AD Groups, Service Accounts & GPO

Last updated: January 13, 2026

📚 Reference: This guide aligns with Group Policy Overview and Group Managed Service Accounts

The Day I Learned About Proper Group Strategy

Early in my career, I inherited an environment where every user was a member of Domain Admins "temporarily" – some for over three years. When I asked why, the response was "it's easier than figuring out permissions."

That audit failure waiting to happen taught me the importance of proper group strategy, service account management, and Group Policy design. This article shares what I've learned managing these critical AD components across hundreds of deployments.

Active Directory Groups: The Foundation of Access Control

Groups are the workhorses of Active Directory permissions. Every well-designed AD environment I've built relies on strategic group usage.

Group Types

AD has two fundamental group types:

Security Groups

Used for assigning permissions to resources.

# Create security group
New-ADGroup -Name "Finance-FullAccess" `
    -GroupScope Global `
    -GroupCategory Security `
    -Path "OU=Security Groups,OU=Groups,DC=company,DC=com" `
    -Description "Full access to Finance file shares"

Distribution Groups

Used for email distribution (Exchange, Microsoft 365).

# Create distribution group
New-ADGroup -Name "All-Finance-Team" `
    -GroupScope Universal `
    -GroupCategory Distribution `
    -Path "OU=Distribution Groups,OU=Groups,DC=company,DC=com" `
    -Description "Email distribution for Finance department"

Group Scopes: Understanding the Differences

This is where I see most administrators get confused.

Domain Local Groups

Scope: Can contain members from any domain in the forest
Use: Assign permissions to resources in the same domain
My Use Case: Resource access groups

Example: Finance-FileServer-ReadAccess (Domain Local)
├── Members: Finance-Users (Global Group)
└── Assigned To: \\FileServer\Finance (NTFS permissions)

Global Groups

Scope: Can only contain members from the same domain
Use: Organize users by role or department
My Use Case: User organization groups

Example: Finance-Users (Global)
├── Members: Individual user accounts from company.com
└── Member Of: Finance-FileServer-ReadAccess (Domain Local)

Universal Groups

Scope: Can contain members from any domain
Use: Cross-domain group membership
My Use Case: Multi-domain environments

Example: All-VPN-Users (Universal)
├── Members: Corp-VPN-Users (Global from corp.company.com)
│          Sales-VPN-Users (Global from sales.company.com)
└── Assigned To: VPN server access policy

The AGDLP Strategy (My Standard Approach)

Accounts → Global groups → Domain Local groups → Permissions

Real-World AGDLP Example

# Step 1: Create Global group for users
New-ADGroup -Name "Finance-Users" `
    -GroupScope Global `
    -GroupCategory Security `
    -Path "OU=Department Groups,OU=Groups,DC=company,DC=com"

# Step 2: Add users to Global group
Add-ADGroupMember -Identity "Finance-Users" `
    -Members "jsmith","kjones","rbrown"

# Step 3: Create Domain Local group for resource access
New-ADGroup -Name "FinanceShare-Modify" `
    -GroupScope DomainLocal `
    -GroupCategory Security `
    -Path "OU=Resource Groups,OU=Groups,DC=company,DC=com"

# Step 4: Add Global group to Domain Local group
Add-ADGroupMember -Identity "FinanceShare-Modify" `
    -Members "Finance-Users"

# Step 5: Assign permissions to Domain Local group
$acl = Get-Acl "\\FileServer\Finance"
$permission = "COMPANY\FinanceShare-Modify","Modify","ContainerInherit,ObjectInherit","None","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
Set-Acl "\\FileServer\Finance" $acl

Group Nesting Best Practices

Good Nesting Strategy:
IT-Admins (Global)
├── IT-HelpDesk (Global)
├── IT-SysAdmins (Global)
└── IT-NetworkAdmins (Global)

Resource Access:
ServerRoom-Access (Domain Local)
├── IT-SysAdmins (Global)
└── Facilities-Managers (Global)

Avoid deep nesting (I limit to 3 levels):

# Check group nesting depth
function Get-ADGroupNesting {
    param($GroupName, $Depth = 0)
    
    if ($Depth -gt 3) {
        Write-Warning "Group $GroupName exceeds recommended nesting depth!"
    }
    
