Security groups are what most people think of when discussing groups. A security group is a collection of users who have specific rights and permissions to resources. Rather than giving rights to perform certain tasks to individual users, and then setting permissions as to what resources that user can access, the rights and permissions are applied to the group. Any users who are members of the group then acquire this same level of security access. In doing so, collections of users are handled as a single unit, rather than as individuals.
Although both can be applied to a group account, rights and permissions are different from one another. Rights are assigned to users and groups, and control the actions a user or member of a group can take. For example, a member of the Backup Operators group has the ability to back up and restore data, while a member of the Administrators group has the ability to perform almost any action. As we'll see later in this chapter, there are a number of security groups to which users can be added, and each of these groups provides differing levels of access. In Windows Server 2003, rights are also sometimes called privileges. You might have noticed this earlier when viewing the output of the command WHOAMI /ALL.
Permissions are used to control access to resources. When permissions are assigned to a group, they determine what the members of the group can do with a particular resource. For example, one group might only be given Read permissions to a file (so they can view but not modify it), while another group might be given Full Control (allowing them to do anything to the file). Through permissions, you can control the level of access a user or group receives to a shared resource.
Security groups are able to obtain such access because they are given a SID when the group account is first created. Because the group has a SID, it can be part of a DACL, which lists the permissions users and groups have to a resource. When the user logs on, an access token is created that includes their SID and those of any groups of which they're a part. When they try to access a resource, this access token is compared to the DACL to see what permissions should be given to the user. It is through this process and the use of groups that the user obtains more (and in some cases, less) access than has been explicitly given to his or her account.
Another benefit of a security group is that you can send e-mail to it. When e-mail is sent to a group, every member of the group receives the e-mail. This saves having to send an e-mail message to each individual user.
While security groups are used for access control, distribution groups are used for sharing information. This type of group has nothing to do with security. It is used for distributing e-mail messages to groups of users. Rather than sending the same message to one user after another, distribution groups allow applications such as Microsoft Exchange to send e-mails to collections of users.
Distribution groups can't be used for security purposes because they can't be listed in DACLs. When a new distribution group is created, it isn't given a SID, preventing it from being listed in the DACL. Although users who are members of different security groups can be added to a distribution group, it has no effect on the permissions and rights associated with their accounts.
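The comparison of an access token against a DACL described above, and the reason distribution group membership contributes nothing to it, can be modeled in a few lines. This is an added example, not code from the original text or from Windows itself; the SIDs, group names and rights flags are constructed, simplified values, and the ordering of deny entries ahead of allow entries is the canonical Windows ACE order, which the text does not discuss.

```python
# Simplified model of the Windows DACL access check (added example).
# SIDs are constructed sample values; rights are simplified bit flags,
# not the real Windows access-mask constants.
READ, WRITE, FULL = 0x1, 0x2, 0x3

ALICE = "S-1-5-21-1000-2000-3000-1101"        # user account (constructed)
SALES = "S-1-5-21-1000-2000-3000-1201"        # security group (constructed)
CONTRACTORS = "S-1-5-21-1000-2000-3000-1202"  # security group (constructed)


def build_token(user_sid, security_group_sids):
    """Access token created at logon: the user's SID plus the SIDs of
    the security groups the user belongs to. Distribution groups are
    never passed in here, so they can never match an ACE."""
    return {user_sid, *security_group_sids}


def access_check(token, dacl, desired):
    """Walk the ACEs in order. A deny ACE that matches a token SID and
    covers a still-needed right ends the check; allow ACEs accumulate
    rights until everything requested has been granted."""
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in token:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False  # rights never granted are implicitly denied


# DACL in canonical order: deny ACEs before allow ACEs.
REPORT_DACL = [
    ("deny", CONTRACTORS, WRITE),
    ("allow", ALICE, READ),
    ("allow", SALES, FULL),
]

if __name__ == "__main__":
    cases = {
        "no groups": build_token(ALICE, []),
        "Sales": build_token(ALICE, [SALES]),
        "Sales + Contractors": build_token(ALICE, [SALES, CONTRACTORS]),
    }
    for name, token in cases.items():
        print(name, "read:", access_check(token, REPORT_DACL, READ),
              "write:", access_check(token, REPORT_DACL, WRITE))
```

The three tokens show the user gaining write access through the Sales group and losing it again through the Contractors group, which is the "more (and in some cases, less)" effect of group membership.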