Groups
A group is a collection of user and computer accounts, contacts and other groups that can be managed as a
single unit. Users and computers that belong to a particular group are referred to as group members.
Using groups can simplify administration by assigning a common set of permissions and rights to many
accounts at once, rather than assigning permissions and rights to each account individually.
Groups can be either directory-based or local to a particular computer. Groups in Active Directory are
directory objects that reside within a domain and organizational unit container objects. Active Directory
provides a set of default groups upon installation, and also allows the option to create groups.
Local groups, which exist on local computers and not in Active Directory,
Groups in Active Directory allow you to:
Simplify administration by assigning permissions on a shared resource to a group, rather than to individual
users. This assigns the same access on the resource to all members of that group.
Delegate administration by assigning user rights once to a group through Group Policy, and then adding
necessary members to the group that you want to have the same rights as the group.
Create e-mail distribution lists.
Groups are characterized by their scope and their type. The scope of a group determines the extent to which
the group is applied within a domain or forest. The group type determines whether a group can be used to
assign permissions on a shared resource (security groups) or only for e-mail distribution lists
(distribution groups).
There are also groups whose membership you cannot view or modify. These groups are referred to as
special identities and represent different users at different times, depending on the
circumstances. For example, the Everyone identity represents all current network users, including guests and
users from other domains. Since Windows Server 2003, Everyone no longer includes Anonymous Logon by default, so
permissions granted to Everyone do not reach unauthenticated connections unless that default is changed.
Group scope
Any group, whether it is a security group or a distribution group, is characterized by a scope that identifies the
extent to which the group is applied in the domain tree or forest. The boundary, or reach, of a group scope is
also determined by the domain functional level setting of the domain in which it resides. There are three
group scopes: universal, global, and domain local.
The following table describes the differences between the scopes of each group.

Universal
  Can include as members: accounts, global groups and universal groups from any domain in the same forest.
  Can be assigned permissions in: any domain in the same forest, or in a forest that trusts it.
  Can be converted to: global (only if the group contains no other universal group); domain local.

Global
  Can include as members: accounts and other global groups from the same domain.
  Can be assigned permissions in: any domain in the forest, or in any domain that trusts it.
  Can be converted to: universal (only if the group is not a member of another global group).

Domain local
  Can include as members: accounts, global groups and universal groups from any domain; other domain local groups from the same domain.
  Can be assigned permissions in: only the domain in which the group is defined.
  Can be converted to: universal (only if the group contains no other domain local group).
Suppose five users need access to a printer. With a little planning, you can simplify this routine
administrative task by creating a group with domain local scope and assigning it permission to access the printer.
Put the five user accounts in a group with global scope, and then add this global group to the domain local group.
When you want to give the five users access to a new printer, assign the domain local group permission to access
the new printer. All members of the global group automatically receive access to the new printer, and the
resource's DACL never has to name an individual user.
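The printer walkthrough above, carried out on a file share instead, as an added PowerShell example (not code from the original article). It assumes the ActiveDirectory RSAT module, a domain with NetBIOS name CORP, an OU at OU=Groups,DC=corp,DC=example, five users with the sAMAccountNames shown, and a folder D:\Shares\Accounting on the file server; all of these names are assumptions. Accounts go into a global group, the global group is nested into a domain local group, and only the domain local group appears in the resource's DACL.

```powershell
# Added example: account -> global group -> domain local group -> permission (AGDLP).
# Assumed names: CORP domain, OU=Groups,DC=corp,DC=example, users alice..erin, D:\Shares\Accounting.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example'          # assumed OU for the new groups

# The global group collects the people (accounts from the same domain).
New-ADGroup -Name 'GL-Accounting-Users' -GroupScope Global -GroupCategory Security -Path $ou
# The domain local group is what the resource's DACL will name.
New-ADGroup -Name 'DL-AccountingShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou

# Put the five user accounts in the global group ...
Add-ADGroupMember -Identity 'GL-Accounting-Users' -Members 'alice', 'bob', 'carol', 'dave', 'erin'
# ... and nest the global group in the domain local group.
Add-ADGroupMember -Identity 'DL-AccountingShare-Modify' -Members 'GL-Accounting-Users'

# Grant Modify on the folder to the domain local group only (never to the individual users).
$path = 'D:\Shares\Accounting'
$acl  = Get-Acl -Path $path
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'CORP\DL-AccountingShare-Modify',
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Check: the DACL names the domain local group, and the five users resolve through the nesting.
(Get-Acl -Path $path).Access |
    Where-Object IdentityReference -like '*DL-AccountingShare*' |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
Get-ADGroupMember -Identity 'DL-AccountingShare-Modify' -Recursive |
    Select-Object Name, objectClass
```

Giving a second share to the same five users is then one Set-Acl call that names DL-AccountingShare-Modify (or a new domain local group for that share with GL-Accounting-Users nested in it); user membership is managed in one place, the global group.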
It is strongly recommended that you use global groups or universal groups instead of domain local groups
when you specify permissions on domain directory objects that are replicated to the global catalog. A domain
local group is only evaluated within its own domain, so an ACE that names one is meaningless when the object is
read from a global catalog server in another domain.
For example, in a network with two domains, Europe and UnitedStates, and a group that has global scope
called GLAccounting in each domain, create a group with universal scope called UAccounting that has as its
members the two GLAccounting groups, UnitedStates\GLAccounting and Europe\GLAccounting. The
UAccounting group can then be used anywhere in the enterprise. Any changes in the membership of the
individual GLAccounting groups will not cause replication of the UAccounting group.
Do not change the membership of a group with universal scope frequently, because at the Windows 2000 forest
functional level any change to the membership causes the entire membership of the group to be replicated to every
global catalog in the forest. At the Windows Server 2003 forest functional level and later, linked-value
replication replicates only the individual members that changed, so this cost is much smaller.
Global to universal. This conversion is allowed only if the group that you want to change is not a member
of another global group.
Domain local to universal. This conversion is allowed only if the group that you want to change does not
have another domain local group as a member.
Universal to global. This conversion is allowed only if the group that you want to change does not have
another universal group as a member.
Universal to domain local. There are no restrictions for this operation.
There is no direct conversion between global and domain local scope; convert the group to universal first,
subject to the rules above, and then to the target scope.
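The conversion rules above, applied as a pre-check before Set-ADGroup, as an added PowerShell example (not code from the original article). It assumes the ActiveDirectory RSAT module and read access to the group; the group name GLAccounting in the usage line is taken from the text and is assumed to exist. Active Directory enforces the same rules itself, but the function names the blocking member or parent group instead of returning a generic error.

```powershell
# Added example: evaluate the scope-conversion rules before changing a group's scope.
# Assumes the ActiveDirectory module; GLAccounting is the text's example group name.
Import-Module ActiveDirectory

function Test-ADGroupScopeConversion {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('Global', 'Universal', 'DomainLocal')] [string] $TargetScope
    )
    $group   = Get-ADGroup -Identity $Identity
    $current = $group.GroupScope.ToString()

    # Scopes of the groups nested directly inside this group ...
    $memberScopes = @(Get-ADGroupMember -Identity $Identity |
        Where-Object objectClass -eq 'group' |
        ForEach-Object { (Get-ADGroup -Identity $_.distinguishedName).GroupScope.ToString() })
    # ... and of the groups this group is directly a member of.
    $parentScopes = @(Get-ADPrincipalGroupMembership -Identity $Identity |
        ForEach-Object { $_.GroupScope.ToString() })

    $reason = if ($current -eq $TargetScope) {
        "group already has $TargetScope scope"
    } else {
        switch ("${current}->${TargetScope}") {
            'Global->Universal'      { if ($parentScopes -contains 'Global')      { 'group is a member of another global group' } }
            'DomainLocal->Universal' { if ($memberScopes -contains 'DomainLocal') { 'group contains another domain local group' } }
            'Universal->Global'      { if ($memberScopes -contains 'Universal')   { 'group contains another universal group' } }
            'Universal->DomainLocal' { $null }   # no restrictions
            default                  { "no direct $current to $TargetScope conversion; convert to Universal first" }
        }
    }

    [pscustomobject]@{
        Group        = $group.Name
        CurrentScope = $current
        TargetScope  = $TargetScope
        Allowed      = [string]::IsNullOrEmpty($reason)
        Reason       = $reason
    }
}

# Usage: convert the text's GLAccounting group to universal scope only when the rules allow it.
$check = Test-ADGroupScopeConversion -Identity 'GLAccounting' -TargetScope Universal
if ($check.Allowed) {
    Set-ADGroup -Identity 'GLAccounting' -GroupScope Universal
} else {
    $check   # shows which rule blocked the conversion
}
```

Only direct nesting is inspected, which is what the rules refer to; the domain controller applies the same checks when Set-ADGroup runs, so the function is a readable pre-flight, not a replacement for that enforcement.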
Group types
Groups are used to collect user accounts, computer accounts, and other group accounts into manageable
units. Working with groups instead of with individual users helps simplify network maintenance and
administration.
There are two types of groups in Active Directory: distribution groups and security groups. You can use
distribution groups to create e-mail distribution lists and security groups to assign permissions to shared
resources.
Distribution groups
Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to collections
of users. Distribution groups are not security-enabled, which means that they cannot be listed in discretionary
access control lists (DACLs). If you need a group for controlling access to shared resources, create a security
group.
Security groups
Used with care, security groups provide an efficient way to assign access to resources on your network.
Using security groups, you can:
Assign user rights to security groups in Active Directory. For example, a user added to the Backup
Operators group can back up and restore files and directories on each domain controller in the domain.
This is possible because by default, the user rights Back up files and directories and Restore files and
directories are automatically assigned to the Backup Operators group. Therefore, members of this group
inherit the user rights assigned to that group. You can assign user rights to security groups, using Group
Policy, to help delegate specific tasks. You should always use discretion when assigning delegated tasks,
because an untrained user assigned too many rights through a security group can potentially cause significant
harm to your network.
Assign permissions to security groups on resources.
Permissions should not be confused with user rights. Permissions are assigned to the security group on
the shared resource. Permissions determine who can access the resource and the level of access, such
as Full Control. Some permissions set on domain objects are automatically assigned to allow various
levels of access to default security groups such as the Account Operators group or the Domain Admins
group.
Security groups are listed in DACLs that define permissions on resources and objects. When assigning
permissions for resources (file shares, printers, and so on), administrators should assign those
permissions to a security group rather than to individual users. The permissions are assigned once to the
group, instead of several times to each individual user. Each account added to a group receives the rights
assigned to that group in Active Directory and the permissions defined for that group at the resource. Group
membership is evaluated when the access token is built at logon, so a user added to or removed from a group
sees the change only after logging on again.
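An audit of the two rules above (permissions go to security groups, not to individual users, and distribution groups cannot carry permissions), as an added PowerShell example that is not code from the original article. It assumes the ActiveDirectory RSAT module on a domain-joined host and the folder path D:\Shares\Accounting, which is an assumption. Each non-inherited ACE on the folder is resolved to its AD object and classified from the groupType attribute, whose bit layout (0x2 global, 0x4 domain local, 0x8 universal, 0x80000000 security-enabled) is what distinguishes a security group from a distribution group.

```powershell
# Added example: list who holds non-inherited permissions on a resource and flag ACEs that
# name an individual user or a distribution group rather than a security group.
# Assumes the ActiveDirectory module; D:\Shares\Accounting is an assumed path.
Import-Module ActiveDirectory

function Get-DaclPrincipalReport {
    param([Parameter(Mandatory)] [string] $Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }        # inherited ACEs are judged at their parent
        $name = $ace.IdentityReference.Value      # e.g. CORP\GL-Accounting, or S-1-5-21-... if unresolvable
        $kind = 'unresolved SID'
        if ($name -notlike 'S-1-*') {
            $sam = $name.Split('\')[-1]
            # Special identities (Everyone, NT AUTHORITY\..., BUILTIN\...) and local accounts have
            # no AD object, so this lookup returns nothing for them. sAMAccountNames containing
            # LDAP filter metacharacters such as '(' or '*' would need escaping (not handled here).
            $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -Properties groupType |
                   Select-Object -First 1
            if (-not $obj) {
                $kind = 'special identity or local account'
            } elseif ($obj.ObjectClass -eq 'group') {
                # groupType is stored as a signed 32-bit value; widen before masking so the
                # security-enabled bit 0x80000000 tests cleanly.
                $gt    = [int64]$obj.groupType
                $scope = switch ($gt -band 0xE) { 2 { 'global' } 4 { 'domain local' } 8 { 'universal' } default { 'built-in' } }
                $type  = if ($gt -band 0x80000000) { 'security' } else { 'distribution' }
                $kind  = "$type group ($scope)"
            } else {
                $kind = $obj.ObjectClass              # user, computer, ...
            }
        }
        [pscustomobject]@{
            Identity = $name
            Kind     = $kind
            Rights   = $ace.FileSystemRights
            Access   = $ace.AccessControlType
            # A direct user ACE defeats group-based administration; a distribution group ACE
            # grants nothing because the group's SID is never placed in an access token.
            Flag     = ($kind -eq 'user' -or $kind -like 'distribution*')
        }
    }
}

Get-DaclPrincipalReport -Path 'D:\Shares\Accounting' | Format-Table -AutoSize
```

Rows with Flag set are the ones to rework: move the user into a security group that already holds the permission, or replace the distribution group with a security group, and then remove the offending ACE.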
Like distribution groups, security groups can also be used as an e-mail entity. Sending an e-mail message to
the group sends the message to all the members of the group.