Within the Active Directory a group is defined as a collection of user accounts, computer accounts, other group accounts, and contacts that can be managed as a single entity. Groups are used to simplify administration by allowing you to administer many accounts (through group membership) as opposed to manually administering individual user accounts.
In the following sections, you will learn about group scope and group type, default groups created on a Windows 2003 domain, how to create a new group, how to manage groups, and how to identify what groups a user belongs to.
On a Windows 2003 domain controller in the Active Directory, groups are characterized by group scope and group type.
Group scope is used to determine if the group is limited to a single domain or if the group can span multiple domains. Group scopes are used to assign permissions to resources. The three types of group scopes are:
Domain Local Groups: Domain local groups are used to assign permissions to resources. Domain local groups can contain user accounts, universal groups, and global groups from any domain in the tree or forest. A domain local group can also contain other domain local groups from its own local domain. Microsoft recommends that global groups be added to domain local groups in a single-domain environment and that universal groups be added to the domain local group in a multi-domain environment. User accounts should not be added to a domain local group.
Global Groups: Global groups are used to organize users who have similar network access requirements. A global group is simply a container of users. Global groups can contain users and global groups (in native mode) from the local domain.
Universal Groups: Universal groups are used to logically organize global groups and appear in the Global Catalog (a search engine that contains limited information about every object in the Active Directory). Universal groups can contain users (not recommended) from anywhere in the domain tree or forest, other universal groups, and global groups.
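The membership rules above can be checked mechanically against a planned group design before it is built. The following Python sketch is an added example, not part of the original text; the account and group names, the domains (corp, emea), and the audit and effective_users helpers are constructed for illustration.

```python
# Constructed sample: name -> (kind, domain, members); kind is "user" or a scope.
DIRECTORY = {
    "alice": ("user", "corp", []),
    "bob": ("user", "corp", []),
    "carol": ("user", "emea", []),
    "GG_Sales": ("global", "corp", ["alice", "bob"]),
    "GG_EMEA_Sales": ("global", "emea", ["carol"]),
    "GG_Bad": ("global", "corp", ["carol"]),
    "UG_AllSales": ("universal", "corp", ["GG_Sales", "GG_EMEA_Sales"]),
    "DL_SalesShare_RW": ("domain_local", "corp", ["UG_AllSales", "bob"]),
    "DL_Emea": ("domain_local", "emea", ["DL_SalesShare_RW"]),
}
# Member kinds each scope may contain, per the text; True = same domain only.
ALLOWED = {
    "domain_local": {"user": False, "global": False, "universal": False, "domain_local": True},
    "global": {"user": True, "global": True},
    "universal": {"user": False, "global": False, "universal": False},
}
# Permitted by the directory but advised against in the text.
DISCOURAGED = {("domain_local", "user"), ("universal", "user")}

def audit(directory):
    """Return (severity, group, member, reason) for each rule the nesting breaks."""
    findings = []
    # User entries have no members, so the inner loop only runs for groups.
    for name, (kind, domain, members) in sorted(directory.items()):
        for member in members:
            mkind, mdomain, _ = directory[member]
            if mkind not in ALLOWED[kind]:
                findings.append(("ERROR", name, member, f"{kind} cannot contain {mkind}"))
            elif ALLOWED[kind][mkind] and mdomain != domain:
                findings.append(("ERROR", name, member, f"{mkind} must come from {domain}"))
            elif (kind, mkind) in DISCOURAGED:
                findings.append(("WARN", name, member, f"user placed directly in {kind} group"))
    return findings

def effective_users(directory, group, seen=None):
    """Expand nested membership to user accounts; 'seen' guards against cycles."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for member in directory[group][2]:
        is_user = directory[member][0] == "user"
        users |= {member} if is_user else effective_users(directory, member, seen)
    return users

if __name__ == "__main__":
    for finding in audit(DIRECTORY):
        print(*finding, sep=" | ")
```

Calling effective_users on a domain local group shows every account that ends up with the permissions assigned to it, including accounts that arrive through nested global and universal groups.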
Group type is used to organize users, computers, and other groups into logical objects that are used for management purposes. There are two group types:
Security Group: A security group is a logical group of users who need to access specific resources. Security groups are listed in Discretionary Access Control Lists (DACLs) to assign permissions to resources.
Distribution Group: A distribution group is a logical group of users who have common characteristics. Applications and e-mail programs (for example, Microsoft Exchange) can use distribution groups. Distribution groups can't be listed in DACLs and therefore have no permissions. This allows these groups to execute at very high speed.