Security Group Management

This document describes the recommended best practices for the use of security groups in the uwsads.wisconsin.edu domain.

Overview

Active Directory security groups are an integral component of role-based access control, but can quickly become ineffective, or even troublesome, if best practices are not followed. Proper use of group scope is very important when working with users and groups from external forests. In brief, user objects in trusted forests are added to global security groups that exist in the same Active Directory domain as those users. These global security groups are then added to a domain local group, which exists in the trusting domain that contains the target resource or service.

Group Scope

Domain Local Security Groups
Domain Local security groups should be used to facilitate access to a resource or service. These groups may be added to the local "Administrators" group on a server or workstation, added to an ACL, or selected within applications to facilitate authorization. Domain Local security groups may contain Global or Universal security groups from any trusted domain. User objects should never be added as direct members of a domain local security group.

Global Security Groups
Global security groups should contain user objects from the same domain as the global security group. These groups may be added to a domain local security group in any trusting domain. Global security groups should not be added directly to an ACL, but should instead be added to a domain local security group created in the domain which hosts the target resource or service.


Group Name

UW System Active Directory Services does not currently have an enforced naming convention. However, an effective naming convention is vital to the success of your group management strategy. Some recommendations include:
  • Prepend the group name with the name or acronym of the service for which it is used.
  • Ensure that group scope is represented within the group name.
  • Name domain local groups with the entitlement granted by membership.
For example:
  • SERVICE-DS-SQL-FULL_CONTROL for a domain local security group.
  • Service-GS-Database Admins for a global security group.
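The nesting model and naming recommendations above, as an added PowerShell example (not part of this document or of UW System Active Directory Services tooling). It assumes the RSAT ActiveDirectory module and rights to create groups; the OU path, the service name SERVICE and the user account jdoe are placeholders.

```powershell
# Added example: build one AGDLP pair (user -> global group -> domain local group -> ACL)
# using the recommended names, then audit for domain local groups that hold users directly.
Import-Module ActiveDirectory

$serviceName = 'SERVICE'
$groupOU     = 'OU=Groups,DC=uwsads,DC=wisconsin,DC=edu'   # placeholder OU

# Global group: holds user objects from this domain only; scope is encoded in the name (GS).
$globalGroup = New-ADGroup -Name "$serviceName-GS-Database Admins" `
    -GroupScope Global -GroupCategory Security -Path $groupOU -PassThru

# Domain local group: named for the entitlement it grants (DS); this is what goes on the ACL.
$localGroup = New-ADGroup -Name "$serviceName-DS-SQL-FULL_CONTROL" `
    -GroupScope DomainLocal -GroupCategory Security -Path $groupOU -PassThru

# Nest: the user joins the global group, the global group joins the domain local group.
Add-ADGroupMember -Identity $globalGroup -Members 'jdoe'        # placeholder user
Add-ADGroupMember -Identity $localGroup  -Members $globalGroup

# Audit: report every domain local security group with a user object as a direct member,
# which violates the rule that users are never added directly to domain local groups.
function Find-DirectUserMembers {
    Get-ADGroup -Filter 'GroupScope -eq "DomainLocal" -and GroupCategory -eq "Security"' -Properties member |
        ForEach-Object {
            $group = $_
            # Read the member attribute instead of Get-ADGroupMember so that members from
            # trusted forests (stored as foreignSecurityPrincipal objects) do not break the scan.
            foreach ($dn in $group.member) {
                $obj = Get-ADObject -Identity $dn
                if ($obj.ObjectClass -eq 'user') {
                    [pscustomobject]@{
                        Group  = $group.Name
                        Member = $obj.Name
                    }
                }
            }
        }
}

Find-DirectUserMembers | Format-Table -AutoSize
```

Members that resolve to foreignSecurityPrincipal objects are users or groups from trusted forests; the audit leaves them alone because only same-domain user objects can be told apart from nested groups here.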