    $members = Get-ADGroupMember -Identity $GroupName
    foreach ($member in $members | Where-Object {$_.objectClass -eq 'group'}) {
        Get-ADGroupNesting -GroupName $member.SamAccountName -Depth ($Depth + 1)
    }
}

Group Management Scripts

# Find empty groups
Get-ADGroup -Filter * -Properties Members | 
    Where-Object {$_.Members.Count -eq 0} | 
    Select-Object Name, DistinguishedName

# Find groups a user is member of (including nested)
Get-ADUser jsmith -Properties MemberOf | 
    Select-Object -ExpandProperty MemberOf | 
    ForEach-Object {Get-ADGroup $_} | 
    Select-Object Name, GroupScope

# Audit group membership changes
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4728,4729,4732,4733,4756,4757
} | Select-Object TimeCreated, Message

# Export group membership
Get-ADGroup "Finance-Users" -Properties Members | 
    Select-Object -ExpandProperty Members | 
    ForEach-Object {Get-ADUser $_} | 
    Select-Object Name, SamAccountName, EmailAddress | 
    Export-Csv "C:\Reports\Finance-Users.csv" -NoTypeInformation

Service Accounts: The Right Way

Service accounts are some of the most critical and often poorly managed objects in AD.

Types of Service Accounts I Use

1. Standard Domain User Accounts (Legacy Method)

# Create standard service account
New-ADUser -Name "svc-SQLServer" `
    -SamAccountName "svc-SQLServer" `
    -UserPrincipalName "[email protected]" `
    -Path "OU=Service Accounts,OU=Corporate,DC=company,DC=com" `
    -AccountPassword (ConvertTo-SecureString "ComplexP@ssw0rd123!" -AsPlainText -Force) `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Description "SQL Server service account"

# Configure SPNs
setspn -A MSSQLSvc/SQLSERVER01.company.com:1433 svc-SQLServer

Problems with this approach:

Manual password management
Password never expires = security risk
Shared credentials risk exposure

2. Managed Service Accounts (MSA)

Introduced in Windows Server 2008 R2 – automatic password management for single server.

# Create MSA
New-ADServiceAccount -Name "svc-WebApp-MSA" `
    -RestrictToSingleComputer `
    -AccountPassword (ConvertTo-SecureString "TempP@ss123!" -AsPlainText -Force)

# Install MSA on server
Install-ADServiceAccount -Identity "svc-WebApp-MSA"

# Configure service to use MSA
$service = Get-WmiObject -Class Win32_Service -Filter "Name='MyWebService'"
$service.Change($null,$null,$null,$null,$null,$null,"COMPANY\svc-WebApp-MSA$",$null,$null,$null,$null)

Limitation: Only works on single computer

3. Group Managed Service Accounts (gMSA) – My Preferred Method

Can be used across multiple servers with automatic password rotation.

Creating gMSA Step-by-Step

# Step 1: Create KDS Root Key (ONE TIME per domain)
# In production, omit -EffectiveImmediately and wait 10 hours for replication
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

# Verify KDS Root Key
Get-KdsRootKey

# Step 2: Create security group for servers that can use gMSA
New-ADGroup -Name "WebServers-gMSA-Access" `
    -GroupScope Global `
    -GroupCategory Security `
    -Path "OU=Service Account Groups,OU=Groups,DC=company,DC=com"

# Add web servers to group
Add-ADGroupMember -Identity "WebServers-gMSA-Access" `
    -Members "WEB01$","WEB02$","WEB03$"

# Step 3: Create gMSA
New-ADServiceAccount -Name "svc-WebApp" `
    -DNSHostName "svc-WebApp.company.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "WebServers-gMSA-Access" `
    -ServicePrincipalNames "HTTP/webapp.company.com","HTTP/webapp" `
    -Description "Web Application service account (gMSA)"

# Step 4: Install gMSA on web servers
# Run on each web server:
Install-ADServiceAccount -Identity "svc-WebApp"

# Verify installation
Test-ADServiceAccount -Identity "svc-WebApp"

# Step 5: Configure service/application pool to use gMSA
# For IIS Application Pool:
Import-Module WebAdministration
Set-ItemProperty IIS:\AppPools\MyAppPool -Name processModel.identityType -Value 3
Set-ItemProperty IIS:\AppPools\MyAppPool -Name processModel.userName -Value "COMPANY\svc-WebApp$"
Set-ItemProperty IIS:\AppPools\MyAppPool -Name processModel.password -Value ""

