Active Directory Groups Overview

Jun 20, 2025

Overview

This lecture covers essential Active Directory (AD) groups, their roles, and best practices for managing administrative permissions and delegation in an AD environment.

Default AD Groups and Their Roles

  • The "Domain Admins" group can make any change in its AD domain, and it is added to the local Administrators group of every computer that joins the domain, so it effectively controls all of them.
  • In a newly created domain the built-in "Administrator" account is the only member of Domain Admins; every other member was added deliberately and should be accounted for.
  • "Enterprise Admins" exists only in the forest root domain and is automatically a member of Domain Admins in every domain of the forest. It is needed only for rare, forest-wide tasks (such as adding a domain or changing site configuration), so keep it empty between those tasks.
  • "Domain Users" contains every user account in the domain (it is the default primary group of new users). Grant resource access to this group only when every domain user, including service accounts and any account created later, should have that access.
  • "Domain Computers" contains all workstations and member servers joined to the domain; domain controllers are not members.
  • "Domain Controllers" contains the computer accounts of all domain controllers in the domain.
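The following PowerShell script is an added example, not part of the lecture: it enumerates the membership of the default groups listed above and flags any Domain Admins member other than the built-in Administrator. It assumes the RSAT ActiveDirectory module is installed, that the caller can read group membership, and that the script runs in a domain of the forest whose root it can reach; Enterprise Admins exists only in the forest root domain, so that group is queried there explicitly.

```powershell
# Added example (not from the lecture): audit the default AD groups discussed above.
# Assumes the RSAT ActiveDirectory module; run from any domain in the forest.
Import-Module ActiveDirectory

$forestRoot = (Get-ADForest).RootDomain
$domain     = Get-ADDomain
$domainSid  = $domain.DomainSID.Value

# Enterprise Admins lives only in the forest root domain; the others are per domain.
$groups = @(
    @{ Name = 'Domain Admins';      Server = $domain.DNSRoot }
    @{ Name = 'Enterprise Admins';  Server = $forestRoot }
    @{ Name = 'Domain Users';       Server = $domain.DNSRoot }
    @{ Name = 'Domain Computers';   Server = $domain.DNSRoot }
    @{ Name = 'Domain Controllers'; Server = $domain.DNSRoot }
)

foreach ($g in $groups) {
    # -Recursive expands nested groups so indirect members are counted too.
    # Note: ADWS refuses to return very large groups (default limit 5000 members),
    # so Domain Users / Domain Computers may need Get-ADUser/Get-ADComputer instead.
    $members = Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive
    '{0,-20} {1,6} member(s)' -f $g.Name, @($members).Count
}

# The built-in Administrator account always has RID 500 in its own domain.
$builtinAdminSid = "${domainSid}-500"
$extraAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.SID.Value -ne $builtinAdminSid }

if ($extraAdmins) {
    Write-Warning 'Domain Admins has members beyond the built-in Administrator:'
    $extraAdmins | Select-Object Name, SamAccountName, objectClass | Format-Table -AutoSize
} else {
    'Domain Admins contains only the built-in Administrator (RID 500).'
}
```

The RID 500 check is deliberate: the Administrator account can be renamed, so matching on the SID suffix rather than the name "administrator" is the reliable way to tell the built-in account from an added one.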

Best Practices for Administrative Accounts

  • Domain admin accounts have near-unlimited power and must not be used as daily accounts for e-mail, browsing or ordinary work; anything that compromises such a session runs with domain-wide rights.
  • Each administrator should have a separate normal user account with only the permissions needed for regular access, plus a distinct admin account used for nothing but administration.
  • Log on with the admin account only for deliberate AD changes, so that a mistake made during day-to-day work cannot have organization-wide consequences.

Delegation of Administrative Tasks

  • Delegation lets a user or group perform specific administrative tasks (for example resetting passwords for the accounts in one OU) without domain-wide permissions, which keeps Domain Admins membership to a minimum.
  • Every AD object carries a security descriptor with a discretionary ACL, just as an NTFS file does; permissions are delegated by adding access control entries (ACEs) to an OU that are inherited by the objects beneath it. Delegate to groups rather than individual accounts and keep the rights narrow: an ACE that grants full control, or the right to modify permissions, amounts to administrative control of everything under that OU, so existing delegations deserve the same review as group membership.
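As an added example (not the lecture's own material), the script below delegates the "Reset Password" right on all user objects under one OU to a helpdesk group, reads the resulting ACE back, and then lists any ACEs on that OU that grant broad rights. The OU `OU=Staff,DC=corp,DC=example` and the group `Helpdesk-PwReset` are assumed names; the two GUIDs are the well-known identifiers of the Reset Password control access right and of the `user` schema class, which are the same in every forest.

```powershell
# Added example (not from the lecture): delegate "Reset Password" on users below
# one OU to a helpdesk group, then verify the ACL. Assumes the RSAT ActiveDirectory
# module, which also provides the AD: PSDrive used by Get-Acl/Set-Acl.
Import-Module ActiveDirectory

$ouDn  = 'OU=Staff,DC=corp,DC=example'       # assumed OU
$group = Get-ADGroup 'Helpdesk-PwReset'      # assumed delegation group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known GUIDs, identical in every forest:
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the user class

$acl = Get-Acl -Path "AD:\$ouDn"

# One ACE: the extended right, allowed, applying only to descendant objects of
# class user (InheritedObjectType), not to the OU itself or to other object types.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass
)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show every ACE on the OU that applies to the helpdesk group.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize

# Review: broad rights such as GenericAll, WriteDacl and WriteOwner let the holder
# rewrite the ACL itself, so list them separately when auditing delegations.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner')
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

The ObjectType GUID is what keeps the grant narrow: with it, the group can reset passwords but not, say, change group membership or write other attributes; omitting it would grant every extended right on those user objects.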

Key Terms & Definitions

  • Active Directory (AD) — Microsoft's directory service for managing users, computers, and permissions in a networked environment.
  • Domain Admins — Group with full control over the domain and its computers.
  • Enterprise Admins — Forest-root group with authority to make changes across all domains in an AD forest.
  • Domain Users — Group containing all user accounts in a domain.
  • Domain Computers — Group containing all joined workstations and member servers, but not domain controllers.
  • Domain Controllers — Group for domain controller servers.
  • Delegation — Granting limited administrative permissions over specific AD objects to users or, preferably, groups.
  • ACL (Access Control List) — List of access control entries defining which principals hold which permissions on an object in AD or a file system.

Action Items / Next Steps

  • Review the membership and roles of AD default groups in your organization.
  • Avoid using domain admin accounts for daily operations.
  • Explore delegation settings and practice applying ACLs to AD objects.