Security Group Management Test

Groups are used to collect user accounts, computer accounts, and other groups into manageable units. Working with groups instead of with individual users helps simplify network maintenance and administration.

Group scope normally describes which users should be grouped together so that they are easy to administer. Groups therefore play an important part in a domain. One group can be a member of other group(s), which is known as group nesting. One or more groups can be members of any group in the entire domain(s) within a forest. The different types of group scopes are as follows:

  • Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which the domain local group was created. Domain local groups can exist in all mixed, native, and interim functional levels of domains and forests. Domain local group membership is not limited: user accounts, universal groups, and global groups from any domain can be added as members. Nesting cannot be done in a domain local group. A domain local group will not be a member of another Domain Local group or of any other group in the same domain.
  • Global Group: Users with similar functions can be grouped under global scope and given permission to access a resource (like a printer or shared folder and files) available in the local domain or in another domain in the same forest. Simply put, global groups can be used to grant permissions to access resources that are located in any domain, but in a single forest, as their memberships are limited. User accounts and global groups can be added only from the domain in which the global group is created. Nesting is possible in Global groups within other groups, as users can add a global group into another global group from any domain. They can be members of a Domain Local group to provide permission to domain-specific resources (like printers and published folders). Global groups exist in all mixed, native, and interim functional levels of domains and forests.
  • Universal Group Scope: These groups are used specifically for email distribution and can be granted access to resources in all trusted domains. Universal group memberships are not limited like those of global groups. All domain user accounts and groups can be members of a universal group. Universal groups can be nested under a global or Domain Local group in any domain.

Administrators may want to be alerted whenever a group or member is created, modified, or deleted, as such changes may sometimes trigger performance or operational changes. For instance, changes in the membership of Universal groups will impose global catalog replication throughout an entire enterprise. Also, changes in group configuration, if performed carelessly, can pose a serious security threat, as they may allow malicious users access to critical directory resources. This is why it is important that administrators periodically run the Security Group Management test. This test keeps track of changes made to groups and members, and promptly notifies administrators when such changes are made. Moreover, the detailed diagnosis of the test also reveals the details of the changes. For instance, if a global group is created, the detailed metrics provided by the test indicate which group was created and which user created it. This enables administrators to determine whether or not the change was made by an authorized user.

Target of the test: An Active Directory

Agent deploying the test: An internal agent

Outputs of the test: One set of results for every Active Directory site that is being monitored

Configurable parameters for the test

| Parameter | Description |
|---|---|
| Test period | Indicates how often the test should be executed. |
| Host | The IP address of the machine where the Active Directory is installed. |
| Port | The port number through which the Active Directory communicates. The default port number is 389. |
| DD Frequency | Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time this test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD Frequency. |
| Detailed Diagnosis | To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option. |

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.

Measurements made by the test

| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| Universal group created | Indicates the number of universal groups created during the last measurement period. | Number | The detailed diagnosis of this measure reveals the universal groups that were newly created and the user who created each group. |
| Universal group changed | Indicates the number of universal groups that were changed during the last measurement period. | Number | The detailed diagnosis of this measure reveals the universal groups that were changed and the user who made the change. |
| Universal group deleted | Indicates the number of universal groups that were deleted during the last measurement period. | Number | The detailed diagnosis of this measure reveals the universal groups that were deleted and the user who deleted the group. |
| Member added to universal group | Indicates the number of members added to universal groups during the last measurement period. | Number | The detailed diagnosis of this measure reveals the universal groups to which members were added and the user who added the members. |
| Member removed from universal group | Indicates the number of members removed from universal groups during the last measurement period. | Number | The detailed diagnosis of this measure reveals the universal groups from which members were removed and the user who removed the members. |
| Global group created | Indicates the number of global groups created during the last measurement period. | Number | The detailed diagnosis of this measure reveals the global groups that were newly created and the user who created each group. |
| Global group changed | Indicates the number of global groups that were changed during the last measurement period. | Number | The detailed diagnosis of this measure reveals the global groups that were changed and the user who made the change. |
| Global group deleted | Indicates the number of global groups that were deleted during the last measurement period. | Number | The detailed diagnosis of this measure reveals the global groups that were deleted and the user who deleted each group. |
| Member added to global group | Indicates the number of members added to global groups during the last measurement period. | Number | The detailed diagnosis of this measure reveals the global groups to which members were added and the user who added the members. |
| Member removed from global group | Indicates the number of members removed from global groups during the last measurement period. | Number | The detailed diagnosis of this measure reveals the global groups from which members were removed and the user who removed the members. |
| Local group created | Indicates the number of local groups created during the last measurement period. | Number | The detailed diagnosis of this measure reveals the local groups that were newly created and the user who created each group. |
| Local group changed | Indicates the number of local groups that were changed during the last measurement period. | Number | The detailed diagnosis of this measure reveals the local groups that were changed and the user who made the change. |
| Local group deleted | Indicates the number of local groups that were deleted during the last measurement period. | Number | The detailed diagnosis of this measure reveals the local groups that were deleted and the user who deleted each group. |
| Member added to local group | Indicates the number of members added to local groups during the last measurement period. | Number | The detailed diagnosis of this measure reveals the local groups to which members were added and the user who added the members. |
| Member removed from local group | Indicates the number of members removed from local groups during the last measurement period. | Number | The detailed diagnosis of this measure reveals the local groups from which members were removed and the user who removed the members. |
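
The fifteen measures above line up with the Windows Security events logged under the Security Group Management audit subcategory. The following Python is an added example, not eG Enterprise code: it tallies those events for one measurement period and builds the group, actor and member detail for each count. It assumes the events have already been exported as dictionaries keyed by the Windows event field names, and that an allow-list of authorized administrators (hypothetical names here) is available.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows "Security Group Management" audit event IDs -> measure names above.
MEASURES = {
    4754: "Universal group created", 4755: "Universal group changed",
    4758: "Universal group deleted", 4756: "Member added to universal group",
    4757: "Member removed from universal group",
    4727: "Global group created", 4737: "Global group changed",
    4730: "Global group deleted", 4728: "Member added to global group",
    4729: "Member removed from global group",
    4731: "Local group created", 4735: "Local group changed",
    4734: "Local group deleted", 4732: "Member added to local group",
    4733: "Member removed from local group",
}

def measure_period(events, period_end, minutes, authorized=frozenset()):
    """Return (counts, diagnosis) for events in (period_end - minutes, period_end]."""
    start = period_end - timedelta(minutes=minutes)
    counts = {name: 0 for name in MEASURES.values()}
    diagnosis = defaultdict(list)
    for ev in events:
        name = MEASURES.get(ev["EventID"])
        if name is None:
            continue  # not a security group management event
        if not start < datetime.fromisoformat(ev["TimeCreated"]) <= period_end:
            continue  # belongs to another measurement period
        counts[name] += 1
        diagnosis[name].append({
            "group": ev["TargetUserName"], "changed_by": ev["SubjectUserName"],
            "member": ev.get("MemberName"),  # present on add/remove events only
            "authorized": ev["SubjectUserName"].lower() in authorized,
        })
    return counts, dict(diagnosis)

# Constructed sample events, not real log data. Keys follow Windows event
# field names; the `authorized` allow-list is an assumption of this example.
SAMPLE_EVENTS = [
    {"EventID": 4754, "TimeCreated": "2024-05-01T10:02:00",
     "TargetUserName": "Mail-All", "SubjectUserName": "adm.jlee"},
    {"EventID": 4728, "TimeCreated": "2024-05-01T10:03:30",
     "TargetUserName": "Domain Admins", "SubjectUserName": "svc.backup",
     "MemberName": "CN=Temp User,OU=Staff,DC=example,DC=test"},
    {"EventID": 4734, "TimeCreated": "2024-05-01T09:40:00",
     "TargetUserName": "Old-Printers", "SubjectUserName": "adm.jlee"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:04:00",
     "TargetUserName": "adm.jlee", "SubjectUserName": "-"},
]
```

Calling `measure_period(SAMPLE_EVENTS, datetime(2024, 5, 1, 10, 5), 5, authorized={"adm.jlee"})` counts the two in-window group events and marks the `Domain Admins` addition by `svc.backup` as not authorized.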