Microsoft Azure AZ-800 — Section 5: Create and manage AD DS security principals Part 2

39. Visualizing groups in AD DS

Now, when it comes to managing your users as far as security and rights are concerned, one of the most important fundamentals we need to understand is the concept of groups. Groups are not a new concept; they have been in the Microsoft environment since the early days of centralized networking services, and AD DS, which came out in the year 2000, has pretty much always had groups, with different types of groups as well as what are called different scopes of groups. So I want to give you an understanding of what all that entails.

So just to begin here: when you look at groups, when you create groups, you have what is called a group type and you have what is called a group scope.

OK, so you have group type and you have group scope. For group types, you have what is known as a distribution group and you have what is known as a security group.

The thing you want to remember about a distribution group is that it is purely for e-mail purposes. It is essentially just an e-mail list. If you have Microsoft Exchange and you create a group with Microsoft Exchange, it will be a distribution group, and essentially what ends up happening is that the distribution group gets an e-mail address.

So, for example, if I had a group called Sales, it would have an address like sales@ followed by your domain name, and if somebody e-mailed that group, the e-mail would go to everybody in the group. The problem with distribution groups is that you can't give them permissions to anything. They can purely be used for e-mail, so you're not really going to use distribution groups a whole lot; most people don't, because people use security groups. Security groups can be used for permissions and for e-mail. A lot of people don't realize that, but security groups can basically do both.

OK, they can be given rights to both: you can associate permissions with them as well as associate an e-mail address with them.

So as far as group type goes, that's pretty straightforward. Things can get a little crazy, though, when you start trying to understand something called group scope.

So let's talk about group scope.

Now there are three group scopes. We have something called a global group, we have something called a domain local group, and then we have something called a universal group.

OK. So let's spend a little bit of time on global groups and domain local groups. The rule of thumb here is that you're usually going to want to group your users together inside of a domain using what is called a global group. Global groups are used for grouping your users together.

Probably the most common way you're going to group them is based on departments, though you can base it on other things. You can base it on management level, you could base it on a security clearance; you can base it on a lot of things. But department, I would say, is probably one of the most common ways of doing it.

So just to visualize this a little bit, we've got a global group here. I might have a global group called, let's say, New York Sales, because that's another thing people will do: if they've got a sales department in their different offices, maybe one in New York, one in Dallas, one in Birmingham, one in each of the different sites, you might name the group based on the location of that group.

OK. And so then I might have Dallas Sales, and then I might have Birm Sales, which is short for Birmingham, just so I don't take up a lot of space with that.

So then you might have three global groups with your different users in each of those containers.

So, for example, let's just draw the symbol for a user, my usual little smiley-face person with the goofy-looking smile. And to indicate that there are multiple users, we'll draw several of them right here.

OK. And here's part of the logic.

You're going to put your user objects inside those containers to group them together for permissions. This is not to be confused with OUs, because OUs are used simply to visually separate things. We know that an object can only be inside of a single OU, whereas with groups, users can actually be in multiple groups at a time. The other thing that's different between an OU and a group is that if you put users in an OU, an organizational unit, and you delete the OU, the users are gone, because it's a real container. Groups are not really a container; you are really linking things to a group. You can put users in a group, you can delete the group, and it does not delete the users that are inside the group. That's the thing to remember.


So this is the common way that people do it: they'll create global groups, and they'll put their users in global groups.

Now the other thing about global groups is that they can only contain users from the domain where they're created, but they can be given rights in other domains. For example, here we've got a little triangle symbol that's going to represent a domain, and then from here maybe you've got a child domain or something like that.

OK. We'll just call these Domain A and Domain B to give them something quick, and if I want, I can take this global group that was created in Domain A, and because of the trust relationship, believe it or not, not only can I give rights to this global group in Domain A, but the global group can be given rights to stuff over in Domain B as well.

OK. The little saying I always like to tell students is that global groups can travel the globe. Though they can only contain user accounts from the domain where they are created, they can be given rights in other domains as well.

OK, now I also want to let you in on another little secret that Microsoft likes people to be aware of, and that is: you want to minimize the number of objects that are given permissions on an access control list.

So here's what I mean by that. Servers like this one right here have something called an ACL, an access control list. An access control list is a permissions list, where you're going to give permissions out to some kind of a resource. And there is something that can sometimes become a bit of a headache as far as Active Directory goes, and that's known as SID lookups.

So what is a SID? A SID, a security identifier, is an identifier that every object gets in Active Directory. It's a number that every object gets inside of Active Directory, and it identifies each object: user accounts, groups, anything that can be given permission to something gets a SID within the domain. There's also a thing called a relative ID (RID), but I'm not getting into all that right now. Ultimately, everything gets a SID number.

Now, these access control lists have permissions that are given to these objects based on their SID. And the more objects you have on any ACL, the more SID lookups have to happen. That means that when somebody goes to a server and you're dealing with permissions, the server has to do what's called a SID lookup to find out what permissions are supposed to be given to a certain user. So we want to minimize the entries that are on an access control list.

OK, so one of the things that Microsoft recommends is that you consider how many entries are located on an access control list.


So, for example, if I have three different global groups, I could assign the permissions to these three groups directly. Then I've got three entries on the access control list, which isn't really a big deal.

OK, but Microsoft will tell you that you can actually do this a better way. You can minimize how many entries are on that access control list by doing something else: you can create what's called a domain local group. Let's go right here and we'll put DL for domain local group, and then what I can do is give permissions out to this domain local group.

So, for example, let's say the permission I'm going to give is Modify. And now, if New York, Dallas and Birmingham all need Modify permission, I can link those global groups to that domain local group, and now all three of them have been given permission. Here's the other interesting thing: if you needed separate permissions, I could create another domain local group, and instead of giving it Modify, you could give it, let's say, Read and Execute permission, which means they can just read data, they can't change any data. So, instead of Modify, you're going to give Read and Execute permission this time.

It's a little less powerful. Maybe we want New York to have Modify, we want Dallas to have Modify, but we just want Birmingham Sales to have Read and Execute. And of course, we're looking at this on a small scale. You could imagine if you had 20 or 30 groups that needed different rights to whatever this resource was on the server.

Now that you've got these two domain local groups, you've narrowed it down to just two groups on that access control list. Your domain controllers and your servers, when they're making access decisions, are not doing as many SID lookups; they're only looking up two SIDs, which are the two domain local groups. And you could name those groups whatever you wanted; you could literally name them by the permission, or by the permission on whatever the resource is. If the resource was a sales database, I could call them Modify-DB and Read-DB; you can name them based on permissions.

So Microsoft has a name for this strategy; they'll call it the AGDLP strategy.

OK, AGDLP: Accounts go into Global groups, Global groups go into Domain Local groups, and Domain Local groups get Permissions to resources.

OK. AGDLP. Very common strategy. If you're dealing with resources in a single domain, or maybe two domains, that's fine and dandy, and this is the common strategy that's used. Now, I will tell you, when you start working on a larger scale, that's when the third group scope comes into play, which is universal groups. And when you think about universal groups, you generally want to look at this from the perspective of multiple domains.
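As an added example, not part of the course, here is a PowerShell check that measures what the lecture has been describing: how many explicit entries sit on a resource's ACL, which SID each one resolves to (each is one SID lookup the server has to do), and whether the entries follow the AGDLP shape, that is, a domain local group on the ACL with global groups inside it rather than user accounts nested directly. It assumes the ActiveDirectory module is installed, that it runs on a domain-joined server that can reach a domain controller, and that the folder path is the resource; the path and every name below are assumptions made for this example.

```powershell
# Added example (not from the course): audit a resource's ACL and group nesting
# against the AGDLP rules. The folder path is an assumption.
Import-Module ActiveDirectory

$ResourcePath = 'D:\Shares\SalesDB'   # assumed: the folder carrying the ACL

# 1. List the explicit ACL entries and resolve each one to its SID.
#    Inherited entries are skipped: we only care about what was set on this resource.
function Get-AclEntryReport {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{
            Identity = $ace.IdentityReference.Value
            SID      = $sid.Value
            Rights   = $ace.FileSystemRights
            Type     = $ace.AccessControlType
        }
    }
}

$entries = @(Get-AclEntryReport -Path $ResourcePath)
"{0} explicit ACL entries on {1}" -f $entries.Count, $ResourcePath
$entries | Format-Table -AutoSize

# 2. For each entry: is it a domain local group (the 'DL' of AGDLP), and does that
#    group hold only groups (the 'G') rather than user accounts placed directly in it?
foreach ($e in $entries) {
    $group = $null
    try { $group = Get-ADGroup -Identity $e.SID -ErrorAction Stop } catch { }
    if (-not $group) {
        "WARN: '$($e.Identity)' is not a domain group (a user or a well-known principal sits on the ACL)"
        continue
    }
    if ($group.GroupScope -ne 'DomainLocal') {
        "WARN: '$($group.Name)' is a $($group.GroupScope) group; AGDLP expects a domain local group on the ACL"
    }
    foreach ($m in Get-ADGroupMember -Identity $group) {
        if ($m.objectClass -ne 'group') {
            "WARN: $($m.objectClass) '$($m.SamAccountName)' is nested directly in '$($group.Name)'; put accounts in a global group instead"
        }
    }
}
```

Run it against a folder whose ACL you just edited: the count on the first line is the number of SID lookups the server performs for that resource, and each WARN line points at an entry or a nesting that departs from the AGDLP pattern.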

So let's go over here and look at something on a larger scale.

Here we've got one domain, and we're just going to copy this a few times over to make a bigger forest environment.

We'll draw some little trust relationships that connect everything together, like so, and then we'll label everything real quick.

We'll call these Domain A, B, C, D and E. OK. Now imagine if you had to look at things on a larger scale, from the perspective of having these different groups of, let's say, salespeople; we'll just stick with the sales department for now. You've already broken your sales up into New York Sales, Dallas Sales and Birmingham Sales. But what if you had salespeople in every domain? So let's say that you had a global group for every domain: you have a Sales A, you have a Sales B, you have a Sales C. We're going to look at this on a large scale now; that's the thing I need you to get into your head.

So Sales C, Sales D, and then Sales E. You've got a global group for each one of these, in each respective domain, whatever domain it's associated with.

So let's put a G for global. There's one of these in every single domain that has just the salespeople for that particular domain in it.

OK, so imagine we just map it: there it is in each consecutive domain, and I'm also representing it on the right side of the screen for visual purposes. And then let's say that you have a server. The server has some kind of a resource on it with an access control list; this is going to represent our server.

OK. You've got one in, we'll say, C, you've got one in B, and you've got one in E.

Now these are servers that every salesperson in the entire company needs access to.


OK, so you could do the same thing we talked about a moment ago. You could create a domain local group for each individual server that has the rights that are required.

OK: Modify or Read or whatever it is.

So you can still follow AGDLP if you want. Keep in mind that domain local groups cannot travel like global groups can. I always like to use the analogy that they're cemented to the ground of a domain. Global groups can travel; they can be connected to other things in other domains. Domain local groups cannot travel. Domain local groups can contain links to objects in other domains, but they themselves cannot travel.

So what I could do, if I wanted, is put each global group for Sales A through E in these domain local groups and grant them permission. But here's where universal groups really shine.

OK? You can create a universal group, a single universal group, and we'll put a U in there to indicate that. You can link each of these global groups inside the universal group, and the benefit is that you now have a single group that represents all the salespeople in the entire company. And a universal group replicates to every domain.

So what happens is you will have a copy of this group, a replica, in every domain in your forest, and if you make changes to it, it replicates to every domain in your forest.

So every domain is going to have a copy of this universal group as soon as it's created; it shows up in every domain. And then from there, what you're basically going to do is, like what I'm showing you over here, link each global group into the universal group. The admins of each domain would do this: the Domain A admin would do it for Domain A, the Domain B admin would do it for Domain B, and so on.

Now we have one group that represents every salesperson in the entire company. And so from there, I could just link the universal group to the domain local groups, and I've now granted every salesperson in the entire company access to the resources that are on these servers.

OK, and given them full access. Now, universal groups are not something that everybody in the world is going to use, but there are some benefits to them. Keep in mind that when you put objects in universal groups, it does generate some more replication traffic.

So if bandwidth is a problem, it is something to think about. But ultimately, the purpose of the universal group is to allow you to centralize a bunch of global groups that share a common need.

OK. You're centralizing a bunch of these groups into that container because they share a common need. All right. That should now give you an understanding of group types and group scopes, and now you're ready to jump in and start creating groups.
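The multi-domain picture above, as an added PowerShell example that is not part of the course: one universal group is created in the forest root, each domain's global sales group is nested into it, the universal group is then linked into a resource domain's domain local group, and finally the membership is read back through another domain's global catalog to confirm the replica has arrived. The domain names, the global group names, the domain local group name and the OU path are all assumptions made for this example; the ActiveDirectory module and trusts between the domains are assumed to be in place.

```powershell
# Added example (not from the course): AGUDLP across a forest. All names are assumptions.
Import-Module ActiveDirectory

$forestRoot  = 'corp.example.com'                # assumed forest root domain
$salesGroups = @{                                 # assumed: one global sales group per domain
    'corp.example.com'   = 'Sales-A'
    'b.corp.example.com' = 'Sales-B'
    'c.corp.example.com' = 'Sales-C'
}

# The universal group is created in one domain; its membership is replicated to every
# global catalog in the forest, which is why it can represent the whole company.
$universal = New-ADGroup -Name 'All-Company-Sales' -SamAccountName 'All-Company-Sales' `
    -GroupScope Universal -GroupCategory Security `
    -Path 'CN=Users,DC=corp,DC=example,DC=com' -Server $forestRoot -PassThru

# Nest each domain's global group. A universal group accepts members from any domain
# in the forest (a global group would refuse them), so look each one up in its own domain.
foreach ($domain in $salesGroups.Keys) {
    $global = Get-ADGroup -Identity $salesGroups[$domain] -Server $domain
    Add-ADGroupMember -Identity $universal -Members $global -Server $forestRoot
}

# Link the universal group into the resource domain's domain local group. The domain
# local group stays "cemented" in domain B; only the universal group travels.
Add-ADGroupMember -Identity 'Modify-SalesDB' -Members $universal -Server 'b.corp.example.com'

# Replication check: read the member list through a global catalog (port 3268) of a
# different domain. Right after creation the list can lag until replication completes.
$gc = (Get-ADDomainController -Discover -DomainName 'b.corp.example.com' -Service GlobalCatalog).HostName |
    Select-Object -First 1
$replica = Get-ADGroup -Identity $universal.DistinguishedName -Properties member -Server "${gc}:3268"
"Members of $($replica.Name) as seen from global catalog ${gc}:"
$replica.member
```

The -Server parameter is what makes the cross-domain part work: the universal group and its membership changes are written in the root domain, each global group is resolved against its own domain, and the domain local group is edited in the resource domain. The final query goes to port 3268 on purpose, because that is the replica every domain sees; if a freshly added member is missing there, you are looking at replication latency, not a nesting mistake.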

40. Create and manage groups in multi-domain forest scenarios

Let's take a look now at the process of creating and managing groups in Active Directory Domain Services. We're going to start out here on NYC-DC1. I'm going to click Start and go to Server Manager, then we're going to go to Tools and Active Directory Users and Computers.

OK, so once that loads up, we'll be able to go inside our different organizational units and create our groups if we want, or we could create groups under the Users folder and all that as well.

Now, before I jump too deep into creating groups, I'd also like to point out some of the defaults that we've got in Active Directory.

So you're going to notice that we have, again, a folder called Users, and we've got some default groups that are already here. If you go right here and expand out the Description column, you can look at the description of each one of these groups, and I encourage you to do that: take a moment and just read through the description of each of these different groups.

OK. Ultimately, some of the ones that I want to point out to you: we have a group called Enterprise Admins.

Now Enterprise Admins is the most powerful group in Active Directory. If you're part of the Enterprise Admins group, you can pretty much do anything you want in the entire forest.

So not just your domain; you have admin rights over all the domains that are part of the same forest.

OK. And so that's a very, very powerful group, the most powerful group in Active Directory.

Now, another thing I want to point out is we have a group called Domain Admins. The Domain Admins group is going to give somebody rights just over this domain; if you put somebody in that group, they're going to have rights just over this domain.

So, if you're trying to make an IT person an admin over just this one domain, that's the way you're going to go about doing it. You've also got some other admin groups, for example DnsAdmins, which is going to give people rights over just DNS.

OK. You've got Enterprise Key Admins, which involves access to certain key objects in the Active Directory forest. You'll notice this is a universal group, whereas most of these other groups are global groups, although I will say there's another universal group, called Schema Admins. The Schema Admins group gives somebody the ability to make changes to the schema of Active Directory, which of course is one of the partitions that replicates across the forest. I will point out that if you go into the Schema Admins group, double-click it and click Members, you can see that only the built-in Administrator is a schema admin, so that's something that's very important. Even if you go in and make somebody an enterprise admin, by going in here to Members and adding somebody to Enterprise Admins, that does not make them a schema admin. Although I will say that if you put somebody in the Enterprise Admins group, they also have the rights to grant themselves Schema Admins membership as well.

So again, the Enterprise Admins group is still the most powerful group in the forest, but to be able to make changes to the schema, you have to be a member of the Schema Admins group.


So it's kind of important. But you've also got a folder over here called Builtin.

So the Builtin folder is where your domain local groups are.

OK, the ones that are local to each server. And so this is generally where these domain local groups go; it's not where domain local groups have to go, you can put them anywhere you want, it's just the default location. You can go through and read what some of these permissions are like: Backup Operators can back up and restore data, for example, and you have Administrators, who are going to have admin rights just over the domain server that you do this on, if you put somebody in that.

So these are local to your domain, and local to the server where these are created.

OK. But again, you can create these anywhere you want.

So let's go ahead and go through the process of doing some of this. I'm going to go right here; I've got the Sales OU. I'm going to create the group under the Users OU here. We're just going to right-click, we're going to say New, and we're going to create a Group.

So here are your different scopes and types. You're going to do Security; that's going to be your type, and the scope will be Global. And I'm actually going to do this a little differently now that we have a bunch of domains to work with.

So I'm going to create different sales groups.

You may know that a lot of businesses have what's called inside sales, they have what's called outside sales, and they've also got what's called sales support. So in some cases you've got sub-departments of the sales department.

So I'm going to create three different sales groups. I'm going to call this one Inside Sales, and it's going to be a global group. I'm going to create another one called Outside Sales.

OK, and then we're going to create one called Sales Support. If you had a very large sales department, you would probably have all three of these. And so, very easily, I've just created the three different sales groups.

Now if I go into File Explorer on my server here, I'm just going to create a folder called Sales Database; maybe this is where the users are going to get access to their sales database. We're going to right-click that folder, go to Properties, click on the Security tab, and from there we can grant permissions.

So, I could click Edit and then click Add, and we could add a specific group like, we'll say, Inside Sales. At that point we could give direct access if we wanted, but that's where we get into that problem: you start adding a lot of groups, you start adding entries to this, which involves security identifiers, SIDs.

So we don't want to do that. We don't want to add lots of entries to that.

So another option would be to just create a domain local group that's going to be given privileges to this.

OK, so in this case I might create a domain local group. Let's go here: New, Group, Domain Local, and we'll call it Modify Sales DB. And then what we'll do is link our different groups into that.

So first, I tell you what, let's put Lee Jones into the Outside Sales group. Let's do that.

So we'll double-click on Lee Jones, go to Member Of, and then add Outside Sales. There it is.

So Lee Jones is in Outside Sales; that's how you put a user into a group.

Now I put the user into the group by going to the user, like I did, and clicking Member Of. Another option would have been to go to the group and click the Members tab, and you can add it that way as well.

So there are a couple of ways you can do that.

So now what I want to do is add Outside Sales into the Modify Sales DB group.

So I'm going to double-click on that, go to Members, click Add, and add Outside Sales. And there you go.

Now let's go ahead and add the other two groups as well.

So I'm going to click Add, and we'll do Inside Sales as well, and we'll do Sales Support. Just like that.

So we've added all three groups. Now what we'll do is go to File Explorer, right-click the Sales DB folder, go to Security, click Edit, Add, and then we can add the Modify group, click Check Names, there it is, and we would give it Modify.

So now I've only added one extra entry to the ACL instead of three. And again, you have to think on a large scale: if you were dealing with 20 or 30 groups, whatever, you could condense that down to a single group.

Now again, if we're dealing with lots of domains in the forest, then we could use a universal group. So I could create a universal group by right-clicking, New, Group, and we'll call it All Company Sales.

So this is the entire company, and we'll make it Universal. At that point we could add the members: we'd add the three groups, Inside Sales, Outside Sales and Sales Support, and then, if we had a bunch of other domains, we'd add the groups from the other domains as well. And then, if every employee in the entire domain needed access to this right here, the sales database, I could add the universal group to it.

So, instead of adding those three groups like that, I could take those out. And again, you have to think on a large scale here; this would be on a larger scale.

So we'll say All Company Sales. And there you go.

So still, I've only got one entry on that access control list. I'm not really getting into permissions here a whole lot; this is not my permissions lecture, but I will say that if this folder is going to be available across the network, you would also need to enable sharing, and you've got permissions on sharing as well. Again, I'm not turning this into a permissions lecture, it's not really where I'm going with this, but I can go here and do the same thing: remove Everyone and add the group, except that in sharing permissions we call it Change instead of Modify, but Modify and Change are essentially the same thing.

So click OK, click OK, click OK, and at that point these users would have Modify access over the sales database. One last thing I'd like to mention is that there are what are called special groups. If you go to an access control list, in fact you have to go to an access control list to really see these groups, you won't see these groups over here in Active Directory Users and Computers.
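The whole walk-through above, from creating the three global groups to sharing the folder, as an added PowerShell example (this is my code, not the course's, and it uses the ActiveDirectory and SmbShare modules in place of the GUI). The OU path, the folder path, the NetBIOS domain name CORP, the share name and Lee Jones's account name ljones are assumptions made for the example.

```powershell
# Added example (not from the course): the AGDLP walk-through done in PowerShell.
# The OU, folder, domain name, share name and user account are assumptions.
Import-Module ActiveDirectory

$ou     = 'OU=Sales,DC=corp,DC=example,DC=com'   # assumed: the Sales OU
$folder = 'D:\Shares\SalesDB'                     # assumed: the sales database folder
$user   = 'ljones'                                # assumed sAMAccountName for Lee Jones

# 1. Three global security groups that will hold the accounts (the 'A' and 'G' of AGDLP)
foreach ($name in 'Inside Sales', 'Outside Sales', 'Sales Support') {
    New-ADGroup -Name $name -SamAccountName ($name -replace ' ', '') -GroupScope Global `
        -GroupCategory Security -Path $ou -Description "Global group: $name"
}

# 2. One domain local security group that will carry the permission (the 'DL')
New-ADGroup -Name 'Modify-SalesDB' -SamAccountName 'Modify-SalesDB' -GroupScope DomainLocal `
    -GroupCategory Security -Path $ou -Description 'Modify access to the sales database folder'

# 3. User into a global group (Member Of), then the global groups into the domain local group (Members)
Add-ADGroupMember -Identity 'OutsideSales'   -Members $user
Add-ADGroupMember -Identity 'Modify-SalesDB' -Members 'InsideSales', 'OutsideSales', 'SalesSupport'

# 4. Grant Modify on the folder to the domain local group only: one ACL entry instead of three (the 'P')
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$acl  = Get-Acl -Path $folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'CORP\Modify-SalesDB',
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 5. Share the folder. Share permissions call it Change rather than Modify; giving it to the
#    same group keeps the effective access governed by a single group.
New-SmbShare -Name 'SalesDB' -Path $folder -ChangeAccess 'CORP\Modify-SalesDB'

# Check: Lee Jones reaches the folder through nesting only, never as a direct ACL entry
Get-ADPrincipalGroupMembership -Identity $user | Select-Object Name, GroupScope
(Get-Acl -Path $folder).Access | Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The two commands at the end are the ones worth keeping as a habit: the first shows the user's path into the resource (Outside Sales, a global group), the second shows that the only explicit entry on the folder is the domain local group, which is exactly the single ACL entry the lecture is aiming for.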

So let's right-click the Sales DB folder, go to Properties, click Security, then Edit, and then click Add, then Advanced, and Find Now. You will see that there are some groups in this list that don't show up anywhere in Active Directory Users and Computers.

OK, for example, you have a group called Authenticated Users. Authenticated Users represents all users that are authenticated in the domain, and you don't put people in the group; you are just part of the group if you're an authenticated user. If you're an anonymous user trying to access something, you're not part of that group. Another good example of this: we have a group called Interactive. The Interactive group involves people who are logged on locally to this machine.

So if you're trying to grant access to just the people that are logged on locally to this machine, you would use the Interactive group. If you're trying to grant access to everybody coming across the network, there's a group called Network.

So if I denied the Network group permission but allowed the Interactive group permission, then I'm allowing people who are logging on locally to access something and denying people across the network from accessing it. If you do the opposite, where you allow the Network group and deny Interactive, you're basically saying I'm going to allow people that connect across the network to gain access to something, but deny somebody the ability if they're logging on locally.

OK, you've also got a group called Everyone. Everyone is everyone, whether you're authenticated or anonymous, so if you grant access to Everyone, you can basically give even anonymous people access to stuff. You don't usually want to do that, but you could. The Authenticated Users group is the generally accepted one; that's people who have actually authenticated to the domain through Kerberos and all that. Those are known as special groups, and you don't really modify membership of them; you're just part of the group depending on the way you go about accessing something.
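The special groups just described are backed by fixed, well-known SIDs rather than by objects you can open in Active Directory Users and Computers, which is why they only appear in the ACL editor. As an added PowerShell example that is not part of the course, the block below first reports which of these groups the current logon session carries in its token, then writes the "allow Interactive, deny Network" rule from the lecture onto a folder. The folder path is an assumption made for the example.

```powershell
# Added example (not from the course): special groups are well-known SIDs in the token,
# not objects you add members to. The folder path is an assumption.
$folder = 'D:\Local\ScratchArea'   # assumed: a folder meant for local (console) logons only

$special = [ordered]@{
    'Everyone'            = [System.Security.Principal.WellKnownSidType]::WorldSid              # S-1-1-0
    'Authenticated Users' = [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid  # S-1-5-11
    'INTERACTIVE'         = [System.Security.Principal.WellKnownSidType]::InteractiveSid        # S-1-5-4
    'NETWORK'             = [System.Security.Principal.WellKnownSidType]::NetworkSid            # S-1-5-2
}
function Get-WellKnownSid([System.Security.Principal.WellKnownSidType]$Type) {
    [System.Security.Principal.SecurityIdentifier]::new($Type, $null)
}

# Which special groups does this session belong to? A console or RDP logon carries
# INTERACTIVE; a session opened over SMB or WinRM carries NETWORK instead. Nobody is
# "added" to these groups; the logon type decides.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
foreach ($name in $special.Keys) {
    $sid = Get-WellKnownSid $special[$name]
    '{0,-20} {1,-10} member: {2}' -f $name, $sid.Value, $token.Groups.Contains($sid)
}

# The lecture's rule: deny NETWORK, allow INTERACTIVE. An explicit Deny is evaluated
# before any Allow, so a user coming in over the share is refused even if another
# entry on the folder would otherwise grant them access.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$acl   = Get-Acl -Path $folder
$flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none  = [System.Security.AccessControl.PropagationFlags]::None
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    (Get-WellKnownSid $special['NETWORK']),
    [System.Security.AccessControl.FileSystemRights]::Modify, $flags, $none,
    [System.Security.AccessControl.AccessControlType]::Deny))
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    (Get-WellKnownSid $special['INTERACTIVE']),
    [System.Security.AccessControl.FileSystemRights]::Modify, $flags, $none,
    [System.Security.AccessControl.AccessControlType]::Allow))
Set-Acl -Path $folder -AclObject $acl

# Everyone can reach anonymous callers (subject to the "Let Everyone permissions apply to
# anonymous users" security option); Authenticated Users never does, so it is the safer
# choice when the intent is "anyone who logged on to the domain".
(Get-Acl -Path $folder).Access | Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Running the first loop from a local console and again from a remote PowerShell session shows the point of the lecture directly: the same account is a member of INTERACTIVE in one case and of NETWORK in the other, with no group change in Active Directory. Swapping Deny and Allow between the two rules gives the opposite policy the lecture describes.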

OK. Well, hopefully that gives you a good understanding of groups. You can obviously create groups through the Active Directory Administrative Center as well; I encourage you, if you want to try that out, to play around a little bit with groups there and get some good experience with it.