Microsoft: Active Directory Domain Service Security Group

Security group scope

1. Universal

  • Users from anywhere in the forest accessing resources anywhere in that same forest (FF).
  • It can contain a combination of Global and Domain Local groups.

E.g. Enterprise Admins, Schema Admins (in the Users container)

2. Global

  • Users from its own domain accessing resources anywhere in the forest (DF).

E.g. Domain Users, Domain Admins (in the Users container)

3. Domain Local

  • Users from anywhere in the forest accessing resources in its own domain (FD).
  • This is the only scope that can have members from an external forest.

E.g. Administrators, Account Operators, Backup Operators, Print Operators (in the Builtin container)
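The following is an added example, not code from the original post, showing how the three scopes look in a real domain: it counts groups per scope and category, and then lists every group that holds a member from an external forest, since Domain Local is the only scope that may do so. It assumes the ActiveDirectory RSAT module and a session that can query the domain; no other names are assumed.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory RSAT
# module and a session that can query the domain.
Import-Module ActiveDirectory

# Count groups per scope and category so the three scopes can be seen side by
# side (e.g. how many Security groups are Universal vs Global vs Domain Local).
function Get-GroupScopeSummary {
    Get-ADGroup -Filter * -Properties GroupScope, GroupCategory |
        Group-Object GroupScope, GroupCategory |
        Sort-Object Name |
        Select-Object @{ n = 'Scope, Category'; e = { $_.Name } }, Count
}

# Members from an external (trusted) forest are represented in this domain as
# foreign security principals under CN=ForeignSecurityPrincipals,<domain DN>.
# Only a Domain Local group may hold them, so this lists each group that does,
# with its scope and parent container (Users, Builtin, or an OU) for review.
function Find-GroupsWithForeignMembers {
    $domainDN  = (Get-ADDomain).DistinguishedName
    $fspSuffix = ",CN=ForeignSecurityPrincipals,$domainDN"

    Get-ADGroup -Filter * -Properties GroupScope, Members | ForEach-Object {
        $foreign = @($_.Members | Where-Object { $_ -like "*$fspSuffix" })
        if ($foreign.Count -gt 0) {
            [pscustomobject]@{
                Group          = $_.Name
                Scope          = $_.GroupScope
                Container      = ($_.DistinguishedName -split ',', 2)[1]
                ForeignMembers = $foreign.Count
            }
        }
    }
}

Get-GroupScopeSummary         | Format-Table -AutoSize
Find-GroupsWithForeignMembers | Format-Table -AutoSize
```

The Container column makes the distinction drawn above visible: the built-in Domain Local groups (Administrators, Account Operators, Backup Operators, Print Operators) resolve to the Builtin container, while Domain Admins, Enterprise Admins and Schema Admins resolve to the Users container.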

Group Policy Object Processing And Precedence

This article is about the order of processing and precedence of the Group Policy Object (GPO).

There is an acronym used to remember the order of processing:

LSDOU – Local, Site, Domain, OU.

1. Local GPO

2. Site-linked GPO

3. Domain-linked GPO

4. Organizational Unit (OU)-linked GPO

The rule of thumb for precedence in the LSDOU order of processing is that the last GPO applied takes precedence, which will be the OU-linked GPO. There are additional rules to consider: when multiple GPOs are linked to the same object (e.g. the domain), the GPOs are processed according to their link order from top to bottom (1 to …), and the top GPO (link order 1) takes precedence.

Inheriting Parent GPO

In some cases there may be nested OUs, or parent and child domains, in which GPOs are inherited from the parent automatically. The inherited GPOs have the lowest precedence by default on the child node, which can be changed by rearranging the link order.

Enforcing GPO

The precedence of a GPO can be changed by enforcing it, which moves it to the top (it becomes number 1).
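The following is an added example, not code from the original post, that makes the Domain and OU part of LSDOU, link order, inheritance and enforcement visible for one OU. It walks from the domain root down to the target OU, lists each level's links with their link order and Enforced flag and whether that level blocks inheritance, and then prints the resulting precedence as GPMC shows it on the Group Policy Inheritance tab. It assumes the GroupPolicy RSAT module; the OU distinguished name at the bottom is a placeholder.

```powershell
# Added example, not from the original post. Assumes the GroupPolicy RSAT module;
# the OU distinguished name used at the bottom is a placeholder.
Import-Module GroupPolicy

# Walk from the domain (D) down through each nested OU (OU) to the target and list
# every link at every level. Local and Site GPOs are outside this chain.
function Get-GpoLinkChain {
    param([Parameter(Mandatory)][string]$TargetDN)

    $parts = $TargetDN -split ','
    $dcIndex = 0
    while ($dcIndex -lt $parts.Count -and $parts[$dcIndex] -notlike 'DC=*') { $dcIndex++ }

    # Index $dcIndex is the domain root; index 0 is the target OU itself.
    for ($i = $dcIndex; $i -ge 0; $i--) {
        # Only the domain and OUs can carry GPO links (CN= containers cannot).
        if ($i -ne $dcIndex -and $parts[$i] -notlike 'OU=*') { continue }

        $container   = $parts[$i..($parts.Count - 1)] -join ','
        $inheritance = Get-GPInheritance -Target $container
        foreach ($link in $inheritance.GpoLinks) {
            [pscustomobject]@{
                Level              = $container
                LinkOrder          = $link.Order          # 1 = top of the list at this level
                GPO                = $link.DisplayName
                Enabled            = $link.Enabled
                Enforced           = $link.Enforced       # enforced links win over child links
                InheritanceBlocked = $inheritance.GpoInheritanceBlocked
            }
        }
    }
}

# The net result for the target, already accounting for link order, Enforced
# links and Block Inheritance, as GPMC lists it on the Group Policy Inheritance tab.
function Get-EffectiveGpoOrder {
    param([Parameter(Mandatory)][string]$TargetDN)
    (Get-GPInheritance -Target $TargetDN).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enforced, Target
}

$ou = 'OU=Workstations,DC=example,DC=local'   # placeholder; replace with a real OU DN
Get-GpoLinkChain      -TargetDN $ou | Format-Table -AutoSize
Get-EffectiveGpoOrder -TargetDN $ou | Format-Table -AutoSize
```

Comparing the two tables shows the rules above in practice: a GPO that sits at link order 1 on the OU appears first in the effective list, and an enforced GPO linked at the domain jumps ahead of it even though the OU is processed last. Because Local and Site GPOs are not linked in the OU chain, the complete LSDOU result for a specific computer is still best read from `gpresult /r` or `Get-GPResultantSetOfPolicy` on that machine.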


PowerShell: Get a List of AD Groups a specific user is a member of

PowerShell is very versatile, and with this wonderful tool I will share how to get the subject result.

There are two ways of doing this:

1. Using the cmdlet

Get-ADPrincipalGroupMembership [username] | Format-Table Name -AutoSize

I used the cmdlet with Format-Table to output the Name property in table format.

2. Using the cmdlet

Get-ADUser [username] -Properties memberof | Select -ExpandProperty memberof | Get-ADGroup | Format-Table Name -AutoSize

I used the additional -Properties parameter to retrieve the MemberOf attribute, then used the Select cmdlet to expand the array, then piped it to Get-ADGroup to get the name of each group and list it in table format.
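The following is an added example, not code from the original post, that goes one step beyond the two commands above: both of them return only the groups the user is a direct member of, whereas a user's effective rights come from nested groups too (a user in a Global group that is itself in Administrators is an administrator). It follows memberOf through nested groups breadth-first, records how each membership was reached, guards against membership cycles, and flags the built-in privileged groups named earlier on this page by their well-known RIDs. It assumes the ActiveDirectory RSAT module; the username at the bottom is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory RSAT
# module; the username used at the bottom is a placeholder.
Import-Module ActiveDirectory

# Well-known RIDs of the groups named on this page: 512 Domain Admins,
# 518 Schema Admins, 519 Enterprise Admins, 544 Administrators,
# 548 Account Operators, 550 Print Operators, 551 Backup Operators.
$PrivilegedRidPattern = '-(512|518|519|544|548|550|551)$'

function Get-NestedGroupMembership {
    param([Parameter(Mandatory)][string]$Identity)

    $user  = Get-ADUser -Identity $Identity -Properties MemberOf
    $seen  = @{}                                 # group DNs already reported
    $queue = New-Object System.Collections.Queue
    foreach ($dn in $user.MemberOf) {
        $queue.Enqueue(@{ DN = $dn; Depth = 1; Via = $user.SamAccountName })
    }

    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        if ($seen.ContainsKey($item.DN)) { continue }   # seen before, or a cycle (A in B, B in A)
        $seen[$item.DN] = $true

        $group = Get-ADGroup -Identity $item.DN -Properties MemberOf, GroupScope
        [pscustomobject]@{
            Group      = $group.Name
            Scope      = $group.GroupScope
            Depth      = $item.Depth     # 1 = direct member, 2 = via one nested group, ...
            Via        = $item.Via       # the user or group whose membership led here
            Privileged = ($group.SID.Value -match $PrivilegedRidPattern)
        }
        # The group's own memberships are the next level of nesting.
        foreach ($parentDn in $group.MemberOf) {
            $queue.Enqueue(@{ DN = $parentDn; Depth = $item.Depth + 1; Via = $group.Name })
        }
    }
}

Get-NestedGroupMembership -Identity 'jdoe' |          # 'jdoe' is a placeholder username
    Sort-Object Privileged -Descending |
    Format-Table Group, Scope, Depth, Via, Privileged -AutoSize
```

One caveat that applies to the second one-liner above as well: the memberOf attribute does not include the user's primary group (Domain Users by default, set via primaryGroupID), so that group will be missing from any memberOf-based listing; Get-ADPrincipalGroupMembership does include it.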