Group permissions are the access permissions applied to groups in Active Directory.
Once created, users are assigned to them. It’s like joining a club where someone else gets to decide whether you’re let in or not (as is often the case for any club worth joining).
The consolation for users is that they can be members of more than one group. For example, a department might set up a new project, which could be configured in Active Directory with its own group permissions.
Existentially speaking, Active Directory is all about being in the right group.
The first principle of network security is that humans spell trouble. (And this was true before zero trust became a buzzword).
Why? Put simply, because humans like doing things on networks that are either deeply unwise or probably fine but still make the admin nervous. Humans also have a habit of leaking credentials during phishing attacks, rendering their access potentially untrustworthy.
That’s why Active Directory has user permissions: to let people do some things but not other things. Interestingly, there are no humans in Active Directory, only objects. An object, of course, is not the same as a human, which makes the whole scheme seem impersonal. But at least admins sleep better.
The concept of administrative permissions is one of the most loaded and misunderstood in Active Directory. For this, we must blame history.
The networking from which Active Directory emerged in the 1990s was hierarchical. If you were an admin, you were in effect a digital god and could do anything you wanted. This was a bad idea and is why Active Directory has different types of admins – domain admins, enterprise admins, schema admins, and several other groups with their own rights – each conferring different powers.
It’s like a constellation of gods in which power is shared. Helpfully, some admin permissions can also be delegated to users or groups on the basis of least privilege. Despite this design, many users see the words “admin permissions” and imagine an all-powerful puppet master.
Thankfully, this is not true. Turns out, AD’s small step to set up different kinds of admins was indeed a great leap forward for mankind.
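Because membership in these admin groups is what actually confers the power, the practical check an admin makes is to list who ends up in them, nested memberships included, and compare that against the least-privilege intent. The script below is an added example, not part of the glossary: it uses the RSAT ActiveDirectory module and the default well-known group names (Domain Admins, Enterprise Admins, Schema Admins); the names may differ in a localized domain, and the caller needs read access to the domain.

```powershell
# Added example: enumerate the effective user membership of the privileged admin
# groups this glossary entry names. Assumes the RSAT ActiveDirectory module is
# installed and the default (English) well-known group names are in use.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')

$rootDomain = (Get-ADForest).RootDomain        # forest root holds the forest-wide groups
$currentDc  = (Get-ADDomain).PDCEmulator        # any writable DC of the current domain will do

foreach ($groupName in $privilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain,
    # so query the root for them and the current domain for Domain Admins.
    $server = if ($groupName -eq 'Domain Admins') { $currentDc } else { $rootDomain }

    $group = Get-ADGroup -Identity $groupName -Server $server -ErrorAction SilentlyContinue
    if (-not $group) {
        Write-Warning "Group '$groupName' was not found on $server (renamed or localized?)"
        continue
    }

    # -Recursive expands nested groups so indirectly granted members are not missed.
    # Note: members from other domains appear as foreign security principals and
    # will not resolve through Get-ADUser here; they are counted separately below.
    $rawMembers = @(Get-ADGroupMember -Identity $group -Server $server -Recursive)
    $users = $rawMembers |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Server $server -Properties Enabled, LastLogonDate
    $foreign = @($rawMembers | Where-Object { $_.objectClass -eq 'foreignSecurityPrincipal' })

    [PSCustomObject]@{
        Group            = $groupName
        Domain           = $server
        UserCount        = @($users).Count
        DisabledUsers    = @($users | Where-Object { -not $_.Enabled }).Count
        ForeignMembers   = $foreign.Count
        Members          = ($users | ForEach-Object { $_.SamAccountName } | Sort-Object) -join ', '
    }
}
```

Run it from a domain-joined workstation with RSAT; a disabled account or a long-idle LastLogonDate inside one of these groups is the usual sign that someone was added for a project and never removed, which is exactly the membership drift the least-privilege delegation in this entry is meant to avoid.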