
Shadow Groups

Have you ever just wanted to assign permissions on a file or folder to an Active Directory (AD) Organizational Unit (OU)? Well, that still isn’t possible, but you can achieve the same effect with Shadow Groups (SG) and Restricted Groups (RG).

So here we go. FYI, I am assuming you already have an AD setup, an OU with users in it, and know how to get around in Active Directory Users and Computers (ADUC) and the Group Policy Management Console (GPMC).

Let’s say you have an OU called StormTroopers and it has some user accounts in it. To make a shadow group for this OU, open the OU, right-click some white space in the right-hand pane of ADUC, and create a new Security Group with the scope (Local/Global/Universal) that is best for you.
I might have a post on the differences between the group scopes in the future, so stay tuned.

Anyway, back to my story. Name this new group the exact name of the OU, in our case StormTroopers, and now you have a Shadow Group … what a mysterious name for something that isn’t that hard.

Now all you need to do is adjust the Access Control List (ACL) of a file or folder to add the SG you just made.

Well, that was fun and quite useful, but what if you want to make sure the members of that SG stay the same even if someone adds to that SG by accident? Yeah, we’ll say it was an accident.

In GPMC create a new GPO, name it what you will, and edit it. Drill down through Computer Configuration > Policies > Windows Settings > Security Settings to Restricted Groups. Right click in the white space in the right hand pane and select Add Group… Type in the SG or click Browse… to find it in AD. Under Members of this group: click Add… Type in the user names or click Browse… to find them in AD. Click OK or Apply all the way out of the group properties and close the GPO.

In GPMC, right-click the OU that contains your Domain Controllers, click Link an Existing GPO…, find your newly created RG GPO and click OK. To apply this new GPO right away, open cmd.exe and run gpupdate /force. Or you can just wait for GP to refresh on its own; the default is 15 minutes. All you have to do now is assign your new SG some ACLs on a file or folder.
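Restricted Groups pins the SG’s membership to whatever you typed into the GPO, so a user moved into the OU later is not picked up until you edit the policy. If you would rather have the SG track the OU automatically, a scheduled sync does the job. The script below is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, an existing group named StormTroopers, and the placeholder OU DN `OU=StormTroopers,DC=example,DC=com`.

```powershell
# Added example: mirror an OU's direct user members into its shadow group.
# Assumes the RSAT ActiveDirectory module is installed and the group already exists.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName
    )

    # Users directly in the OU (OneLevel), so child OUs get their own shadow groups.
    $wanted = @{}
    Get-ADUser -Filter * -SearchBase $OuDistinguishedName -SearchScope OneLevel |
        ForEach-Object { $wanted[$_.DistinguishedName] = $true }

    # Current members of the shadow group, keyed by DN.
    $current = @{}
    Get-ADGroupMember -Identity $GroupName |
        ForEach-Object { $current[$_.DistinguishedName] = $true }

    # Anything in the OU but not in the group gets added; anything in the group
    # but not in the OU (the "accidental" member) gets removed.
    $toAdd    = @($wanted.Keys  | Where-Object { -not $current.ContainsKey($_) })
    $toRemove = @($current.Keys | Where-Object { -not $wanted.ContainsKey($_) })

    if ($toAdd.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($GroupName, "add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $GroupName -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($GroupName, "remove $($toRemove.Count) stray member(s)")) {
        Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
    }

    # Summary object, handy for logging from a scheduled task.
    [pscustomobject]@{ Group = $GroupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Dry run first (-WhatIf prints the planned changes without touching AD); placeholder DN.
Sync-ShadowGroup -OuDistinguishedName 'OU=StormTroopers,DC=example,DC=com' `
                 -GroupName 'StormTroopers' -WhatIf
```

Drop the `-WhatIf` once the dry run looks right and run it from a scheduled task under an account that can modify the group; the Removed count in the output is a cheap way to spot members someone slipped in by hand.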