3.3 Explain important concepts pertaining to identity and access management for server administration.
📘CompTIA Server+ (SK0-005)
1. What Are User Groups?
A user group is a collection of user accounts that are managed together.
Instead of assigning permissions to each user individually, administrators:
- Place users into a group
- Assign permissions to the group
All users in the group automatically get the same access rights.
Key Idea:
👉 Groups simplify permission management
2. Why User Groups Are Important
User groups are used to:
- Reduce administrative work
- Improve security
- Ensure consistent access control
- Support scalability (easy to manage many users)
Example (IT Environment):
Instead of assigning file access to 100 users one by one:
- Create a group called “DatabaseAdmins”
- Add all database administrators to the group
- Assign permissions once to the group
3. Types of User Groups
3.1 Security Groups
- Used to assign permissions to resources
- Most important type for the exam
Used for:
- File access
- Folder permissions
- Application access
- Server roles
👉 Example:
- A group called “WebServerAdmins” can be given full control over a web server
3.2 Distribution Groups
- Used for communication (not security)
- Common in email systems
Used for:
- Sending emails to multiple users at once
👉 Example:
- Sending updates to all IT staff using one group email
⚠️ Important:
- Do NOT assign permissions using distribution groups: they are not security-enabled, so Windows never places them in a user's access token, and an ACL entry that names one grants nothing
4. Group Scope (Important Concept)
Group scope defines two things: where a group's members can come from, and where the group can be granted permissions.
4.1 Local Groups
- Exist in the local account database (SAM) of a single server or workstation
- Can be granted permissions only on that machine
- On a domain-joined server they can contain domain users and domain groups, but still only for access to that server's own resources
👉 Example:
- A local group on a file server that controls access to a folder on that server only
4.2 Domain Local Groups
- Can contain users, global groups and universal groups from any domain in the forest (and from trusted domains)
- Can be granted permissions only on resources in their own domain
👉 Best for:
- Resource access (files, printers, servers): one domain local group per resource and access level
4.3 Global Groups
- Can contain only users and global groups from their own domain
- Can be granted permissions, or nested into domain local groups, in any domain in the forest and in any trusting domain
👉 Best for:
- Organizing users based on roles (e.g., HR, IT, Finance)
4.4 Universal Groups
- Can contain users, global groups and universal groups from any domain in the forest
- Can be granted permissions in any domain in the forest
- Membership is stored in the global catalog, so it replicates forest-wide
👉 Best for:
- Cross-domain roles in multi-domain forests (the “U” in the AGUDLP variant)
5. Group Nesting
Group nesting means adding one group as a member of another group.
Why use nesting?
- Simplifies management
- Reduces duplication
- Supports scalable design
Example:
- Add the “IT Support Team” group into the “ServerAdmins” group
- Every member of IT Support Team now holds server admin permissions, including anyone added to IT Support Team later
⚠️ Nesting is also the most common way users end up with access nobody meant to grant: a membership change in one group silently changes access everywhere that group is nested.
Best Practice:
👉 Follow a structured model such as:
- AGDLP (Accounts → Global → Domain Local → Permissions): put user accounts into global groups that represent roles, put those global groups into domain local groups that represent one access level on one resource, and assign permissions only to the domain local groups
- AGUDLP adds a Universal group layer between Global and Domain Local for multi-domain forests
6. Permissions and User Groups
Permissions define what users can do with a resource.
When using groups:
- Permissions are assigned to groups
- Users receive permissions through group membership
Types of Permissions (NTFS basic permissions):
- Read
- Write
- Read & Execute
- Modify
- Full Control
How effective permissions are worked out:
- A user's effective access is the combination of every Allow entry that applies to the user or to any group the user belongs to
- A Deny entry takes precedence over an Allow entry at the same level (an explicit Allow on the object itself is evaluated before a Deny that is only inherited from a parent)
- Group memberships are placed in the user's access token at logon, so a membership change takes effect only after the user logs off and on again (`whoami /groups` lists the groups in the current token)
Key Rule:
👉 Users should get permissions through groups, not direct assignment
7. Principle of Least Privilege
This is a critical exam concept.
It means:
- Users should only have the minimum access needed
How groups help:
- Create role-based groups
- Assign only necessary permissions
👉 Example:
- A monitoring group should not have administrative rights
8. Role-Based Access Control (RBAC)
User groups are commonly used in RBAC.
RBAC = Access based on job role
Steps:
- Define roles (e.g., Admin, Operator, Auditor)
- Create groups for each role
- Assign permissions to groups
- Add users to appropriate groups
👉 Example:
- BackupOperators group → can perform backups but cannot modify system settings
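The following PowerShell script is an added example, not part of the Server+ objectives or of any vendor documentation. It carries out the RBAC steps above as an AGDLP chain for one resource with two roles: operators who may modify a backup folder and auditors who may only read it, plus a distribution group for the same team to show the security/distribution distinction from section 3. It assumes the RSAT ActiveDirectory module, rights to create groups in the OU shown, an existing folder on the server where it runs, and the NetBIOS domain name CORP; the OU path, group names, folder path and user accounts are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the Server+ objectives or any vendor documentation):
# build an AGDLP chain for a database backup folder with two roles.
# Assumptions: RSAT ActiveDirectory module, rights to create groups in $OU,
# the folder exists on this server, NetBIOS domain name is CORP.
Import-Module ActiveDirectory

$Domain   = "CORP"                             # assumed NetBIOS domain name
$OU       = "OU=Groups,DC=corp,DC=example"     # assumed OU that holds the groups
$Resource = "D:\DBBackups"                     # assumed folder on this server

# --- G: Global security groups represent job roles (RBAC steps 1 and 2) ---
$roles = @{
    "Role_DB_Operator" = "Operators: run and verify database backups"
    "Role_Auditor"     = "Auditors: review backup output, change nothing"
}
foreach ($name in $roles.Keys) {
    New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
        -GroupCategory Security -Path $OU -Description $roles[$name] | Out-Null
}

# --- DL: Domain Local security groups represent one access level on one resource ---
$access = @{
    "ACL_DBBackups_Modify" = [System.Security.AccessControl.FileSystemRights]::Modify
    "ACL_DBBackups_Read"   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
}
foreach ($name in $access.Keys) {
    New-ADGroup -Name $name -SamAccountName $name -GroupScope DomainLocal `
        -GroupCategory Security -Path $OU -Description "$Resource on $env:COMPUTERNAME" | Out-Null
}

# --- Nesting: role (G) into resource group (DL); least privilege: auditors get Read only ---
Add-ADGroupMember -Identity "ACL_DBBackups_Modify" -Members "Role_DB_Operator"
Add-ADGroupMember -Identity "ACL_DBBackups_Read"   -Members "Role_Auditor"

# --- A: users go into role groups only (RBAC step 4). Assumed user accounts. ---
# Their new access appears at their next logon, when the access token is rebuilt.
Add-ADGroupMember -Identity "Role_DB_Operator" -Members "jdoe"
Add-ADGroupMember -Identity "Role_Auditor"     -Members "asmith"

# --- P: the permission is granted once, to each DL group, in the folder's NTFS ACL ---
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$acl = Get-Acl -Path $Resource
foreach ($name in $access.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList "$Domain\$name", $access[$name], $inherit, $prop, "Allow"
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Resource -AclObject $acl

# --- Distribution group for the same team: mail only, never used in an ACL ---
New-ADGroup -Name "DB_Team_Announcements" -SamAccountName "DB_Team_Announcements" `
    -GroupScope Universal -GroupCategory Distribution -Path $OU | Out-Null

# --- Check: who actually ends up with each access level, resolved through the nesting ---
foreach ($name in $access.Keys) {
    "$name ->"
    Get-ADGroupMember -Identity $name -Recursive | Select-Object -ExpandProperty SamAccountName
}
```

Note that no user account appears in the ACL and no permission is attached to a role group: changing who is an operator means editing Role_DB_Operator, and changing what operators may do means editing the ACE on ACL_DBBackups_Modify, each in exactly one place.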
9. Default/System Groups
Operating systems create built-in groups with predefined rights.
Examples (Windows):
- Administrators
- Users
- Backup Operators
- Power Users
Important Notes:
- These groups already have predefined rights and permissions
- Some are far more powerful than their names suggest: Backup Operators holds the backup and restore privileges, which let its members read and overwrite any file regardless of its ACL, so treat it as administrator-equivalent
- Power Users is a legacy group: since Windows Vista/Server 2008 it grants nothing beyond Users and is kept only for compatibility
- Membership in built-in groups should be reviewed as carefully as membership in Administrators
10. Best Practices for User Groups
10.1 Use Groups Instead of Individual Permissions
- Easier to manage
- Reduces errors
10.2 Follow Naming Conventions
- Use clear and consistent names
- Example:
- “HR_ReadOnly”
- “DB_Admins”
10.3 Limit Group Membership
- Add a user to a group only when the user's role actually requires the access it grants
- Keep privileged groups (Administrators, Domain Admins, Backup Operators) as small as possible and review them most often
10.4 Regularly Review Groups
- Remove inactive users
- Check for excessive permissions
10.5 Avoid Overlapping Permissions
- When several groups grant permissions on the same resource, the effective access is their combination, and it becomes hard to tell which group gave a user a particular right
- One group per resource and access level (e.g., “HR_ReadOnly”, “HR_Modify”) keeps the answer obvious
10.6 Document Group Usage
- Keep records of:
- Group purpose
- Assigned permissions
11. Common Issues and Risks
11.1 Privilege Creep
- Users accumulate access over time
👉 Solution:
- Periodic audits
11.2 Misconfigured Groups
- Incorrect permissions assigned
👉 Solution:
- Test and verify group permissions
11.3 Nested Group Complexity
- Too many nested groups become hard to manage
👉 Solution:
- Keep structure simple and documented
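The script below is an added example, not part of the Server+ objectives or of any vendor documentation. It is the periodic review called for in 10.4 and 11.1, and it reports the three issues in this section as findings: nested groups inside privileged groups (11.3), disabled or stale accounts that still hold privileged membership (11.1), ACL entries that name a user directly instead of a group (11.2 and the key rule of section 6), and who sits in the built-in local groups of section 9. It assumes the RSAT ActiveDirectory module, read access to the domain, the local-accounts cmdlets of Windows Server 2016/PowerShell 5.1 or later; the group list, share path and 90-day threshold are placeholders to adapt.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the Server+ objectives or any vendor documentation):
# periodic review of privileged groups and one share ACL.
# Assumptions: RSAT ActiveDirectory module, read access to the domain,
# Get-LocalGroupMember available (Server 2016+/PowerShell 5.1+).
Import-Module ActiveDirectory

$PrivilegedGroups = "Domain Admins", "Administrators", "Backup Operators", "Account Operators", "Server Operators"
$ShareRoot        = "D:\DBBackups"               # assumed share root to check
$Cutoff           = (Get-Date).AddDays(-90)      # assumed staleness threshold

function New-Finding($Group, $Type, $Subject, $Detail) {
    [pscustomobject]@{ Group = $Group; Finding = $Type; Subject = $Subject; Detail = $Detail }
}

$findings = @(foreach ($g in $PrivilegedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$g'"
    if (-not $group) { continue }

    # 11.3: every nested group is a path by which rights spread; report each one.
    Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'group' | ForEach-Object {
        New-Finding $g 'NestedGroup' $_.SamAccountName "all members of this group hold $g rights"
    }

    # 11.1: effective (recursive) membership is who really holds the rights.
    Get-ADGroupMember -Identity $group -Recursive | Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties Enabled, LastLogonDate | ForEach-Object {
            if (-not $_.Enabled) {
                New-Finding $g 'DisabledMember' $_.SamAccountName 'disabled account still in a privileged group'
            } elseif (-not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff) {
                New-Finding $g 'StaleMember' $_.SamAccountName "last logon: $($_.LastLogonDate)"
            }
        }
})

# 11.2 / section 6 key rule: explicit ACEs that name a user instead of a group.
$findings += (Get-Acl -Path $ShareRoot).Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
    $account = $_.IdentityReference.Value.Split('\')[-1]
    if (Get-ADUser -Filter "SamAccountName -eq '$account'") {
        New-Finding $ShareRoot 'DirectUserACE' $_.IdentityReference.Value "$($_.AccessControlType) $($_.FileSystemRights)"
    }
}

# Section 9: built-in local groups on this server hold both local and domain principals.
$findings += foreach ($lg in "Administrators", "Backup Operators") {
    Get-LocalGroupMember -Group $lg -ErrorAction SilentlyContinue | ForEach-Object {
        New-Finding "$env:COMPUTERNAME\$lg" 'LocalPrivileged' $_.Name "source: $($_.PrincipalSource)"
    }
}

$findings | Sort-Object Group, Finding, Subject | Format-Table -AutoSize
$findings | Export-Csv -Path "$env:TEMP\group-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it on a schedule and keep the CSV: comparing two runs shows exactly which memberships and ACEs appeared since the last review, which is the evidence privilege creep otherwise hides.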
12. Exam Tips (Very Important)
- Security groups = used for permissions
- Distribution groups = used for email only
- Know group scope types (Local, Global, Domain Local, Universal)
- Understand group nesting (AGDLP model)
- Apply Principle of Least Privilege
- Use RBAC with groups
- Avoid assigning permissions directly to users
Final Summary
User groups are a core part of identity and access management. They:
- Simplify permission management
- Improve security
- Support scalable administration
Instead of managing users individually:
👉 Administrators manage groups, and groups manage access
