
Why are security groups essential?

Security groups in Active Directory (AD) collect users, computers, and other groups into a single security principal so administrators can manage them together. Permissions on resources across the domain are assigned to security groups rather than to individual accounts, and user rights are assigned to them through Group Policy settings. That concentration of access makes groups a natural target: an attacker who can add an account to the right group inherits everything the group is allowed to do. Here are five Active Directory security group best practices to help keep your AD environment secure.

Top 5 AD security group best practices


Utilize group nesting

Making one AD group a member of another is called nesting. Microsoft's AGDLP and AGUDLP nesting strategy uses global groups as account (role) groups that hold user accounts, and domain local groups as resource groups that receive the permissions on a resource. In multi-domain forests, universal groups sit between the two so that a role defined in one domain can be granted access to resources in another. This establishes role-based access control and simplifies access management: people are managed in the role groups, permissions in the resource groups, and the nesting links the two.

AGDLP - Accounts, global groups, domain local groups, permissions
AGUDLP - Accounts, global groups, universal groups, domain local groups, permissions
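The AGDLP chain for a single file share, as an added PowerShell example (not code from the original page or from ManageEngine). It assumes the ActiveDirectory module, an OU named OU=Groups,DC=corp,DC=example, a share at E:\Shares\Marketing and two existing accounts, alice and bob; all of these are placeholders.

```powershell
# Added example (not from the original page): AGDLP for a single file share.
# Assumptions: the ActiveDirectory module is available, the OU below exists,
# the share lives at E:\Shares\Marketing, and the users alice and bob exist.
Import-Module ActiveDirectory

$groupOU   = 'OU=Groups,DC=corp,DC=example'   # assumed OU for all groups
$sharePath = 'E:\Shares\Marketing'             # assumed resource
$domain    = (Get-ADDomain).NetBIOSName

# A -> G: accounts go into a global "role" group
New-ADGroup -Name 'G-Marketing-Staff' -GroupScope Global -GroupCategory Security `
    -Path $groupOU -Description 'Role group: marketing department staff'
Add-ADGroupMember -Identity 'G-Marketing-Staff' -Members 'alice', 'bob'   # assumed accounts

# DL: one domain local "resource" group per permission level on the share
$resourceGroups = @{
    'DL-Marketing-R' = 'ReadAndExecute'   # R = read
    'DL-Marketing-C' = 'Modify'           # C = change
}
foreach ($name in $resourceGroups.Keys) {
    New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security `
        -Path $groupOU -Description "Resource group: $sharePath ($($resourceGroups[$name]))"
}

# G -> DL: nest the role group into the resource group. People are never
# placed directly in DL groups, and only DL groups ever appear on the ACL.
Add-ADGroupMember -Identity 'DL-Marketing-R' -Members 'G-Marketing-Staff'

# DL -> P: grant the permissions to the DL groups on the folder
$acl = Get-Acl -Path $sharePath
foreach ($name in $resourceGroups.Keys) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList "$domain\$name", $resourceGroups[$name], `
                      'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $sharePath -AclObject $acl
```

Giving a new hire access is then a single Add-ADGroupMember into G-Marketing-Staff; the ACL on the share never changes. For AGUDLP, nest the global group into a universal group and nest that into the domain local group instead.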

Follow naming conventions

Using standard naming conventions throughout a domain is vital for network administration. The names of your security groups should make each group's purpose and associated permissions clear. For example, take the name DL-Marketing-R. This name encodes the group's scope (DL for Domain Local, G for Global, U for Universal), the role of its members (Marketing), and the permission level assigned to the group (R for Read, C for Change).
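An added example (not from the original page) that audits existing groups against the Scope-Role-Permission convention above. Beyond flagging names that do not parse, it checks that the scope prefix in the name agrees with the group's actual scope in AD, a mismatch the name alone would hide. It assumes the ActiveDirectory module and treats the DL/G/U and R/C vocabulary from the page as the organisation's standard.

```powershell
# Added example (not from the original page): audit security group names
# against the <Scope>-<Role>-<Permission> convention. Assumptions: the
# ActiveDirectory module; the DL/G/U and R/C vocabulary is the page's and is
# treated here as the organisation's standard.
Import-Module ActiveDirectory

$scopeByPrefix = @{ DL = 'DomainLocal'; G = 'Global'; U = 'Universal' }
$pattern = '^(?<scope>DL|G|U)-(?<role>[A-Za-z0-9]+)(?:-(?<perm>R|C))?$'

function Test-GroupName {
    param($Group)   # an ADGroup object from Get-ADGroup
    $finding = [pscustomobject]@{ Name = $Group.Name; Scope = [string]$Group.GroupScope; Problem = $null }

    if (-not ($Group.Name -match $pattern)) {
        $finding.Problem = 'name does not follow <Scope>-<Role>[-<Perm>]'
        return $finding
    }
    $expected = $scopeByPrefix[$Matches.scope]
    if ($finding.Scope -ne $expected) {
        $finding.Problem = "prefix $($Matches.scope) implies $expected, AD scope is $($finding.Scope)"
        return $finding
    }
    # Only resource (DL) groups carry a permission suffix; role groups hold people, not rights
    if ($Matches.scope -ne 'DL' -and $Matches.perm) {
        $finding.Problem = 'permission suffix on a role (non-DL) group'
        return $finding
    }
    return $null   # compliant
}

Get-ADGroup -Filter 'GroupCategory -eq "Security"' |
    ForEach-Object { Test-GroupName $_ } |
    Where-Object { $_ } |
    Format-Table -AutoSize
```

A group named DL-Finance-R that is actually Global is the case worth catching: it will be nested and permissioned as if it were a resource group, and the name will keep lying about it until someone checks.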


Follow the principle of least privilege

In AD, administrators must keep track of users and their privileges. Although security groups make it easy to grant permissions to many accounts at once, those permissions must be kept to the bare minimum. Outside of administrators, users rarely need Full Control over a resource; a group that only needs to read a share should get Read, not Modify or Full Control. Exercise caution when assigning permissions to security groups so that members have just enough access to complete their assigned tasks.
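An added example (not from the original page) of the check a practitioner would run to find where least privilege has slipped: it walks a share tree and reports every explicit Allow ACE that grants Full Control to a principal outside a short allow-list of administrative identities. The share root, the allow-list and the CORP domain name are assumptions.

```powershell
# Added example (not from the original page): report explicit Full Control
# grants on a share tree to anyone outside an admin allow-list.
# Assumptions: the share root and allow-list below; domain NetBIOS name CORP.
$shareRoot = 'E:\Shares'                                                              # assumed
$adminOnly = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CORP\Domain Admins')  # assumed

function Find-FullControlAce {
    param([string]$Root, [string[]]$Allowed)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl

    # the root itself plus every subfolder beneath it
    $dirs = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }                    # report where it was set, not every child
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # FullControl is a bitmask; -band alone would match any right, so compare the masked value
            if (($ace.FileSystemRights -band $full) -ne $full) { continue }
            if ($Allowed -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Find-FullControlAce -Root $shareRoot -Allowed $adminOnly | Format-Table -AutoSize
```

Each hit is a place to replace the Full Control grant with the narrowest right the group's task needs, typically ReadAndExecute or Modify assigned to a DL resource group as in the nesting section.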


Cut down on extras

When managing security groups, ensure that no user belongs to more groups than necessary. At logon, the user's Kerberos ticket carries a PAC listing the user's SID together with the SIDs of every security group the user belongs to, directly or through nesting. As that list grows, the ticket can exceed the maximum token size the Kerberos client and the receiving services accept (token bloat), and authentication to those services fails. This can happen well before the hard limit of 1,015 group SIDs in an access token, beyond which logon fails outright. In large IT environments, stick to role-based access control and keep the group membership of individual users small.
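An added example (not from the original page) that counts the group SIDs that will land in each enabled user's token, direct and nested alike, using the constructed tokenGroups attribute that the domain controller computes. The 1,015 hard limit is the Windows figure from the text; the 500 warning threshold is an assumption chosen for illustration.

```powershell
# Added example (not from the original page): per-user transitive group count
# via the constructed tokenGroups attribute. The 1,015 hard limit is Windows';
# the warning threshold is an assumption.
Import-Module ActiveDirectory

$hardLimit = 1015
$warnAt    = 500     # assumed; ticket-size failures usually surface well before 1,015

function Get-TokenGroupCount {
    param([string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $entry.RefreshCache(@('tokenGroups'))        # ask the DC to compute the transitive group SIDs
    return $entry.Properties['tokenGroups'].Count
}

$report = foreach ($user in Get-ADUser -Filter 'Enabled -eq $true') {
    $n = Get-TokenGroupCount -DistinguishedName $user.DistinguishedName
    if     ($n -ge $hardLimit) { $status = 'OVER LIMIT' }
    elseif ($n -ge $warnAt)    { $status = 'WARN' }
    else                       { $status = 'ok' }
    [pscustomobject]@{ User = $user.SamAccountName; Groups = $n; Status = $status }
}

$report | Where-Object { $_.Status -ne 'ok' } | Sort-Object Groups -Descending | Format-Table -AutoSize
```

Counting direct memberships (the memberOf attribute) understates the problem because every nested group adds a SID too; tokenGroups reflects what the ticket will actually carry.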


Keep tabs on changes to privileged groups

Always look out for suspicious activity by continuously monitoring your AD security groups. Default security groups whose rights and privileges are extensive enough to make domain-wide or even forest-wide changes, such as Domain Admins and Enterprise Admins (and Schema Admins and the built-in Administrators group alongside them), need the closest examination. Any unauthorized membership change to these privileged groups may mean that your network is already compromised.
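An added example (not from the original page) of doing this with only the native Security log: it pulls the group-membership-change events from a domain controller and keeps those that touch the privileged groups. Event IDs 4728, 4732 and 4756 record a member added to a security-enabled global, local and universal group respectively, and 4729, 4733 and 4757 the matching removals. The DC name DC01 and the group list are assumptions; the DC must have the "Audit Security Group Management" subcategory enabled for these events to exist.

```powershell
# Added example (not from the original page): membership changes to privileged
# groups from a DC's Security log. Assumptions: DC named DC01 with
# "Audit Security Group Management" auditing enabled; the group list below.
$dc         = 'DC01'                                                          # assumed
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$addIds     = 4728, 4732, 4756   # member added to global / local / universal security group
$removeIds  = 4729, 4733, 4757   # member removed

function Get-PrivilegedGroupChange {
    param([string]$Computer, [string[]]$Groups, [datetime]$Since)
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = ($addIds + $removeIds); StartTime = $Since
    } |
    ForEach-Object {
        # flatten <EventData><Data Name="...">value</Data> into a lookup table
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        if ($Groups -contains $d['TargetUserName']) {          # TargetUserName is the group's name
            if ($addIds -contains $_.Id) { $action = 'ADDED' } else { $action = 'REMOVED' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Action = $action
                Group  = $d['TargetUserName']
                Member = $d['MemberName']                      # DN of the account added or removed
                By     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            }
        }
    }
}

Get-PrivilegedGroupChange -Computer $dc -Groups $privileged -Since (Get-Date).AddDays(-1) |
    Format-Table -AutoSize
```

Run it against every domain controller, not just one, since the event is logged on whichever DC processed the change; any ADDED row whose By column is not a known admin account performing an approved change is an incident until proven otherwise.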

Simplify your security group management using ADAudit Plus

Using native tools to keep track of changes to AD security groups can be a labor-intensive process. To accomplish this task in just a few clicks, check out ADAudit Plus, a UBA-driven auditor from ManageEngine. ADAudit Plus provides real-time updates on all changes made to AD groups, including type, scope, and membership changes, bringing much-needed relief to administrators.

