within PowerShell is a powerful means to achieve group membership control based on roles established in AD user attributes. Expert knowledge of PowerShell and the related AD commands is required to accomplish this task. This process does become tedious if the number of groups becomes substantial and the sophistication and complexity of the group membership is wide. An understanding of LDAP query language is also required to make the best use of this form of scripting.
scripts, this may be a good option for you. This type of solution is typically used in the smallest of companies, as the number of scripts required becomes too numerous for more than a few hundred employees. Most companies will turn to purpose-built tools in order to offload the manual task of script writing and management and achieve the quickest ROI for the effort involved in accomplishing intelligent group membership.
$groupName = $args[0]
# Build "dc=child,dc=example,dc=com" from the current domain's DNS name.
$domainName = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
$domainName = $domainName -replace "\.", ",dc="
$ou = [ADSI] "LDAP://cn=Users,dc=$domainName"
$group = $ou.Create("group", "cn=$groupName")
$group.Put("SamAccountName", $groupName)
# -2147483640 = 0x80000008: a universal, security-enabled group.
$group.Put("groupType", -2147483640)
$group.SetInfo()
$groupName = $args[0]
$username = $args[1]
# Get-Group and Get-User are Exchange Management Shell cmdlets.
$group = Get-Group $groupName
$user = Get-User $username
$userdn = $user.distinguishedName
# Existing members matching the user (computed, but not used further below).
$newgroupmembers = $group.members | Where-Object { $_.name -eq "$username" }
$groupdn = $group.distinguishedName
$fqgroup = [adsi] "LDAP://$groupdn"
$fqgroup.Member.Add($userdn)
$fqgroup.SetInfo()
# The userAccountControl clause is an LDAP bitwise match (OID 1.2.840.113556.1.4.803),
# the kind of operator the QBDL caveat below warns against. Note also that -and binds
# tighter than -or, so the final employeeType clause matches on its own, regardless of
# the conditions above it.
New-DynamicDistributionGroup -Name "California Engineering" -RecipientFilter {
    (RecipientType -eq 'UserMailbox') -and
    (Title -like 'Director*' -or Title -like 'Manager*') -and
    (StateOrProvince -eq 'CA') -and
    (manager -like 'CN=Amy Henderson,OU=Operations,OU=Democorp,DC=gidemo,DC=local') -and
    (userAccountControl:1.2.840.113556.1.4.803: -eq '65536') -or
    (employeeType -like 'INTERN' -or employeeType -like 'EMPLOYEE')
}
When using a QBDL, you have to be careful because you can get into trouble with it. Unlike static address lists, the query-based DL is resolved each time it is used with an actual LDAP query against Active Directory; specifically, it requires access to a Global Catalog server. This means that the query needs to be efficient. Used enough, a poorly designed query for the DL could severely impact Exchange and Active Directory performance. You will want to use indexed attributes and avoid bitwise operators, the NOT operator, and medial search strings (wildcards in the middle of a value).
As an alternative to a QBDL, one that keeps the benefit of unlimited query complexity while still letting the membership be enumerated like a static group, consider instead the best practice of using a Smart Group (see the following section, “Using Smart Groups”).
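The reconciliation that the PowerShell scripting approach and the QBDL caveat both point at, written out as an added example with the ActiveDirectory PowerShell module (not code from the book or from Imanami; the group name, log path and the attributes in the filter are placeholders):

```powershell
# Added example: keep a security group's membership equal to an LDAP query result,
# the "Smart Group" idea done by hand. Every change is logged, which addresses the
# undocumented-changes problem described above. Assumes the RSAT ActiveDirectory
# module; "Sales-West-Staff", the filter attributes and the log path are placeholders.
# Following the QBDL advice, the filter uses equality matches only (no bitwise, NOT
# or medial wildcard terms). Confirm the attributes you use are indexed in your schema.
Import-Module ActiveDirectory

function Sync-GroupFromLdap {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $LdapFilter,
        [string] $LogPath = "$env:TEMP\group-sync.log"
    )

    # Desired members: what the query returns, minus disabled accounts (filtered
    # client-side so the LDAP query itself stays free of bitwise operators).
    $desired = @(Get-ADUser -LDAPFilter $LdapFilter |
        Where-Object { $_.Enabled } |
        ForEach-Object { $_.DistinguishedName })

    # Current direct user members; nested groups are deliberately left untouched.
    $current = @(Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.distinguishedName })

    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    foreach ($dn in $toAdd) {
        if ($PSCmdlet.ShouldProcess($GroupName, "Add $dn")) {
            Add-ADGroupMember -Identity $GroupName -Members $dn
            "$(Get-Date -Format o) ADD    $GroupName <- $dn" | Add-Content -Path $LogPath
        }
    }
    foreach ($dn in $toRemove) {
        if ($PSCmdlet.ShouldProcess($GroupName, "Remove $dn")) {
            Remove-ADGroupMember -Identity $GroupName -Members $dn -Confirm:$false
            "$(Get-Date -Format o) REMOVE $GroupName -> $dn" | Add-Content -Path $LogPath
        }
    }

    # Return the change set so a scheduled task or report can act on it.
    [pscustomobject]@{ Group = $GroupName; Added = $toAdd; Removed = $toRemove }
}

# Dry run first (-WhatIf prints the adds/removes without applying them), then run
# again without -WhatIf. Placeholder filter: everyone in Sales located in Seattle.
Sync-GroupFromLdap -GroupName 'Sales-West-Staff' `
    -LdapFilter '(&(objectCategory=person)(objectClass=user)(department=Sales)(l=Seattle))' `
    -WhatIf
```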
Managing Hierarchical Groups with Dynasties
Smart Groups are a great way of managing the membership of an individual group in a dynamic fashion. But what if you wanted to create a series of separate groups whose memberships are defined on some common criteria (for example, manager, department, location, and so on) and that criteria has some sort of hierarchy related to it? That is where dynasties come in handy.
Imanami’s GroupID Automate does this through the concept of Dynasties. A Dynasty is based on the nesting or grouping of groups dependent on the hierarchical nature of your business. This could be a top-down look from a departmental point of view, managerial point of view, physical location point of view, or any other method of hierarchy that makes sense to you. It is certainly an excellent way to resolve the accidental hijacking of a security group or distribution list. Membership of a group is based on rules you set forth. The nesting of one group within another is further defined by the hierarchical grouping as defined by business need. As your organization changes, your nested groups and their membership dynamically change to match.
Figure 4-3: Step 1. Defining the Dynasty name, container, and type of group.
Figure 4-5: Step 3. Selecting the attributes to build the hierarchy on.
Chapter 5
Ten Group Management Best Practices
Create Dynamic AD Security Groups
Create dynamic AD security groups whenever possible. Any
group membership that you can define by a query against
either Active Directory or any other data source should be a
dynamic group. This eliminates the business user’s complaint
that a group isn’t up-to-date.
Empower End-Users
Empower end-users to manage their own groups through an
Active Directory self-service tool like Imanami’s GroupID.
Seriously, who knows who should have access to the group
more than the business owner who requested it?
Join AD Groups
Allow end-users to request membership in AD groups (which
is another feature of Imanami’s GroupID tool). Note: This isn’t
easy to do on your own without GroupID because you have to
have the correct workflows in place or things can get out of
control.
Include Restrictions
Restrict nested groups when offering self-service creation of
groups. Want to get your permissions into a big mess? Allow
nested groups without some sort of IT oversight.
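One way to give nested groups the IT oversight called for here, as an added example using the ActiveDirectory PowerShell module (not from the book or from Imanami; the group name is a placeholder):

```powershell
# Added example: report every group nested under a given security group, with its
# nesting depth, and flag circular nesting (a group that ends up containing itself).
# Run it against self-service-created groups to spot nesting that slipped past review.
# Assumes the RSAT ActiveDirectory module; "Finance-Share-RW" is a placeholder.
Import-Module ActiveDirectory

function Get-NestedGroupReport {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [int] $MaxDepth = 5   # stop descending past this depth; deep trees are a finding too
    )
    $report  = New-Object System.Collections.Generic.List[object]
    $visited = @{}   # groups already expanded, so shared sub-groups are walked once

    function Walk([string] $Dn, [int] $Depth, [string[]] $Path) {
        if ($Depth -gt $MaxDepth) { return }
        # Direct members that are themselves groups.
        $children = Get-ADGroupMember -Identity $Dn |
            Where-Object { $_.objectClass -eq 'group' }
        foreach ($child in $children) {
            $cdn   = $child.distinguishedName
            $cycle = $Path -contains $cdn   # already on the path from the root: a loop
            $report.Add([pscustomobject]@{
                Depth = $Depth; Circular = $cycle; Nested = $cdn; Parent = $Dn
            })
            if (-not $cycle -and -not $visited.ContainsKey($cdn)) {
                $visited[$cdn] = $true
                Walk $cdn ($Depth + 1) ($Path + $cdn)
            }
        }
    }

    $root = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $visited[$root] = $true
    Walk $root 1 @($root)
    $report
}

Get-NestedGroupReport -GroupName 'Finance-Share-RW' |
    Sort-Object Depth | Format-Table Depth, Circular, Nested, Parent -AutoSize
```

Any row with Circular set, or a Depth near the limit, is the kind of nesting that should have gone through IT review before it reached a permissioned group.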
Ensure Accuracy
Ensure accuracy of your Active Directory Users and Contact
attributes by synchronizing important information from a
source you trust, such as an HR database.