# For Windows Service:
sc.exe config "MyService" obj= "COMPANY\svc-WebApp$" password= ""

Service Account Best Practices

From my deployments:

Naming Convention

svc-{Application}-{Environment}
Examples:
- svc-SQLProd
- svc-WebApp-Dev
- svc-BackupAgent

Dedicated OU Structure

OU: Service Accounts
├── OU: Standard Service Accounts
├── OU: Managed Service Accounts
└── OU: Group Managed Service Accounts

Least Privilege

# Grant only required permissions
# Example: SQL service account needs:
# - Log on as a service
# - Local admin on SQL server
# - Specific database permissions

# DON'T add to Domain Admins!

Regular Auditing

# Find service accounts with admin privileges
$adminGroups = @("Domain Admins", "Enterprise Admins", "Schema Admins")
foreach ($group in $adminGroups) {
    Get-ADGroupMember -Identity $group -Recursive | 
        Where-Object {$_.Name -like "svc-*"} | 
        Select-Object Name, @{Name="AdminGroup";Expression={$group}}
}

# Find service accounts not used in 90 days
Search-ADAccount -AccountInactive -TimeSpan 90 -UsersOnly | 
    Where-Object {$_.Name -like "svc-*"} | 
    Select-Object Name, LastLogonDate

Migrating from Standard to gMSA

# Document current service account usage
$services = Get-WmiObject Win32_Service | 
    Where-Object {$_.StartName -like "*svc-WebApp*"} | 
    Select-Object Name, StartName, State

# Create gMSA (as shown above)
# Install gMSA on target servers
# Update service configuration
# Test thoroughly!
# Disable old account after verification period

Set-ADUser -Identity "svc-WebApp-OLD" -Enabled $false

Group Policy Objects (GPO): Centralized Configuration Management

GPOs are how I enforce configurations across thousands of computers without touching each one.

GPO Architecture

GPO Processing Order (LSDOU)

GPOs apply in this order (later policies win in case of conflict):

Local Computer Policy
Site-level GPOs
Domain-level GPOs
OU-level GPOs (parent to child)

Creating and Linking GPOs

# Create new GPO
New-GPO -Name "Workstation-Security-Baseline" -Comment "Security settings for workstations"

# Link GPO to OU
New-GPLink -Name "Workstation-Security-Baseline" `
    -Target "OU=Workstations,OU=Corporate,DC=company,DC=com" `
    -LinkEnabled Yes

# Set link order (lower number = higher priority)
Set-GPLink -Name "Workstation-Security-Baseline" `
    -Target "OU=Workstations,OU=Corporate,DC=company,DC=com" `
    -Order 1

# Enforce GPO (cannot be blocked by child OUs)
Set-GPLink -Name "Security-Baseline" `
    -Target "DC=company,DC=com" `
    -Enforced Yes

GPO Structure: Computer vs User Configuration

GPO: Workstation-Security-Baseline
├── Computer Configuration
│   ├── Policies
│   │   ├── Windows Settings
│   │   │   ├── Security Settings
│   │   │   │   ├── Account Policies (Password, Lockout)
│   │   │   │   ├── Local Policies (Audit, User Rights)
│   │   │   │   ├── Windows Firewall
│   │   │   │   └── Advanced Audit Policy
│   │   │   └── Scripts (Startup, Shutdown)
│   │   └── Administrative Templates
│   │       ├── Windows Components
│   │       ├── System
│   │       └── Network
│   └── Preferences
│       ├── Windows Settings (Registry, Files)
│       └── Control Panel Settings
└── User Configuration
    ├── Policies
    │   ├── Windows Settings
    │   │   └── Scripts (Logon, Logoff)
    │   └── Administrative Templates
    │       └── User-specific settings
    └── Preferences
        ├── Drive Maps
        ├── Printers
        └── Registry

Common GPOs I Deploy

1. Security Baseline GPO

# Password Policy (Domain Level Only!)
$GPO = "Default Domain Policy"

# Set password requirements
Set-GPRegistryValue -Name $GPO -Key "HKLM\System\CurrentControlSet\Control\Lsa" `
    -ValueName "MinimumPasswordLength" -Type DWord -Value 14

