How to manage permissions with Active Directory (the right way)

Back to Blog
25May2017

How to manage permissions with Active Directory (the right way)

How do most people use Active Directory groups to manage permissions?  You probably already know the answer: Global security groups. For example, if there is a directory on the file server specifically for “Payroll,” then we normally see folks creating a Global security group that corresponds to “Payroll,” populating that group with the users who make up that department or function, and then assigning permissions from there.

But this can get confusing, because in some circumstances, another person from some other department, or the President or CFO say, may require access to certain resources in this folder. So now, the Payroll Global group contains all the usual Payroll members, as well as that other guy (or gal).

To avoid these situations, and for other reasons that will become apparent shortly, there is another way to organize permissions, which is much more efficient. And that way is:

  • Global groups = sets of people/individuals (e.g. Finance Department, Human Resources)
  • Domain local groups = resources on the Domain (e.g. file shares, data access)

I’ll give you a practical example of this. In many organizations, there may be some subsets of data that are considered particularly sensitive, because they contain ePHI (electronic Protected Health Information), or PII (Personally Identifiable Information), etc. This might include Social Security numbers, medical information and history, and other personal data.

If you have a directory like “Finance” (which probably contains a fair amount this type of data) then you might feel tempted to put the members of your Finance department into this group, and grant them access to the folder using that group. But instead, you should do this:

Create three Domain local / resource groups to manage access to this resource:

  • Finance Share Read-Only (Domain local group)
  • Finance Share Read-Write (Domain local group)
  • Finance Share Deny (Domain local group)

Then, you can populate each of the above groups with other groups (of individuals), such as:

  • The Finance Department (Global group) goes into Finance Share Read-Write
  • Certain other users (individuals from the Management team) might also be included in the Read-Write membership for the Finance Share
  • Board of Directors / Governors might have membership in Finance Share Read-Only, or maybe an auditor occaisionally joins this group, for instance
  • Other departments such as Admin, Operations, HR and so forth might be included in the Finance Share Deny group

Why do it this way?

Well, one of the main benefits is: Active Directory becomes a “one-stop shop” for managing permissions and for reporting–it is quick and easy to determine who has what access, simply by browsing the Domain local groups. Furthermore, when someone temporary comes in (e.g. an auditor), you have more flexibility in granting & restricting permissions. A typical Finance user might have more access than you’d like to see the auditor have–including certain directories that you may even want to Deny to the auditor. But you can still give them temporary read access to the Finance share on your file server, simply by using that Domain local group.

Another benefit is that you never have to go onto a file server or other network location and manage permissions/Access Control Lists (ACL’s) on the items themselves. All such resources would be setup exactly once with corresponding groups for Read-Only, Read-Write and Deny. After that, all your management takes place through Active Directory Users & Computers.

In order for this to work correctly, you need to ensure that every resource on the domain has its corresponding Domain local groups. I would furthermore add that all other memberships on the ACL’s of local resources be removed. They can be added back to the Domain local group easily enough.

And that’s it.

You probably thought this post was going to be about something more advanced like claims-based authentication. Sorry to disappoint. It’s true: claims add a powerful abstraction layer, wherein a subject can make a certain set of statements (claims) about itself, and is issued a token based on said claims. So for example: Jim signs in on his corporate-issued laptop and is granted full network access, but when he signs in using the same credentials from his personal iPad, that access is more restricted. Why? Because the statements / claims being made during the authentication process include not only identity (username) but also device type.

This capability of providing a claims-based authentication is indeed available in Windows Server (one of its lesser-known features), but it is important to remember that claims aren’t for everyone, and they aren’t always necessary. And since I don’t even see the traditional tools being used well yet, let’s not get ahead of ourselves! Maybe we’ll revisit this topic another day.

 

Technical , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

03Dec

How to require MFA for Azure AD Join, and enable Enterprise State Roaming

Hey folks! We have already covered a few posts on Azure AD Premium and Conditional access; and that's great--because you do things like enforce requirements like Multi-factor Auth, but only in situations where devices are unmanaged. This provides a way better user experience than enabling MFA... read more
Why not Defender for Mobile?
28Apr

Why aren’t you protecting your mobile devices with Microsoft Defender?

Recently I was on a call with Microsoft, and I was surprised to hear that adoption for Microsoft Defender on mobile devices is still extremely low. But according to other industry partners, this is true of Mobile Threat Defense (MTD) solutions in general. I think... read more
28Jun

Does Microsoft backup my data in Office 365? Do I need more or additional backup?

A new reader question came in, and frankly it's one that I hear a lot. I'm sure I have smatterings referring to this issue in other articles, but this one should stand to clear up the questions once and for all--this will be something I... read more
14Apr

How to initiate a test failover to Azure Site Recovery

If you've been following along with this series, we have already: Extended our On-Premises Network to Azure Virtual Network Replicated Hyper-V Virtual Machines to an Azure Site Recovery Vault In this post we are going to perform a test fail-over of on-premises virtual machines to Azure. Since... read more
04Sep

Windows Hello for Business: Azure AD Join vs. Hybrid Join

Windows Hello for Business replaces a traditional password when signing into your workstation, with a stronger two-factor authentication. One factor being some kind of local gesture such as a PIN, fingerprint or facial recognition, and the other being a key or certificate that is bound... read more
20Jul

How to Encrypt your Hyper-V Host Server using the GUI

Full disk encryption is becoming more important in the SMB.  I recommend this for every Windows 10 Pro PC, and also for your Windows Servers. Small businesses often have a single physical Hyper-V host server, maybe two. And these are usually located in a network... read more
27Apr

How to enable 2-factor or multi-factor authentication (2FA or MFA)

Enabling a second factor for authentication is an important (and often very easy) thing to do.  Usually this can be accomplished in just a few clicks for most websites and cloud services. It is highly recommended that you take the time to do this, especially for... read more
15Jun

Implementing the ACSC Essential 8 with Microsoft 365

I have had this request on my backburner for a while, and I finally got around to knocking it out: from a reader in the Land Down Under--Australia! Update: Microsoft has a much-improved set of Learn articles on the Essential Eight, with detailed guidance on implementing... read more
17Sep

Enable the Archive Mailbox and modify the default retention policy (for cloud-only and hybrid users)

In any subscription that includes Exchange Online Archiving, such as Office 365 E3 or Microsoft 365 Business (as well as any subscription to which the Archiving add-on is applied), it is possible to enable an unlimited storage container for those hoarders out there, known as... read more
15Jun

How to migrate from Office 365 Essentials Dashboard Integration to Azure AD Connect

As we've previously discussed on this blog, Windows Server Essentials comes with the ability to integrate with Azure AD & Office 365, using the Essentials Dashboard plugin. It is important to know that this technology is very different from the more widely adopted Azure AD... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me