Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authenticate users > Use Microsoft Active Directory for authentication

Groups spanning domains with Microsoft Active Directory

Overview

Functional levels that apply to Microsoft AD with WAS v8...

• Domain Functional Levels
  • Native
  • Supported by Windows Server 2008 and Windows Server 2008 R2
  • Default in Windows 2008

  Required for group nesting, and universal groups. Forest functional levels do not directly affect group membership. The Windows 2008 OS is the exception.

• Forest Functional Levels
  • Windows Server 2008 or Windows Server 2008 R2
  • All domains operate at the Windows Server 2008 domain functional level.

  If the forest functional level is set to Windows Server 2008, then that also makes the domain functional level for all domains to be Windows Server 2008 Native level, which adds to the group nesting and Universal groups features to Microsoft AD.

Microsoft Active Directory group types

Groups in Microsoft AD contain...

• user objects
• other group objects (group nesting)
• other objects types, such as computers

Group type determines the type of task managed with the group. Group scope determines whether the group can have members from multiple domains or a single domain.

Groups are typically a collection of user accounts. Members receive permission given to groups. Users can be members of multiple groups. Groups can be members of other groups, which are nested groups.

In WAS, security roles of the individual, which map to application permissions or authorizations, are bound to either users or groups at application deployment time. The ability to act in a given role is under the control of the directory administrator, instead of the WebSphere administrator. Because the job of the directory administrator is to create and delete users, change group memberships for users, and other tasks, this approach is generally the correct division of responsibilities.

Security groups	Grant permissions to resources
Distribution groups	Used by Windows applications as lists for nonsecurity-related functions. Used for sending email messages to groups of users. We cannot grant Windows permissions to security groups.

WAS can use either type of group. Security groups are typically bound to WAS security roles.

Microsoft AD group scopes

• Domain local group:

  • Windows usage: Members of this group can come from any domain, but can access Windows resources only in the local domain. Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native, and interim functional level of domains and forests.

  • Restriction: We cannot define group nesting in a domain local group. A domain local group cannot be a member of another domain local group or any other group in the same domain.

  • WebSphere usage: Users are not typically placed in domain - local groups due to these restrictions. WAS security roles are not typically bound to domain local groups.

• Global Group:

  • Windows usage: Members of this group originate from a local domain, but can access Windows resources in any domain. The global group is used to organize users who share similar Windows network access requirements. We can add members only from the domain in which the global group is created. We can use this group to assign permissions to gain access to Windows resources that are located in any domain in the domain, tree, or forest.

    We can group users with similar function under global scope and give permission to access a Windows resource, such as a printer or shared folder and files, that is available in local or another domain in the same forest. We can use global groups to grant permission to gain access to Windows resources that are located in any domain in a single forest as their memberships are limited. We can add user accounts and global groups only from the domain in which global group is created.

    Nesting is possible for global groups within other groups as you can add a global group into another global group from any domain. Members of a global group can be members of a domain - local group. Global groups exist in all mixed, native, and interim functional levels of domains and forests.

    WebSphere usage: Global groups are visible on every domain controller, but memberships are only visible for local users. That is, you can see your group memberships only if you query your home domain controller.

    A global group should contain groups of users. Global groups are intended to be included in universal groups.

• Universal Group:

  • Windows usage: Members in this group can come from any domain and access Windows resources in multiple domains. Universal group memberships are not limited like global groups. All domain user accounts and groups can be members of a universal group.

  • Restrictions:

    • Universal groups are available when the domain is at a Windows mixed functional level.

    • It can be expensive to replicate this data across the forest. Group definitions and deletions are relatively rare compared to the equivalent user actions, and nested group membership changes are typically rare compared to memberships of users within groups,

  • WebSphere usage:

    • Universal Groups and their memberships are visible on every domain controller in the forest.

    • Universal groups are also visible when using the Global Catalog.

      To be useful, all user objects must be directly in the universal group,

  • Guidelines

    1. Assign permissions to universal groups for Windows resources in any domain in the network.

    2. Use universal groups only when their membership is static. Changes in membership can cause excessive network traffic between domain controllers. Membership of universal groups can be replicated to many domain controllers.

    3. Add global groups from several domains to a universal group.

    4. Assign permissions for access to a Windows resource to the universal group and for use by WAS group membership resolution across multiple domains.

    5. Use a universal group in the same way as a domain local group to assign resource permissions.

Related

Microsoft AD Global Catalog
Options for finding group membership within a Microsoft AD forest
Authentication using Microsoft AD
Locate user group memberships in a LDAP registry
Authenticate users with LDAP registries in a Microsoft AD forest
Use Microsoft AD for authentication

+

Search Tips   |   Advanced Search