# Account Lockout Policy
Set-GPRegistryValue -Name $GPO -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
    -ValueName "LockoutDuration" -Type DWord -Value 30

# Audit Policy
$auditSettings = @"
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
"@

# Enable advanced audit policy
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable

2. Workstation Hardening GPO

$GPO = "Workstation-Hardening"

# Disable removable storage
Set-GPRegistryValue -Name $GPO `
    -Key "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices" `
    -ValueName "Deny_All" -Type DWord -Value 1

# Enable Windows Firewall
Set-GPRegistryValue -Name $GPO `
    -Key "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" `
    -ValueName "EnableFirewall" -Type DWord -Value 1

# Disable AutoRun
Set-GPRegistryValue -Name $GPO `
    -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoDriveTypeAutoRun" -Type DWord -Value 255

# Enable LAPS
Set-GPRegistryValue -Name $GPO `
    -Key "HKLM\Software\Policies\Microsoft Services\AdmPwd" `
    -ValueName "AdmPwdEnabled" -Type DWord -Value 1

3. Software Deployment GPO

# Deploy MSI package
$GPO = "Software-Deployment"

# Copy MSI to NETLOGON
Copy-Item "C:\Software\App.msi" "\\company.com\NETLOGON\Software\"

# Add package to GPO (GUI required for this)
# Or use msiexec in startup script:
$script = @'
msiexec.exe /i "\\company.com\NETLOGON\Software\App.msi" /qn /norestart
'@

Set-GPRegistryValue -Name $GPO `
    -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" `
    -ValueName "InstallApp" -Type String -Value $script

4. Drive Mapping GPO

# Create drive mapping preference
$GPO = "User-Drive-Mappings"

# This requires Group Policy Preferences
# Example: Map H: drive to \\fileserver\home\%username%
# Configured via GPMC GUI or PowerShell:

$xml = @"
<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">
  <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="H:" status="H:" image="2">
    <Properties action="U" thisDrive="SHOW" allDrives="NOCHANGE" userName="" 
                path="\\fileserver\home\%username%" label="" persistent="1" useLetter="1" letter="H"/>
  </Drive>
</Drives>
"@

# Save to GPO preferences directory
$gpoPath = "\\company.com\SYSVOL\company.com\Policies\{GPO-GUID}\User\Preferences\Drives"
$xml | Out-File "$gpoPath\Drives.xml" -Encoding UTF8

GPO Filtering and Targeting

Security Filtering

# Remove Authenticated Users (default)
Set-GPPermission -Name "IT-Admin-Tools" `
    -TargetName "Authenticated Users" `
    -TargetType Group `
    -PermissionLevel None

# Add specific group
Set-GPPermission -Name "IT-Admin-Tools" `
    -TargetName "IT-Admins" `
    -TargetType Group `
    -PermissionLevel GpoApply

WMI Filtering

# Create WMI filter for laptops only
$wmiFilter = @"
SELECT * FROM Win32_Battery
"@

# Create filter
$filter = New-GPO -Name "Laptop-WMI-Filter"
Set-GPWmiFilter -Name "Laptop-Filter" -Expression $wmiFilter

# Apply WMI filter to GPO
$gpo = Get-GPO -Name "Laptop-Power-Settings"
$gpo.WmiFilter = Get-GPWmiFilter -Name "Laptop-Filter"

# Example WMI filters I use:
# Laptops: SELECT * FROM Win32_Battery
# Specific OS: SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.%"
# Domain Controllers: SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5
# Workstations: SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 1

Item-Level Targeting (Preferences)

More granular than WMI filtering:

<!-- Example: Apply only if user is member of Finance group -->
<Filters>
  <FilterGroup bool="AND" not="0" name="Finance Users">
    <FilterMembership bool="AND" not="0" group="COMPANY\Finance-Users" />
  </FilterGroup>
</Filters>

<!-- Apply only on Windows 10/11 -->
<Filters>
  <FilterGroup bool="AND" not="0" name="Windows 10+">
    <FilterOS bool="AND" not="0" class="OperatingSystem" version="10.0.*" />
  </FilterGroup>
</Filters>

