Maintaining groups and permissions
Groups
Groups are a type of account and have security identifiers (SIDs). Groups don’t authenticate themselves, but users and computers inherit a group’s SID by belonging to the group.
There are four types of groups. Security and distribution groups are what systems administrators usually manage; the other two types, application basic groups and LDAP query groups, are used by Authorization Manager-enabled applications. This documentation covers maintaining security groups.
A security group can be used when defining permissions on network resources such as shared printers and folders.
The University of Louisville uses groups for multiple purposes:
- To assign administrative rights to
o Tier Is
o HelpDesk personnel
o Secure Access Management Team
o System Administrators
- To grant access to file folders on the I: drive
o Some ‘privs’ groups have been renamed during our migration from Novell (AD won’t allow duplicate names), for example: privs-techsup (context added last)
o Some privileges to shared drives were granted at the container level in Novell, but that isn’t possible in Active Directory. Therefore groups have been created to reflect the users’ contexts.
Best Practices
Whenever possible, assign permissions to groups rather than users.
- Use groups to delegate authority over the directory. If one set of users needs Read permissions, and another set of users needs Change permissions, then create one group for each set of users and assign the permission to the group.
Always test new changes.
- Verify that people in the assigned group can access the files, and also that people who are not in the group cannot.
If possible, avoid changing the default permissions on Active Directory objects
- Changing default permissions could cause unexpected access problems or reduce security.
Avoid granting Full Control permissions over an object or organizational unit
- Granting someone Full Control allows them to take ownership of an object and modify the permissions on it. If someone has Full Control on a container, then they can Take Ownership of, and have Full Control over, all objects in that container. As far as possible, instead of allowing Full Control, give only the permissions needed by the user.
Minimize the number of access control entries that apply to child objects
- When using the Apply Onto option to control inheritance, be aware that not only will the specified objects inherit that access control entry (ACE) but all child objects will also receive a copy of that ACE. If there are enough objects that will get copies of this ACE, then that increased amount of data can cause performance problems on your network.
When possible, assign the same set of permissions to multiple objects
- Access control lists (ACLs) in the Windows Server 2003 family feature single-instancing: If multiple objects have identical access control lists (ACLs), then Active Directory will only store one instance of the ACL. For more information on how inheritance works for Active Directory objects, see Changing inherited permissions.
When possible, assign access rights on a broad level rather than assigning individual user rights
- Minimizing the number of access control entries will improve performance.
- Allow "Read All Properties" or "Write All Properties" rather than individual properties.
- Allow Read or Write access to property sets rather than individual properties. A property set is a collection of attributes. For example, the Personal Information property set includes the attributes address, personal title, and so on. By setting access on the property set, you have automatically set access on all the attributes contained in that property set.
- Allow "Create All Child Objects" or "Delete All Child Objects" rather than specifying individual child objects.
- Allow "All Extended Rights" rather than allowing the individual extended rights.
- Allow "All Validated Writes" rather than allowing the individual validated rights.
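The best practices above come down to keeping the number of access control entries on an organizational unit small and broad. The following script, an added example that is not part of the University of Louisville documentation, is a read-only audit that reports how many ACEs an OU carries, how many are scoped to a single property rather than "All Properties", and which principals hold Full Control. It assumes the ActiveDirectory PowerShell module is installed and that you supply your own OU's distinguished name; the DN shown is a placeholder.

```powershell
# Added example, not from the original documentation. Read-only audit of an OU's DACL.
# Assumes the ActiveDirectory module; the OU distinguished name below is a placeholder.
Import-Module ActiveDirectory

function Get-OuAceSummary {
    param(
        # Assumption: replace with the distinguished name of your own organizational unit.
        [Parameter(Mandatory)] [string] $OuDistinguishedName
    )

    # The AD: PSDrive exposes directory objects; Get-Acl returns their ActiveDirectorySecurity.
    $acl  = Get-Acl -Path ("AD:\" + $OuDistinguishedName)
    $aces = $acl.Access

    # An empty ObjectType GUID means the ACE covers all properties / all child objects;
    # a non-empty GUID means it is scoped to one property, property set or object class.
    $empty            = [guid]::Empty
    $propertySpecific = @($aces | Where-Object { $_.ObjectType -ne $empty })

    # GenericAll is what the ADUC security editor displays as "Full Control".
    $genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $fullControl = @($aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll
    })

    [pscustomobject]@{
        OU                    = $OuDistinguishedName
        TotalAces             = $aces.Count
        ExplicitAces          = @($aces | Where-Object { -not $_.IsInherited }).Count
        InheritedAces         = @($aces | Where-Object { $_.IsInherited }).Count
        PropertySpecificAces  = $propertySpecific.Count
        FullControlPrincipals = (@($fullControl | ForEach-Object { $_.IdentityReference.Value }) |
                                 Sort-Object -Unique) -join '; '
    }
}

# Usage with a placeholder DN (constructed; substitute your own OU):
Get-OuAceSummary -OuDistinguishedName "OU=YourDepartment,DC=example,DC=edu" | Format-List

# Per-principal count of explicit entries, to see who accumulates ACEs:
(Get-Acl -Path "AD:\OU=YourDepartment,DC=example,DC=edu").Access |
    Where-Object { -not $_.IsInherited } |
    Group-Object { $_.IdentityReference.Value } |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A high PropertySpecificAces count on a single OU is the situation the "Read All Properties" and property-set advice is meant to avoid; a principal in FullControlPrincipals that is not one of the Information Technology administrative groups is worth a second look before it is inherited by every child object.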
Notes
- Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry.
- Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.
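The two Notes above describe the order in which Windows evaluates a DACL: explicit Deny, explicit Allow, inherited Deny, inherited Allow. The script below is an added example, not part of the original documentation, that makes the rule visible on an NTFS folder tree rather than on a directory object, because it can be run safely on any workstation: it builds a parent/child pair under the user's temp folder, gives the local BUILTIN\Users group an inheritable Deny on the parent and an explicit Allow on the child, lists the ACEs in evaluation order, and then tries to create a file in each folder. It assumes the account running it is a member of the local Users group (true for ordinary and administrative accounts) and touches nothing in Active Directory.

```powershell
# Added example, not from the original documentation. Demonstrates that an explicit Allow
# overrides an inherited Deny, using a throwaway folder tree and the local Users group.
$root  = Join-Path $env:TEMP ("ace-demo-" + [guid]::NewGuid().ToString())
$child = Join-Path $root "child"
New-Item -ItemType Directory -Path $child -Force | Out-Null
$identity = "BUILTIN\Users"   # assumption: the current user belongs to this local group

# 1. Inheritable Deny-Write on the parent. On the child it appears as an *inherited* Deny.
$parentAcl = Get-Acl -Path $root
$parentAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity, "Write", "ContainerInherit,ObjectInherit", "None", "Deny")))
Set-Acl -Path $root -AclObject $parentAcl

# 2. Explicit Allow-Modify on the child only.
$childAcl = Get-Acl -Path $child
$childAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity, "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")))
Set-Acl -Path $child -AclObject $childAcl

# 3. List the ACEs for one identity in the order Windows walks them:
#    explicit before inherited, and Deny before Allow within each of those groups.
function Get-AceEvaluationOrder {
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Sort-Object { $_.IsInherited }, { $_.AccessControlType -eq 'Allow' } |
        Select-Object @{ n = 'Source'; e = { if ($_.IsInherited) { 'inherited' } else { 'explicit' } } },
                      AccessControlType, FileSystemRights
}
"ACEs for $identity on $child, in evaluation order:"
Get-AceEvaluationOrder -Path $child -Identity $identity | Format-Table -AutoSize

# 4. Creating a file needs the Write right. In the child the explicit Allow is reached
#    before the inherited Deny, so the Deny never applies; in the parent the explicit
#    Deny is the first matching entry and the inherited Allow from the profile loses.
foreach ($dir in @($root, $child)) {
    try {
        New-Item -ItemType File -Path (Join-Path $dir "probe.txt") -ErrorAction Stop | Out-Null
        "$dir : write allowed"
    } catch {
        "$dir : write denied"
    }
}

# Remove the demo tree (the explicit Allow on the child and owner rights on the root permit it).
Remove-Item -Path $root -Recurse -Force
```

The same ordering governs Active Directory object permissions, which is why an explicit Allow on a user object inside an OU still applies even when the OU carries an inherited Deny for the same group.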
Before trying any of the more complicated capabilities, try to use the simple permissions for the it-tier1 group shown below to achieve your needs:
Working with Groups
To work with groups, you
- Must have the Active Directory Users and Computers (ADUC) console installed on your workstation
- Must be a Tier I with rights to your organizational unit. See the list on the web at https://louisville.edu/it/help/twotier/tierone.html
Viewing Groups and/or Objects in your Organizational Unit
- Open “Active Directory Users and Computers” console (ADUC).
- Navigate to your organizational unit
- Groups are identified with a two-headed icon
- Double click on one to view its attributes
Create a Group
- Open “Active Directory Users and Computers” console (ADUC).
- Navigate to your organizational unit
- Click on the group icon or go to “Action / New / Group”
- Type in the Group Name (the “Group name (pre-Windows 2000):” field will auto-fill). We recommend that you choose a meaningful name. Click “OK”
- The new group will now appear in your organizational unit.
- Double click on the new group to open it up
o Complete the information on the “General” tab
- Description
- Leave “E-mail” blank
- No changes to “Group scope” or “Group type”
- Add enough information to “Notes” to help you and others. We recommend that you record who created the group and why with a creation date.
- Click “OK”.
Add Members to a Group
o Begin adding the members of the group by selecting the “Members” tab and clicking on “Add”
- A new panel appears.
- Object Types is automatically set to Users and Groups, so you do not need to change it. The location is fine.
- Enter the userID or name. Click “Check Names”
- If multiple names are found, highlight the name(s) you want, and click OK
- The person will be added.
- Return to the “Members” tab and repeat until everyone has been added.
- Click “Apply” and then click on “OK”
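The Create a Group and Add Members to a Group steps above can be scripted when the same kind of group has to be made repeatedly. The following is an added example, not part of the original documentation: it checks that the name is not already in use (AD won’t allow duplicates), creates the group with the same defaults ADUC applies (Security type, Global scope), fills in the Description and the Notes field with who created it, when and why, adds the members, and reads the membership back for verification. It assumes the ActiveDirectory module and Tier I rights on the OU; the OU distinguished name, group name and userIDs are placeholders.

```powershell
# Added example, not from the original documentation. Creates a security group the way
# the ADUC steps do and adds members. The OU, group name and userIDs are placeholders.
Import-Module ActiveDirectory

$ou        = "OU=YourDepartment,DC=example,DC=edu"   # assumption: your own OU's DN
$groupName = "privs-example-share"                    # constructed example name
$members   = @("userid1", "userid2")                  # constructed userIDs (SamAccountName)
$purpose   = "Modify access to the Example Share folder on the I: drive"

function New-DepartmentGroup {
    param([string]$Name, [string]$Path, [string]$Purpose, [string[]]$Members)

    # AD will not allow a duplicate name; fail early with a clear message instead of mid-way.
    if (Get-ADGroup -Filter "Name -eq '$Name'") {
        throw "A group named '$Name' already exists."
    }

    # 'info' is the attribute behind the "Notes" field on the General tab.
    $notes = "Created by $env:USERNAME on $(Get-Date -Format 'yyyy-MM-dd'). Purpose: $Purpose"

    # Security / Global are the values ADUC pre-selects for Group type and Group scope.
    # E-mail is left unset, matching the documentation's advice.
    $group = New-ADGroup -Name $Name -SamAccountName $Name `
        -GroupCategory Security -GroupScope Global `
        -Path $Path -Description $Purpose `
        -OtherAttributes @{ info = $notes } -PassThru

    # Equivalent of the Members tab: Add-ADGroupMember accepts userIDs (SamAccountName).
    Add-ADGroupMember -Identity $group -Members $Members

    # Verification: return the resulting membership so it can be checked or recorded.
    Get-ADGroupMember -Identity $group | Select-Object SamAccountName, objectClass
}

New-DepartmentGroup -Name $groupName -Path $ou -Purpose $purpose -Members $members
```

If the domain has several domain controllers, pin all three cmdlets to the same one with -Server so that the membership change is not attempted on a controller that has not yet replicated the new group.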
Remove Members from a Group
- Open “Active Directory Users and Computers” console (ADUC).
- Navigate to your organizational unit
- Double click on the group you wish to maintain
- Select the “Members” tab
- Highlight the member you wish to remove and click “Remove”
You will get a warning:
Double check your work and then click “Yes”.
Click “OK” to end.
When changes take effect
Users will have to log out and log back into their workstation before any changes will take effect.
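Because group SIDs are stamped into a user’s access token at logon, a membership change made in the directory does not reach an existing session. The script below is an added example, not part of the original documentation, covering the Remove Members step and the "when changes take effect" point together: it removes a member (Remove-ADGroupMember prompts for confirmation, like the warning in ADUC, unless -Confirm:$false is added) and then compares the domain group SIDs in the current session’s token with the user’s transitive group membership in the directory, so that groups added or removed since logon show up by name. It assumes the ActiveDirectory module and is meant to be run in a session belonging to the user being checked; the group and userID are placeholders.

```powershell
# Added example, not from the original documentation. Removes a group member, then shows
# the gap between directory membership and the logged-on token that a re-logon closes.
Import-Module ActiveDirectory

$groupName = "privs-example-share"   # constructed example name
$userId    = "userid1"               # constructed userID

# Equivalent of highlighting the member on the Members tab and clicking Remove.
Remove-ADGroupMember -Identity $groupName -Members $userId

function Compare-DirectoryToToken {
    param([string]$SamAccountName)

    $domainSid = (Get-ADDomain).DomainSID.Value
    $user      = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID

    # Directory view: transitive membership via the LDAP_MATCHING_RULE_IN_CHAIN matching
    # rule, plus the primary group (Domain Users), which is not stored in 'member'.
    $directorySids = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
                       ForEach-Object { $_.SID.Value }) + "$domainSid-$($user.primaryGroupID)"

    # Token view: the group SIDs the current session was given at logon, limited to this domain.
    $tokenSids = @([System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
                   ForEach-Object { $_.Value } |
                   Where-Object { $_ -like "$domainSid-*" })

    $toName = {
        $g = Get-ADGroup -Identity $_ -ErrorAction SilentlyContinue
        if ($g) { $g.Name } else { $_ }   # fall back to the SID if the group no longer exists
    }

    [pscustomobject]@{
        # In the directory but not in the token: granted since logon, not effective yet.
        AddedSinceLogon   = @($directorySids | Where-Object { $_ -notin $tokenSids } | ForEach-Object $toName)
        # In the token but not in the directory: removed since logon, still effective.
        RemovedSinceLogon = @($tokenSids | Where-Object { $_ -notin $directorySids } | ForEach-Object $toName)
    }
}

Compare-DirectoryToToken -SamAccountName $env:USERNAME | Format-List
```

A group that appears under RemovedSinceLogon is exactly the case the documentation warns about: the user still has that access until they log out and log back in, which matters most when the removal was meant to take effect immediately.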
Default Groups
There are some groups that Tier I staff will not be able to modify, although you may see them. These include:
- SharePoint groups:
o Named AD_UL-context
o Maintained automatically based on context
o Located in the groups organizational unit
- Administrative groups may appear to have access to your department’s folders. This is so Information Technology can support the file shares. Some of these are:
o Domain Admins
o IT_FileShare_Support
o IT_SAM
- Tier I administrative groups are also listed, but can only be maintained by Information Technology. This is done during the Tier I on-boarding process when a Tier I is granted access.
I: drive
Restricted Folders
Some units have requested that some of their folders have restricted or limited access, even from their Tier I support staff. When these folders were identified, they were removed from the existing file structure for the department and placed into a different folder. A new group was identified and can only be maintained by Information Technology.
Adding Permissions
- Navigate through Windows Explorer to the folder whose permissions need to be altered.
- Right click on the folder and choose “Properties”
- Select the “Security” tab
- Click the “Add” button to add a new group with permissions.
- Type in the name or partial name of the group to be added. Then click “Check Names”.
- If multiple choices are displayed, highlight the correct one and click “OK”
- Click “OK” if the group is listed correctly.
Now you can set the permissions.
- Check the appropriate boxes and click “Apply”.
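The Security tab sequence above (Add, Check Names, check the boxes, Apply) maps onto Get-Acl and Set-Acl. The script below is an added example, not part of the original documentation: it grants a group Modify on a folder, with inheritance to subfolders and files, rather than Full Control, in line with the best practice earlier on this page, and then re-reads the ACL so the change can be verified and any principal holding Full Control is listed. The folder path and group name are placeholders; DOMAIN stands for the NetBIOS name of your AD domain.

```powershell
# Added example, not from the original documentation. Grants a group Modify on a folder
# and verifies the result. Folder path and group are placeholders.
$folder = "I:\Department\ExampleShare"    # assumption: a folder on the I: drive you administer
$group  = "DOMAIN\privs-example-share"    # constructed example group

function Grant-GroupFolderAccess {
    param(
        [string]$Path,
        [string]$Group,
        # Modify covers day-to-day file work; Full Control is deliberately not the default here.
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, $Rights,
        'ContainerInherit,ObjectInherit',   # "This folder, subfolders and files"
        'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl     # equivalent of clicking Apply
}

function Test-GroupFolderAccess {
    param([string]$Path, [string]$Group)
    $acl         = Get-Acl -Path $Path
    $entries     = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Group })
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

    [pscustomobject]@{
        Path            = $Path
        Group           = $Group
        Present         = $entries.Count -gt 0
        Rights          = (@($entries | ForEach-Object { $_.FileSystemRights.ToString() }) -join '; ')
        # Every principal with an Allow Full Control entry, so over-broad grants stand out.
        FullControlHeld = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $fullControl) -eq $fullControl
        } | ForEach-Object { $_.IdentityReference.Value })
    }
}

Grant-GroupFolderAccess -Path $folder -Group $group
Test-GroupFolderAccess  -Path $folder -Group $group | Format-List
```

Administrative groups such as Domain Admins and IT_FileShare_Support are expected to appear under FullControlHeld, since Information Technology supports the file shares; a departmental ‘privs’ group appearing there is the case the best practices above advise against.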