Get to Know Your Active Directory Groups
Microsoft Active Directory is the directory service used on Windows domains. It ships with the Windows Server operating system and has been around since Windows 2000. Active Directory uses the Lightweight Directory Access Protocol (LDAP) and is responsible for keeping track of all the information on your Windows domain, such as users, groups, computers, servers, printers and many other objects, in its database. It lets administrators manage all of these objects and services from one central location rather than going from computer to computer to get things done. Many other programs can tie into Active Directory to manage user accounts and other objects as well.
Active Directory has several built-in groups to which you can assign users or computers so they have the permissions they need to get their jobs done. You can also create your own groups and give those groups various levels of access and permissions. This article covers the seven main kinds of group: two domain group types, each available in three scopes, plus the local security group.
Domain Groups
The two domain group types are security groups and distribution groups, and each of them comes in one of three group scopes, which are discussed next. When you create a new Active Directory group you must choose between a security and a distribution group and also choose the group scope.
Security Groups
Security groups contain users who have been assigned permissions and access to specified resources such as shared folders, printers and other objects. By using a security group, administrators don't need to assign these permissions on a user-by-user basis; instead they create the group, assign all the permissions to the group, and then add users to it. When a user is placed in a security group, that user inherits all the rights that go along with it. If a user is in more than one security group that applies to the same object, then the most restrictive rights out of all the groups will take effect. So if User A has modify access to the Sales folder through membership of the Sales group but read-only access to the Sales folder through membership of the Marketing group, then User A's effective permission on the Sales folder is read-only.
Distribution Groups
Distribution groups are used to send emails for communication purposes. Rather than having to send the same email to 20 sales people, for example, if those 20 people are all in the Sales distribution group you can send one email to the Sales distribution group and all 20 people in that group will get it. These groups are typically used when your email is hosted on an email server such as Microsoft Exchange.
Group Scopes
When setting up a security or distribution group you will also need to choose a scope for that group, so Active Directory knows how to assign the permissions to the resources the group is allowed to access. The scope determines how far those permissions reach, from only the local domain or domain tree to the entire Active Directory forest. There are three group scopes that you can assign to a security or distribution group.
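Both choices described so far, the group type (security or distribution) and the group scope, are stored together in a single LDAP attribute called groupType, which is what you see when you query a group over LDAP rather than through the GUI. The following script is an added example, not code from the original article: it decodes a groupType value into its category, scope and built-in flag and encodes the reverse. The bit values are the ones Active Directory stores; the group names and sample values are constructed so it runs offline without a directory.

```python
"""Decode and encode the Active Directory groupType attribute.

This is an added example, not code from the original article. The bit
values are the ones Active Directory stores in the groupType attribute;
the group names and sample values below are constructed so the script
runs offline without a directory.
"""

# Bit flags of the groupType attribute.
GROUP_TYPE_BUILTIN_LOCAL = 0x00000001     # built-in local group (e.g. Administrators)
GROUP_TYPE_ACCOUNT = 0x00000002           # global scope
GROUP_TYPE_RESOURCE = 0x00000004          # domain local scope
GROUP_TYPE_UNIVERSAL = 0x00000008         # universal scope
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # set: security group; clear: distribution group

SCOPE_FLAGS = {
    GROUP_TYPE_ACCOUNT: "Global",
    GROUP_TYPE_RESOURCE: "DomainLocal",
    GROUP_TYPE_UNIVERSAL: "Universal",
}


def decode_group_type(group_type: int) -> dict:
    """Return the category, scope and built-in flag encoded in a groupType value.

    LDAP returns groupType as a signed 32-bit integer, so security groups
    show up as negative numbers (e.g. -2147483646); mask to 32 bits first.
    """
    bits = group_type & 0xFFFFFFFF
    category = "Security" if bits & GROUP_TYPE_SECURITY_ENABLED else "Distribution"
    scopes = [name for flag, name in SCOPE_FLAGS.items() if bits & flag]
    if len(scopes) != 1:
        raise ValueError(f"groupType {bits:#010x} does not encode exactly one scope")
    return {
        "category": category,
        "scope": scopes[0],
        "builtin": bool(bits & GROUP_TYPE_BUILTIN_LOCAL),
    }


def encode_group_type(category: str, scope: str) -> int:
    """Inverse of decode_group_type: the signed value the directory stores."""
    flag = {name: bit for bit, name in SCOPE_FLAGS.items()}[scope]
    if category == "Security":
        flag |= GROUP_TYPE_SECURITY_ENABLED
    elif category != "Distribution":
        raise ValueError(f"unknown category {category!r}")
    # Convert to the signed 32-bit representation LDAP returns.
    return flag - 0x100000000 if flag & 0x80000000 else flag


# Constructed sample: (sAMAccountName, groupType) pairs as an LDAP search might return them.
SAMPLE_GROUPS = [
    ("Sales", -2147483646),                # security group, global scope
    ("Sales-Mail", 2),                     # distribution group, global scope
    ("FileServer-Modify", -2147483644),    # security group, domain local scope
    ("Enterprise-Helpdesk", -2147483640),  # security group, universal scope
    ("Administrators", -2147483643),       # built-in local security group
]


def summarize(groups=SAMPLE_GROUPS) -> list:
    """Turn raw (name, groupType) pairs into (name, category, scope, builtin) rows."""
    rows = []
    for name, group_type in groups:
        info = decode_group_type(group_type)
        rows.append((name, info["category"], info["scope"], info["builtin"]))
    return rows


if __name__ == "__main__":
    for row in summarize():
        print("%-22s %-12s %-12s builtin=%s" % row)
```

The negative numbers are the usual stumbling block: the security-enabled bit is the sign bit of a 32-bit integer, so a global security group reads back as -2147483646 while its distribution counterpart is simply 2. Masking to 32 bits before testing flags makes the decoder work on values from any LDAP client regardless of how it represents the sign.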
Domain Local Group
This group scope is used to manage permissions and access levels to resources in the domain in which the group was created. Domain local groups can contain global groups, universal groups and user accounts from any domain, in addition to accounts from their own domain. Permissions can be granted within the same domain only.
Global Group
These groups are used to hold user accounts and computer accounts in the domain, but they can also be used to provide access to resources in another domain. A global group can contain user accounts and global groups from the same domain, and it can itself be a member of domain local and universal groups in any domain. Permissions can be granted in any domain in the same forest as well as in trusting domains and forests.
Universal Group
Universal groups are used in large Active Directory forests where you need to grant access and manage resources across multiple domains. These groups can contain users and groups from any domain in the forest. They can also be members of domain local groups or other universal groups, but they can't be members of global groups. Permissions can be granted in any domain in the same forest or in a trusting forest.
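The three scope descriptions above amount to a small set of nesting rules: which kinds of principal, from which domains, a group of each scope may contain. The script below is an added example, not code from the original article, that encodes those rules in one function so a proposed membership can be checked before it is made (or flagged when auditing existing nesting). Principals are modelled as plain dataclasses, and the forest, domain and group names are constructed; in a real directory the scope and domain of each object would be read over LDAP.

```python
"""Check a proposed group membership against Active Directory scope nesting rules.

This is an added example, not code from the original article. It encodes
the membership rules for domain local, global and universal groups in one
function so a proposed nesting can be checked before it is made. Principals
are modelled as plain dataclasses with constructed domain and group names;
in a real directory the scope and domain would be read over LDAP.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                    # "user", "computer" or "group"
    domain: str                  # DNS name of the domain holding the object
    forest: str                  # forest the domain belongs to
    scope: Optional[str] = None  # "DomainLocal", "Global" or "Universal" for groups


def can_be_member(member: Principal, group: Principal) -> Tuple[bool, str]:
    """Return (allowed, reason) for adding `member` to `group`."""
    if group.kind != "group" or group.scope is None:
        return False, f"{group.name} is not a scoped group"
    same_domain = member.domain == group.domain
    same_forest = member.forest == group.forest
    is_account = member.kind in ("user", "computer")

    if group.scope == "Global":
        # Global groups take only accounts and global groups from their own domain.
        if not same_domain:
            return False, "global groups accept members from their own domain only"
        if is_account or member.scope == "Global":
            return True, "account or global group from the same domain"
        return False, f"{member.scope} groups cannot be members of global groups"

    if group.scope == "Universal":
        # Universal groups take accounts, global groups and universal groups
        # from any domain in the same forest; domain local groups are excluded.
        if not same_forest:
            return False, "universal groups accept members from their own forest only"
        if is_account or member.scope in ("Global", "Universal"):
            return True, "account, global or universal group from the forest"
        return False, "domain local groups cannot be members of universal groups"

    if group.scope == "DomainLocal":
        # Domain local groups take accounts, global groups and universal groups
        # from any domain, plus domain local groups from their own domain.
        if is_account or member.scope in ("Global", "Universal"):
            return True, "account, global or universal group from any domain"
        if member.scope == "DomainLocal" and same_domain:
            return True, "domain local group from the same domain"
        return False, "domain local groups from another domain cannot be nested here"

    return False, f"unknown group scope {group.scope!r}"


def rejected(proposals: List[Tuple[Principal, Principal]]) -> List[Tuple[str, str, str]]:
    """Return (member, group, reason) for every proposal the nesting rules reject."""
    out = []
    for member, group in proposals:
        ok, reason = can_be_member(member, group)
        if not ok:
            out.append((member.name, group.name, reason))
    return out


# Constructed sample forest: corp.example with a child domain eu.corp.example.
FOREST = "corp.example"
ALICE = Principal("alice", "user", "corp.example", FOREST)
BOB_EU = Principal("bob", "user", "eu.corp.example", FOREST)
SALES = Principal("Sales", "group", "corp.example", FOREST, "Global")
HELPDESK = Principal("Enterprise-Helpdesk", "group", "corp.example", FOREST, "Universal")
FS_MODIFY = Principal("FileServer-Modify", "group", "eu.corp.example", FOREST, "DomainLocal")
EU_LOCAL = Principal("EU-Printers", "group", "eu.corp.example", FOREST, "DomainLocal")
PARTNER = Principal("carol", "user", "partner.example", "partner.example")

SAMPLE_PROPOSALS = [
    (ALICE, SALES),         # user -> global group, same domain: allowed
    (BOB_EU, SALES),        # user from child domain -> global group: rejected
    (SALES, HELPDESK),      # global -> universal: allowed
    (HELPDESK, SALES),      # universal -> global: rejected
    (SALES, FS_MODIFY),     # global -> domain local in another domain: allowed
    (FS_MODIFY, HELPDESK),  # domain local -> universal: rejected
    (EU_LOCAL, FS_MODIFY),  # domain local -> domain local, same domain: allowed
    (PARTNER, HELPDESK),    # user from another forest -> universal: rejected
]

if __name__ == "__main__":
    for member, group, reason in rejected(SAMPLE_PROPOSALS):
        print(f"{member} -> {group}: {reason}")
```

The checker only reasons about scope, domain and forest, which is exactly what the three sections above describe; it does not look at permissions. That makes it a useful pre-check in a provisioning script or a review step over an exported membership list, because a nesting that the rules reject is also one the directory itself will refuse, and a nesting the rules accept still deserves a look at what the target group can reach.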