GPO Troubleshooting

Check Applied GPOs

# On client computer
gpresult /R

# Detailed HTML report
gpresult /H C:\GPReport.html

# Remote computer
gpresult /S COMPUTER01 /U COMPANY\administrator /P * /H C:\GPReport-COMPUTER01.html

# PowerShell method
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\GPReport.html

Force GPO Update

# Update computer policies
gpupdate /force

# Update only computer configuration
gpupdate /target:computer /force

# Update only user configuration
gpupdate /target:user /force

# Remote update
Invoke-GPUpdate -Computer "COMPUTER01" -Force

# Update all computers in OU
Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=company,DC=com" | 
    ForEach-Object {Invoke-GPUpdate -Computer $_.Name -Force}

GPO Processing Logs

# Enable GPO logging
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics" `
    /v GPSvcDebugLevel /t REG_DWORD /d 0x00030002 /f

# View logs
Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" -MaxEvents 50

# GPO event IDs I monitor:
# 4016 - Starting computer policy processing
# 4017 - Finished computer policy processing
# 5016 - Starting user policy processing
# 5017 - Finished user policy processing
# 1502 - GPO processing errors

Check GPO Replication

# Compare SYSVOL version with AD version
dcdiag /test:frssysvol
dcdiag /test:sysvolcheck

# Force replication
repadmin /syncall /AdeP

# Check Group Policy versions
Get-GPO -All | ForEach-Object {
    [PSCustomObject]@{
        Name = $_.DisplayName
        Computer Version = $_.Computer.DSVersion
        User Version = $_.User.DSVersion
        Modified = $_.ModificationTime
    }
} | Format-Table

GPO Backup and Restore

# Backup all GPOs
$backupPath = "C:\GPO-Backups\$(Get-Date -Format 'yyyy-MM-dd')"
Backup-GPO -All -Path $backupPath

# Backup specific GPO
Backup-GPO -Name "Security-Baseline" -Path $backupPath

# Restore GPO
Restore-GPO -Name "Security-Baseline" -Path $backupPath

# Import GPO to new GPO
$backup = Get-GPOBackup -Path $backupPath -Name "Security-Baseline" | 
    Sort-Object BackupTime | Select-Object -Last 1
Import-GPO -BackupId $backup.Id -TargetName "New-Security-Baseline" -Path $backupPath

GPO Reporting

# Generate HTML report for GPO
Get-GPOReport -Name "Security-Baseline" -ReportType Html -Path "C:\Reports\Security-Baseline.html"

# All GPOs report
Get-GPOReport -All -ReportType Html -Path "C:\Reports\All-GPOs.html"

# XML report for processing
Get-GPOReport -Name "Security-Baseline" -ReportType Xml -Path "C:\Reports\Security-Baseline.xml"

# Custom report showing links
Get-GPO -All | ForEach-Object {
    $gpo = $_
    $links = (Get-GPOReport -Guid $gpo.Id -ReportType Xml | 
        Select-Xml -XPath "//LinksTo").Node.SOMPath
    
    [PSCustomObject]@{
        GPOName = $gpo.DisplayName
        Links = $links -join "; "
        Modified = $gpo.ModificationTime
        ComputerVersion = $gpo.Computer.DSVersion
        UserVersion = $gpo.User.DSVersion
    }
} | Export-Csv "C:\Reports\GPO-Links.csv" -NoTypeInformation

Real-World Scenarios

Scenario 1: Deploying Administrative Tools

# Create GPO for IT administrators
$gpoName = "IT-Administrative-Tools"
New-GPO -Name $gpoName

# Link to IT OU
New-GPLink -Name $gpoName -Target "OU=IT,OU=Users,DC=company,DC=com"

# Configure security filtering (only IT-Admins group)
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" `
    -PermissionLevel None
Set-GPPermission -Name $gpoName -TargetName "IT-Admins" `
    -PermissionLevel GpoApply

# Install RSAT tools via GPO
# Add registry keys for RSAT installation
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" `
    -ValueName "InstallRSAT" -Type String `
    -Value "powershell.exe -Command `"Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0`""

Scenario 2: Desktop Lockdown for Kiosk Computers

$gpoName = "Kiosk-Lockdown"
New-GPO -Name $gpoName
New-GPLink -Name $gpoName -Target "OU=Kiosks,OU=Computers,DC=company,DC=com"

# Remove access to Control Panel
Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoControlPanel" -Type DWord -Value 1

