Creating a group in Active Directory is easy. It is not so easy
to make sure that the group is used correctly over time. You can
facilitate the correct management and use of a group by documenting
its purpose to help administrators understand how and when to use the
group. The following best practices, although unlikely to be
addressed by the certification exam, will prove immensely useful for
enterprise group administration:
- Establish and adhere to a strict naming convention. In the context
  of ongoing group administration, establishing and following group
  naming standards increases administrative productivity. Using
  prefixes to indicate the purpose of a group, and using a consistent
  delimiter between the prefix and the descriptive part of the group
  name, can help locate the correct group for a particular purpose.
  For example, the prefix APP can be used to designate groups that
  are used to manage applications, and the prefix ACL can be used for
  groups that are assigned permissions on ACLs. With such prefixes,
  it becomes easier to locate and interpret the purpose of groups
  named APP_Accounting versus ACL_Accounting_Read. The former is used
  to manage the deployment of the accounting software, and the latter
  provides read access to the accounting folder. Prefixes also help
  group the names of groups in the user interface. Figure 1 shows an
  example. When attempting to locate a group to use when assigning
  permissions to a folder, you can type the prefix ACL_ in the Select
  dialog box and click OK. A Multiple Names Found dialog box appears,
  showing only the ACL_ groups in the directory, thereby ensuring
  that permissions will be assigned to a group that is designed to
  manage resource access.
- Summarize a group's purpose with its description attribute. Use
  the description attribute of a group to summarize the group's
  purpose. Because the Description column is enabled by default in
  the details pane of the Active Directory Users And Computers
  snap-in, the group's purpose can be highly visible to
  administrators.
- Detail a group's purpose in its Notes. When you open a group's
  Properties dialog box, the Notes text box is visible at the bottom
  of the General tab. This text box can be used to document the
  group's purpose. For example, you can list the folders to which a
  group has been given permission, as shown in Figure 2.
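The three practices above can be applied from the command line as well as from the snap-in. The following PowerShell script is an added example, not code from the training kit: it creates groups that follow the APP_/ACL_ prefix convention, fills in the description attribute, writes the Notes text (which is stored in the LDAP attribute named info), and then uses the prefix to list only the resource-access groups, mirroring the ACL_ search in the Select dialog box. The OU path, server name and group names are placeholders; the ActiveDirectory module from RSAT is assumed to be installed.

```powershell
# Added example (not from the training kit). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=contoso,DC=com'   # placeholder OU path; adjust for your domain

# Naming convention: <PREFIX>_<Descriptive_Name>. The prefix encodes the group's purpose:
#   APP_ = application management (global group), ACL_ = resource access (domain local group).
$groups = @(
    @{ Name        = 'APP_Accounting'
       Scope       = 'Global'
       Description = 'Manages deployment of the accounting application'
       Notes       = 'Purpose: deployment scope for the accounting software. Owner: application team.' },
    @{ Name        = 'ACL_Accounting_Read'
       Scope       = 'DomainLocal'
       Description = 'Read access to the Accounting share'
       # The Notes box is the 'info' attribute; list the folders the group is granted on.
       Notes       = "Read permission on: \\fileserver\Accounting (placeholder path)`nOwner: finance data owner" }
)

foreach ($g in $groups) {
    # Idempotent: only create the group if it does not already exist.
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Name)'")) {
        New-ADGroup -Name $g.Name -SamAccountName $g.Name `
            -GroupScope $g.Scope -GroupCategory Security -Path $ou `
            -Description $g.Description `
            -OtherAttributes @{ info = $g.Notes }
    }
}

# Because every resource-access group carries the ACL_ prefix, one filter finds them all,
# together with the documentation that explains what each one is for.
Get-ADGroup -Filter 'Name -like "ACL_*"' -SearchBase $ou -Properties Description, info |
    Select-Object Name, Description, @{ Name = 'Notes'; Expression = { $_.info } }
```

Running the last query regularly (for example, before a permissions review) quickly exposes groups whose Description or Notes were never filled in, which is usually the first sign that a group's purpose has been lost.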
2. Protecting Groups from Accidental Deletion
Protect yourself from the potentially devastating results of
deleting a group by protecting each group you create
from deletion. Windows Server 2008 R2 makes it easy to protect any
object from accidental deletion.
To protect an object, follow these steps:
- In the Active Directory Users And Computers snap-in, click the
  View menu and make sure that Advanced Features is selected.
- Open the Properties dialog box for a group.
- On the Object tab, select the Protect Object From Accidental
  Deletion check box.
- Click OK.
This is one of the few places in Windows in which you must click
OK instead of Apply. Clicking Apply does not modify the ACL based on
your selection.
The Protect Object From Accidental Deletion option applies an
access control entry (ACE) to the ACL of the object that explicitly
denies the Everyone group both the Delete permission and the Delete
Subtree permission. If you really do want to delete the group, you can
return to the Object tab of the Properties dialog box and clear the
Protect Object From Accidental Deletion check box.
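The check box and the ACE it writes can both be driven from PowerShell, which is useful when you want every group in an OU protected rather than remembering to tick the box one group at a time. The following script is an added example, not code from the training kit: it protects every unprotected group under an OU with Set-ADObject (the cmdlet equivalent of the check box) and then reads the group's ACL through the AD: drive to confirm that the Deny ACE for Everyone on Delete and Delete Subtree is actually present. The OU path is a placeholder; the RSAT ActiveDirectory module is assumed.

```powershell
# Added example (not from the training kit). Assumes the RSAT ActiveDirectory module,
# which also provides the AD: PSDrive used by Get-Acl below.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=contoso,DC=com'   # placeholder OU path

# Step 1: find groups in the OU that are not yet protected and protect them.
# -ProtectedFromAccidentalDeletion is the cmdlet form of the check box on the Object tab.
$unprotected = Get-ADGroup -Filter * -SearchBase $ou -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion }

foreach ($g in $unprotected) {
    Set-ADObject -Identity $g.DistinguishedName -ProtectedFromAccidentalDeletion $true
}

# Step 2: verify the effect on the object's ACL rather than trusting the flag.
# Returns $true when an explicit Deny ACE for Everyone covers both Delete and DeleteTree
# (the latter is shown as "Delete Subtree" in the user interface).
function Test-DeleteProtectionAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::Delete) -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::DeleteTree)
    }
    return [bool]$ace
}

# Report any group in the OU that still lacks the Deny ACE after step 1.
Get-ADGroup -Filter * -SearchBase $ou | ForEach-Object {
    [pscustomobject]@{
        Group     = $_.Name
        Protected = Test-DeleteProtectionAce -DistinguishedName $_.DistinguishedName
    }
} | Where-Object { -not $_.Protected }
```

The verification step matters because the protection is nothing more than that Deny ACE: anyone with permission to edit the group's ACL can remove it, and the flag reported by Get-ADGroup is derived from the ACE rather than stored separately, so checking the ACL directly is the authoritative test.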
Deleting a group has a significant impact on administrators and,
potentially, on security. Consider a group used to manage access to
resources. If the group is deleted, access to that resource changes.
Either users who should have access to the resource are suddenly
prevented from reaching it, creating a denial-of-service scenario, or
inappropriate access to the resource becomes possible if you had used
the group to deny access to the resource with a Deny permission.
Additionally, if you re-create the group, the new group object
will have a new security identifier (SID), which will not match the
SIDs on ACLs of resources. So you must instead perform object recovery
to reanimate the deleted group before the tombstone interval is reached. When a group has been
deleted for the tombstone interval—180 days by default—the group and
its SID are permanently deleted from Active Directory.
When you reanimate a tombstoned object, you must re-create most
of its attributes, including, importantly, the
member attribute of group objects. This means you
must rebuild the group membership after restoring the deleted object.
Alternatively, you can perform an authoritative restore or turn to your
Active Directory snapshots to recover both the group and its
membership.
Finally, Windows Server 2008 R2 introduces the Active Directory Recycle Bin, which lets you recover a
deleted object in its entirety, reducing or eliminating the impact of
accidentally deleting an object.
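The recovery paths described above differ mainly in what survives: re-creating the group produces a new SID, reanimating a tombstone keeps the SID but loses the member attribute, and the Recycle Bin keeps both. The following PowerShell script is an added example, not code from the training kit: it locates a deleted group in the Deleted Objects container, records its SID, restores it with Restore-ADObject, and then checks that the SID is unchanged and that the membership came back. It assumes the RSAT ActiveDirectory module and a forest in which the Active Directory Recycle Bin has already been enabled (without it, Restore-ADObject reanimates the tombstone and the membership check below will show an empty group); the group and domain names are placeholders.

```powershell
# Added example (not from the training kit). Assumes the RSAT ActiveDirectory module and
# that the Recycle Bin optional feature is enabled. Enabling it is a one-way, forest-wide
# change, so it is only shown here as a comment:
#   Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
#       -Scope ForestOrConfigurationSet -Target 'contoso.com'   # placeholder forest name
Import-Module ActiveDirectory

$groupName = 'ACL_Accounting_Read'   # placeholder: name of the group that was deleted

# Deleted objects are renamed to "<name>\0ADEL:<guid>", so match on the name prefix and
# restrict to groups. -IncludeDeletedObjects is required to see the Deleted Objects container.
$candidates = @(Get-ADObject -Filter "objectClass -eq 'group' -and isDeleted -eq `$true -and Name -like '$groupName*'" `
    -IncludeDeletedObjects -Properties objectSid, whenChanged)

if ($candidates.Count -eq 0) {
    throw "No deleted group named '$groupName' found; it may be past the tombstone or deleted-object lifetime."
}

# If the group was deleted and re-created more than once, take the most recent deletion.
$deleted = $candidates | Sort-Object whenChanged -Descending | Select-Object -First 1
$originalSid = $deleted.objectSid.Value
Write-Host "Restoring $($deleted.Name) with SID $originalSid"

# Restore the object in place. With the Recycle Bin, attributes such as member are preserved.
Restore-ADObject -Identity $deleted.ObjectGUID

# Verify the two properties that matter for existing ACLs: same SID, membership intact.
$restored = Get-ADGroup -Identity $groupName
if ($restored.SID.Value -ne $originalSid) {
    throw 'Restored group has a different SID; permissions on resources will not match.'
}

$members = @(Get-ADGroupMember -Identity $groupName)
if ($members.Count -eq 0) {
    Write-Warning 'Group restored with no members: the Recycle Bin was probably not enabled and the tombstone was reanimated; rebuild the membership or use an authoritative restore.'
} else {
    Write-Host "Restored with $($members.Count) member(s); SID unchanged."
}
```

The SID comparison is the decisive check: as long as it matches, every ACE on every resource that referenced the group is valid again without touching a single ACL, which is exactly what re-creating the group by hand can never achieve.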
Recovering a deleted group is a skill you should hope to use only in
worst-case scenarios, not in day-to-day operations of a production
environment. Protect yourself from the potentially devastating results
of group object deletion by protecting each group you create.