Managing Groups in Active Directory

AD is designed to support large, distributed environments and includes seven types of groups:

  • 2 types of domain groups with three scopes each (domain local, global and universal)
  • Local security groups

Groups are security principals with a security identifier (SID) that, through their member attribute, collect other security principals (users, computers, contacts and other groups). This makes management easier, especially by categorizing people into groups based on shared interest, department, project and so on.

Creating a Group

  1. Open the Active Directory Users and Computers snap-in.
  2. Right-click the OU in which you want to create the group.
  3. Choose New, and select Group.

Understanding Group Types

There are 2 types of groups: security and distribution. When a group is created, the type is selected in the New Object – Group dialog box.

Distribution Groups

  • Primarily used by email applications.
  • Because these groups are not security enabled, they do not have SIDs, so they cannot be given permissions to resources.
  • Sending a message to a distribution group sends the message to all members of the group.

Security groups

  • Are security principals with SIDs.
  • Can be used as permission entries in ACLs to control security for resource access.
  • Can also be used as distribution groups by applications.

Because security groups can be used for both resource access and email distribution, many organizations use only security groups. For security reasons, it is recommended that a group used only for email distribution be created as a distribution group.

| Group Scope | Members from the same domain | Members from another domain in the same forest | Members from a trusted external domain | Group can be assigned permission in |
|---|---|---|---|---|
| Universal | Users, Computers, Global groups, Universal groups | Users, Computers, Global groups, Universal groups | N/A | Any domain or forest, including trusting external domain |
| Global | Users, Computers, Global groups | N/A | N/A | Member permissions can be assigned in any domain |
| Domain Local | Users, Computers, Global groups, Domain local groups, Universal groups | Users, Computers, Global groups, Universal groups | Users, Computers, Global groups | Member permissions can be assigned only within the same domain as the parent domain local group |
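
The type and scope choices described above, scripted with the ActiveDirectory PowerShell module instead of the snap-in. This is an added example, not part of the original post; the OU path and group names are hypothetical placeholders.

```powershell
# Requires the ActiveDirectory module (RSAT) and rights to create groups.
Import-Module ActiveDirectory

# Hypothetical placeholder: replace with an OU from your own domain.
$ou = 'OU=Groups,DC=example,DC=com'

# Email-only list: created as a distribution group, so it is not
# security enabled and cannot be given permissions to resources.
New-ADGroup -Name 'DL-Project-Announce' `
    -SamAccountName 'DL-Project-Announce' `
    -GroupCategory Distribution `
    -GroupScope Universal `
    -Path $ou

# Resource access: a security group that can be used as a permission
# entry in ACLs. Global scope takes members from its own domain only.
New-ADGroup -Name 'SG-Project-Members' `
    -SamAccountName 'SG-Project-Members' `
    -GroupCategory Security `
    -GroupScope Global `
    -Path $ou

# Confirm that both groups were created with the intended type and scope.
Get-ADGroup -Filter "Name -like '*-Project-*'" -SearchBase $ou |
    Select-Object Name, GroupCategory, GroupScope |
    Format-Table -AutoSize

# Review list: security groups that also carry a mail address. These are
# the groups to check against the recommendation above (email-only use
# should be a distribution group).
Get-ADGroup -Filter "GroupCategory -eq 'Security' -and mail -like '*'" `
        -Properties mail |
    Sort-Object Name |
    Select-Object Name, GroupScope, mail, DistinguishedName |
    Format-Table -AutoSize
```

Groups returned by the last query are candidates for review, not automatic conversion: a mail-enabled security group may also be referenced in ACLs, and changing its type would break that access.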