# Remove Run command
Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoRun" -Type DWord -Value 1

# Disable Task Manager
Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
    -ValueName "DisableTaskMgr" -Type DWord -Value 1

# Force specific wallpaper
Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
    -ValueName "Wallpaper" -Type String -Value "\\fileserver\wallpapers\kiosk.jpg"

Scenario 3: Time-Based Access Control

# Create gMSA for scheduled task
New-ADServiceAccount -Name "svc-NightlyBackup" `
    -DNSHostName "svc-NightlyBackup.company.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "BackupServers"

# Create GPO to configure scheduled task
$gpoName = "Backup-Schedule"
New-GPO -Name $gpoName
New-GPLink -Name $gpoName -Target "OU=Servers,DC=company,DC=com"

# Configure scheduled task via GPO
# (Requires GPP Scheduled Tasks - configured in GUI or XML)

# Verify time sync for accurate scheduling
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\DateTime\Servers" `
    -ValueName "1" -Type String -Value "time.windows.com"

Best Practices Summary

Groups

Use AGDLP strategy for resource access
Limit nesting to 3 levels maximum
Name groups consistently (Department-Function-Access)
Document group purpose in description field
Regular cleanup of empty/unused groups

Service Accounts

Prefer gMSA over standard accounts
Never use for interactive logon
Apply least privilege rigorously
Separate OU for service accounts
Audit regularly for excessive permissions

Group Policy

Test in dev/test environment first
Use descriptive names and comments
Backup before modifications
Link to OUs, not to domain (except security policies)
Minimize enforced GPOs
Regular GPO cleanup - remove unused policies
Document purpose of each GPO
Use security filtering appropriately
Monitor GPO processing in event logs
Version control GPO backups

Conclusion

Mastering AD Groups, Service Accounts, and Group Policy transforms AD from a simple directory to a powerful management platform. In my deployments, proper use of these components has:

Reduced password-related security incidents by 80%
Decreased help desk tickets through automated configuration
Enabled rapid deployment of security patches and software
Provided granular access control without administrative overhead

In the next article, we'll dive into Active Directory Federation Services (ADFS) for enterprise single sign-on.

hashtagThe Day I Learned About Proper Group Strategy

hashtagActive Directory Groups: The Foundation of Access Control

hashtagGroup Types

hashtagSecurity Groups

hashtagDistribution Groups

hashtagGroup Scopes: Understanding the Differences

hashtagDomain Local Groups

hashtagGlobal Groups

hashtagUniversal Groups

hashtagThe AGDLP Strategy (My Standard Approach)

hashtagReal-World AGDLP Example

hashtagGroup Nesting Best Practices

hashtagGroup Management Scripts

hashtagService Accounts: The Right Way

hashtagTypes of Service Accounts I Use

hashtag1. Standard Domain User Accounts (Legacy Method)

hashtag2. Managed Service Accounts (MSA)

hashtag3. Group Managed Service Accounts (gMSA) – My Preferred Method

hashtagCreating gMSA Step-by-Step

hashtagService Account Best Practices

hashtagMigrating from Standard to gMSA

hashtagGroup Policy Objects (GPO): Centralized Configuration Management

hashtagGPO Architecture

hashtagGPO Processing Order (LSDOU)

hashtagCreating and Linking GPOs

hashtagGPO Structure: Computer vs User Configuration

hashtagCommon GPOs I Deploy

hashtag1. Security Baseline GPO

hashtag2. Workstation Hardening GPO

hashtag3. Software Deployment GPO

hashtag4. Drive Mapping GPO

hashtagGPO Filtering and Targeting

hashtagSecurity Filtering

hashtagWMI Filtering

hashtagItem-Level Targeting (Preferences)

hashtagGPO Troubleshooting

hashtagCheck Applied GPOs

hashtagForce GPO Update

hashtagGPO Processing Logs

hashtagCheck GPO Replication

hashtagGPO Backup and Restore

hashtagGPO Reporting

hashtagReal-World Scenarios

hashtagScenario 1: Deploying Administrative Tools

hashtagScenario 2: Desktop Lockdown for Kiosk Computers

hashtagScenario 3: Time-Based Access Control

hashtagBest Practices Summary

hashtagGroups

hashtagService Accounts

hashtagGroup Policy

hashtagConclusion

hashtagFurther Reading