AD Groups, Service Accounts & GPO

Last updated: January 13, 2026

📚 Reference: This guide aligns with Microsoft's Group Policy Overview and Group Managed Service Accounts documentation.

The Day I Learned About Proper Group Strategy

Early in my career, I inherited an environment where every user was a member of Domain Admins "temporarily" – some for over three years. When I asked why, the response was "it's easier than figuring out permissions."

That audit failure waiting to happen taught me the importance of proper group strategy, service account management, and Group Policy design. This article shares what I've learned managing these critical AD components across hundreds of deployments.

Active Directory Groups: The Foundation of Access Control

Groups are the workhorses of Active Directory permissions. Every well-designed AD environment I've built relies on strategic group usage.

Group Types

AD has two fundamental group types:

Security Groups

Used for assigning permissions to resources.

# Create security group
New-ADGroup -Name "Finance-FullAccess" `
    -GroupScope Global `
    -GroupCategory Security `
    -Path "OU=Security Groups,OU=Groups,DC=company,DC=com" `
    -Description "Full access to Finance file shares"

Distribution Groups

Used for email distribution (Exchange, Microsoft 365).

Group Scopes: Understanding the Differences

This is where I see most administrators get confused.

Domain Local Groups

  • Scope: Can contain members from any domain in the forest

  • Use: Assign permissions to resources in the same domain

  • My Use Case: Resource access groups

Global Groups

  • Scope: Can only contain members from the same domain

  • Use: Organize users by role or department

  • My Use Case: User organization groups

Universal Groups

  • Scope: Can contain members from any domain

  • Use: Cross-domain group membership

  • My Use Case: Multi-domain environments

The AGDLP Strategy (My Standard Approach)

Accounts → Global groups → Domain Local groups → Permissions
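The chain above carried out end to end, as an added example (not the article's own code): accounts go into a Global role group, that group is nested in a Domain Local resource group, and only the Domain Local group appears in the share ACL. The OU path, share path, NetBIOS domain COMPANY, user jdoe and group names are assumptions.

```powershell
# Added example (not from the original article): AGDLP for one file share.
# Assumed names: the OU path, share path, domain COMPANY, user "jdoe", group names.
Import-Module ActiveDirectory

$groupOu   = "OU=Security Groups,OU=Groups,DC=company,DC=com"  # assumption
$sharePath = "\\fs01\Finance"                                   # assumption
$roleGroup = "Finance-Users"          # G: who someone is (role/department)
$aclGroup  = "ACL-Finance-Modify"     # DL: what they may do on one resource

# G: Global group that collects accounts by role
New-ADGroup -Name $roleGroup -GroupScope Global -GroupCategory Security `
    -Path $groupOu -Description "Finance department staff (AGDLP role group)"

# DL: Domain Local group that carries the permission on the resource
New-ADGroup -Name $aclGroup -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOu -Description "Modify on $sharePath (AGDLP resource group)"

# A -> G: accounts go into the role group (constructed sample user)
Add-ADGroupMember -Identity $roleGroup -Members "jdoe"

# G -> DL: nest the role group inside the resource group
Add-ADGroupMember -Identity $aclGroup -Members $roleGroup

# DL -> P: the ACL names only the Domain Local group, never users or role groups
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    "COMPANY\$aclGroup", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check: ACEs on the share should reference only DL groups, and the user should
# reach the share through Global -> Domain Local, not through a direct ACE
(Get-Acl -Path $sharePath).Access | Select-Object IdentityReference, FileSystemRights
Get-ADPrincipalGroupMembership -Identity "jdoe" | Select-Object Name, GroupScope
```

Reviewing the share ACL for user or Global-group entries is the quickest way to find where the pattern has been bypassed.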


Real-World AGDLP Example

Group Nesting Best Practices

Avoid deep nesting (I limit to 3 levels):

Group Management Scripts

Service Accounts: The Right Way

Service accounts are some of the most critical and often poorly managed objects in AD.

Types of Service Accounts I Use

1. Standard Domain User Accounts (Legacy Method)

Problems with this approach:

  • Manual password management

  • Password never expires = security risk

  • Shared credentials risk exposure

2. Managed Service Accounts (MSA)

Introduced in Windows Server 2008 R2 – automatic password management, but for a single server only.

Limitation: Only works on a single computer

3. Group Managed Service Accounts (gMSA) – My Preferred Method

Can be used across multiple servers with automatic password rotation.
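A gMSA shared by two web hosts, as an added example (not the article's own code): the hosts are collected in a group that is allowed to retrieve the password, the account is created with AES-only Kerberos and a 30-day rotation, and each host installs and tests it. The gMSA name, host group, OU, DNS host name and computer names WEB01/WEB02 are assumptions.

```powershell
# Added example (not from the original article): one gMSA shared by two web
# hosts. Assumed names: gMSA, host group, OU, DNS host name, WEB01/WEB02.
Import-Module ActiveDirectory

$gmsaName  = "svc-webapp"                                         # assumption (15-char SAM limit)
$hostGroup = "gMSA-WebApp-Hosts"                                  # assumption
$svcOu     = "OU=Service Accounts,OU=Accounts,DC=company,DC=com"  # assumption
$hosts     = "WEB01", "WEB02" | ForEach-Object { Get-ADComputer -Identity $_ }  # constructed

# One-time per forest: the KDS root key that DCs derive gMSA passwords from.
# After creation, wait about 10 hours for replication before creating gMSAs
# (labs sometimes back-date it with -EffectiveTime; do not do that in production).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# A group of allowed hosts is easier to audit and extend than listing
# computers directly on the account
New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security `
    -Path $svcOu -Description "Computers allowed to retrieve the $gmsaName password"
Add-ADGroupMember -Identity $hostGroup -Members $hosts

# The password interval can only be set at creation time
New-ADServiceAccount -Name $gmsaName -DNSHostName "webapp.company.com" `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30 -KerberosEncryptionType AES256 `
    -Path $svcOu -Description "gMSA for WebApp on WEB01/WEB02"

# On each host, after a reboot so its Kerberos ticket carries the new group:
Install-ADServiceAccount -Identity $gmsaName
Test-ADServiceAccount  -Identity $gmsaName   # True only if this host may retrieve the password

# Audit view: who can read the password, how often it rotates, last rotation
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword,
    ManagedPasswordIntervalInDays, PasswordLastSet |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword,
                  ManagedPasswordIntervalInDays, PasswordLastSet
```

The final query is the one to run periodically: any principal in PrincipalsAllowedToRetrieveManagedPassword that is not an expected host group is a finding.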


Creating gMSA Step-by-Step

Service Account Best Practices

From my deployments:

  1. Naming Convention

  2. Dedicated OU Structure

  3. Least Privilege

  4. Regular Auditing

Migrating from Standard to gMSA

Group Policy Objects (GPO): Centralized Configuration Management

GPOs are how I enforce configurations across thousands of computers without touching each one.

GPO Architecture


GPO Processing Order (LSDOU)

GPOs apply in this order (later policies win in case of conflict):

  1. Local Computer Policy

  2. Site-level GPOs

  3. Domain-level GPOs

  4. OU-level GPOs (parent to child)
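The order above, reconstructed for one computer from its container chain, as an added example (not the article's own code). It walks domain, then OUs parent to child, reverses each container's link order (link order 1 is applied last), drops non-enforced links above a blocked OU, and puts enforced links last with the domain's enforced links winning. It assumes the RSAT ActiveDirectory and GroupPolicy modules; Get-GPInheritance takes a domain or OU, so site-level links are not included and local policy is implied as step 0. The computer name WS-FIN-001 is constructed.

```powershell
# Added example (not from the original article): reconstruct the LSDOU
# processing order for one computer from Get-GPInheritance. Local policy is
# implied as step 0; site links are not returned by this cmdlet (assumption:
# none linked). Computer name WS-FIN-001 is constructed.
Import-Module ActiveDirectory, GroupPolicy

function Get-LsdouOrder {
    param([Parameter(Mandatory)][string]$ComputerName)
    $domainDn = (Get-ADDomain).DistinguishedName
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName

    # Container chain: domain first, then OUs from the top down to the computer's OU
    $ous = @()
    $cur = $dn -replace '^[^,]+,', ''                       # drop the computer's own RDN
    while ($cur -and $cur -ne $domainDn) {
        if ($cur -like 'OU=*') { $ous = @($cur) + $ous }    # CN= containers cannot hold links
        $cur = $cur -replace '^[^,]+,', ''
    }
    $chain = @($domainDn) + $ous

    $normal = @(); $enforced = @()
    foreach ($container in $chain) {
        $inh = Get-GPInheritance -Target $container
        # Block Inheritance discards every non-enforced link from containers above
        if ($inh.GpoInheritanceBlocked) { $normal = @() }
        $block = @()
        # Link order 1 is the highest precedence at this container, so it is applied last
        foreach ($link in ($inh.GpoLinks | Sort-Object Order -Descending)) {
            if (-not $link.Enabled) { continue }
            $entry = [pscustomobject]@{ Level = $inh.ContainerType; Container = $inh.Name
                                        GPO = $link.DisplayName; Enforced = $link.Enforced }
            if ($link.Enforced) { $block += $entry } else { $normal += $entry }
        }
        # Enforced links apply after all others, parent beating child: prepend each
        # container's block so the domain's enforced links end up last
        $enforced = $block + $enforced
    }
    $i = 0
    foreach ($e in @($normal + $enforced)) {
        $i++
        [pscustomobject]@{ Step = $i; Level = $e.Level; Container = $e.Container
                           GPO = $e.GPO; Enforced = $e.Enforced }
    }
}

Get-LsdouOrder -ComputerName "WS-FIN-001" | Format-Table -AutoSize
```

Compare the output against gpresult /scope:computer /r on the machine itself; a difference usually means a site link, security or WMI filtering, or stale replication.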


Creating and Linking GPOs

GPO Structure: Computer vs User Configuration

Common GPOs I Deploy

1. Security Baseline GPO

2. Workstation Hardening GPO

3. Software Deployment GPO

4. Drive Mapping GPO

GPO Filtering and Targeting

Security Filtering

WMI Filtering

Item-Level Targeting (Preferences)

More granular than WMI filtering:

GPO Troubleshooting

Check Applied GPOs

Force GPO Update

GPO Processing Logs

Check GPO Replication

GPO Backup and Restore

GPO Reporting

Real-World Scenarios

Scenario 1: Deploying Administrative Tools

Scenario 2: Desktop Lockdown for Kiosk Computers

Scenario 3: Time-Based Access Control

Best Practices Summary

Groups

  1. Use AGDLP strategy for resource access

  2. Limit nesting to 3 levels maximum

  3. Name groups consistently (Department-Function-Access)

  4. Document group purpose in description field

  5. Regular cleanup of empty/unused groups

Service Accounts

  1. Prefer gMSA over standard accounts

  2. Never use for interactive logon

  3. Apply least privilege rigorously

  4. Separate OU for service accounts

  5. Audit regularly for excessive permissions

Group Policy

  1. Test in dev/test environment first

  2. Use descriptive names and comments

  3. Backup before modifications

  4. Link to OUs, not to the domain (except security policies)

  5. Minimize enforced GPOs

  6. Regular GPO cleanup - remove unused policies

  7. Document purpose of each GPO

  8. Use security filtering appropriately

  9. Monitor GPO processing in event logs

  10. Version control GPO backups

Conclusion

Mastering AD Groups, Service Accounts, and Group Policy transforms AD from a simple directory to a powerful management platform. In my deployments, proper use of these components has:

  • Reduced password-related security incidents by 80%

  • Decreased help desk tickets through automated configuration

  • Enabled rapid deployment of security patches and software

  • Provided granular access control without administrative overhead

In the next article, we'll dive into Active Directory Federation Services (ADFS) for enterprise single sign-on.

