Get to Know Your Active Directory Groups
Microsoft Active Directory is a directory service that is used on Windows domains, comes included with the Windows Server operating system and has been around since Windows 2000. Active Directory exposes its database over the Lightweight Directory Access Protocol (LDAP) and is responsible for keeping track of all the information on your Windows domain such as users, groups, computers, servers, printers and many other objects. It allows administrators to manage all these objects and services from one central location rather than having to go from computer to computer to get things done. Many other programs can tie into Active Directory to manage user accounts and other objects as well.
Active Directory has several built in groups that you can use to assign users or computers to so they have the permissions they need to get their jobs done. You can also create your own groups and assign those groups various levels of access and permissions. This article covers the seven main kinds of groups: two domain group types (security and distribution), each available in three scopes, plus the local security group.
The two domain group types are security groups and distribution groups, and each of them comes in one of three group scopes, which are discussed next. When creating a new Active Directory group you will need to choose between a security and a distribution group and also choose the group scope.
Security groups contain users who have been assigned permissions and access to specified resources such as shared folders, printers and other objects. By using a security group, administrators don't need to assign these permissions on a user by user basis; instead they create the group, grant the permissions to the group and then add users to it. A user who is added to a security group gets all the rights that go with it, starting at the next logon, because group membership is written into the user's access token when the user logs on. If a user is in more than one security group that has permissions on the same object, the permissions are cumulative: the user's effective rights are the union of everything granted to the user account and to each of those groups, with one exception, an explicit Deny entry overrides any matching Allow. So if User A has Modify access to the Sales folder through the Sales group and Read only access through the Marketing group, User A's effective permission on the Sales folder is Modify, not Read. The "most restrictive wins" rule applies to a different situation: when a folder is reached over the network and has both share permissions and NTFS permissions, the effective access is the more restrictive of the two.
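The cumulative rule above is easy to check on a real folder. The following PowerShell function is an added example (not code from the original article): it reads the NTFS ACL of a path, keeps only the entries that name the current user or one of the groups in the user's access token, ORs all Allow bits together and then removes any Deny bits. It assumes a canonical ACL (explicit Deny entries ordered before Allow), ignores ownership and privilege shortcuts such as SeBackupPrivilege, and the path C:\Shares\Sales used at the end is a placeholder.

```powershell
# Added example: effective NTFS rights for the current user on a path.
# Allows from every matching ACE accumulate; any Deny bit overrides.
# Assumptions: canonical ACL order, no owner/privilege shortcuts, and the
# token already reflects the user's group membership (needs a fresh logon
# after a membership change).
function Get-EffectiveNtfsRights {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [System.Security.Principal.WindowsIdentity] $Identity =
            [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )

    # SIDs the access check is evaluated against: the user plus every token group
    # (this includes well-known groups such as Everyone and Authenticated Users).
    $tokenSids = @($Identity.User.Value) + @($Identity.Groups | ForEach-Object { $_.Value })

    $acl = Get-Acl -Path $Path
    [int] $allow = 0
    [int] $deny  = 0

    foreach ($ace in $acl.Access) {
        # ACEs are reported by account name; translate to a SID for comparison.
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # orphaned SID that no longer resolves
        }
        if ($tokenSids -notcontains $aceSid) { continue }

        # Cast to int so generic access masks (large or negative values) combine cleanly.
        if ($ace.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int] $ace.FileSystemRights
        } else {
            $deny = $deny -bor [int] $ace.FileSystemRights
        }
    }

    # Union of all Allow bits, minus anything explicitly denied.
    $effective = $allow -band (-bnot $deny)

    [PSCustomObject]@{
        Path      = $Path
        Principal = $Identity.Name
        Allowed   = [System.Security.AccessControl.FileSystemRights] $allow
        Denied    = [System.Security.AccessControl.FileSystemRights] $deny
        Effective = [System.Security.AccessControl.FileSystemRights] $effective
    }
}

# Placeholder path; point it at a folder where you are in more than one granted group.
Get-EffectiveNtfsRights -Path 'C:\Shares\Sales'
```

With the Sales/Marketing setup from the text, the Allowed column shows Modify (Modify ORed with ReadAndExecute is still Modify) and Effective matches it unless some group carries a Deny entry, in which case those bits disappear from Effective.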
Distribution groups are used to send emails for communication purposes. So rather than having to send the same email to 20 sales people for example, if those 20 people are all in the Sales distribution group then you can send one email to the Sales distribution group and all 20 people in that group will get the email. These types of groups are typically used when you have your email configured on an email server such as Microsoft Exchange.
When setting up a security or distribution group you will also need to choose a scope for that group. The scope determines two things: who can be a member of the group (accounts and groups from the same domain only, or from anywhere in the forest and trusting domains) and where the group can be granted permissions (only in its own domain, or in any domain in the forest and in trusting domains). There are three group scopes that you can assign to a security or distribution group.
Domain Local Group
This scope is used to manage permissions and access to resources in the domain in which the group was created. A domain local group can contain user and computer accounts, global groups and universal groups from any domain in the forest (or from a trusting domain), plus other domain local groups from its own domain. It can be granted permissions only on resources in its own domain, which makes it the natural place to hold the actual permission (the ACL entry on a shared folder, for example) while the people are collected in the groups nested inside it.
Global Group
Global groups are used to hold the user accounts and computer accounts of their own domain, and they can be used to grant those accounts access to resources in other domains. A global group can contain only accounts and other global groups from the same domain. It can be a member of global groups in the same domain and of domain local and universal groups in any domain in the forest. Permissions can be granted on any domain in the same forest as well as in trusting domains and forests. Global group membership is not replicated to the global catalog, so these groups are the usual place to collect users by role, even when membership changes often.
Universal Group
Universal groups are used in large Active Directory forests where you need to grant access and manage resources across multiple domains. They can contain user and computer accounts, global groups and other universal groups from any domain in the forest. They can be members of domain local groups or other universal groups, but not of global groups. Permissions can be granted on any domain in the same forest or in a trusting forest. Universal group membership is replicated to every global catalog server in the forest, so keep it stable: nest global groups in a universal group rather than adding individual users to it.
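The category and scope choices described above, and the nesting rules for the three scopes, come together in the common accounts, global group, domain local group, permission pattern. The following PowerShell script is an added example, not code from the original article. It assumes the RSAT ActiveDirectory module, a domain named corp.example with an OU OU=Groups,DC=corp,DC=example, an existing user jsmith, and a folder C:\Shares\Sales on the file server where it runs; all of those names are placeholders.

```powershell
# Added example: create security and distribution groups with explicit category
# and scope, nest them according to the scope rules, and put the permission on
# the domain local group. Domain, OU, user and folder names are placeholders.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example'

# 1. Global security group: holds the accounts of this domain. Any domain in the
#    forest can use it, but only this domain's accounts can be members.
New-ADGroup -Name 'Sales-Staff' -GroupScope Global -GroupCategory Security `
    -Path $ou -Description 'All sales staff (role group)'

# 2. Domain local security group: receives the ACL entry on the resource.
#    It may contain global and universal groups from any trusted domain.
New-ADGroup -Name 'ACL-Sales-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $ou -Description 'Modify on C:\Shares\Sales (resource group)'

# 3. Distribution group: mail only, cannot appear in an ACL. Exchange would normally
#    mail-enable it; setting the mail attribute directly is only for illustration.
New-ADGroup -Name 'Sales-Announce' -GroupScope Universal -GroupCategory Distribution `
    -Path $ou -OtherAttributes @{ mail = 'sales-announce@corp.example' }

# 4. Nest: user -> global group -> domain local group.
Add-ADGroupMember -Identity 'Sales-Staff'      -Members 'jsmith'
Add-ADGroupMember -Identity 'ACL-Sales-Modify' -Members 'Sales-Staff'

# 5. The reverse nesting violates the scope rules (a global group cannot contain
#    a domain local group), so the directory rejects it.
try {
    Add-ADGroupMember -Identity 'Sales-Staff' -Members 'ACL-Sales-Modify' -ErrorAction Stop
} catch {
    Write-Warning "Expected failure: $($_.Exception.Message)"
}

# 6. Grant the domain local group Modify on the folder, inherited by subfolders and files.
$folder = 'C:\Shares\Sales'
$acl    = Get-Acl -Path $folder
$rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\ACL-Sales-Modify',
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 7. Verify. Direct memberships only:
Get-ADPrincipalGroupMembership -Identity 'jsmith' |
    Select-Object Name, GroupScope, GroupCategory

# Effective memberships including nesting, via the LDAP matching-rule-in-chain
# filter (the same expansion the user's token will see after the next logon):
$userDn = (Get-ADUser -Identity 'jsmith').DistinguishedName
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" |
    Select-Object Name, GroupScope, GroupCategory
```

The last query should list both Sales-Staff and ACL-Sales-Modify for jsmith, even though the user was never added to ACL-Sales-Modify directly; that nested path is what carries the Modify permission onto the folder.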