
Groups, Group Scopes and Group

Groups

A group is a collection of user and computer accounts, contacts and other groups that can be managed as a
single unit. Users and computers that belong to a particular group are referred to as group members.

Using groups can simplify administration by assigning a common set of permissions and rights to many
accounts at once, rather than assigning permissions and rights to each account individually.
Groups can be either directory-based or local to a particular computer. Groups in Active Directory are
directory objects that reside within a domain and organizational unit container objects. Active Directory
provides a set of default groups upon installation, and also allows the option to create groups.
Local groups, which exist on local computers and not in Active Directory,

Groups in Active Directory allow you to:

- Simplify administration by assigning permissions on a shared resource to a group, rather than to individual
  users. This assigns the same access on the resource to all members of that group.
- Delegate administration by assigning user rights once to a group through Group Policy, and then adding
  necessary members to the group that you want to have the same rights as the group.
- Create e-mail distribution lists.
Groups are characterized by their scope and their type. The scope of a group determines the extent to which
the group is applied within a domain or forest. The group type determines whether a group can be used to
assign permissions from a shared resource (for security groups) or if a group can be used for e-mail
distribution lists only (for distribution groups).

There are also groups for which you cannot modify or view the memberships. These groups are referred to as
special identities and are used to represent different users at different times, depending on the
circumstances. For example, the Everyone group represents all current network users, including guests and
users from other domains.

Group scope

Any group, whether it is a security group or a distribution group, is characterized by a scope that identifies the
extent to which the group is applied in the domain tree or forest. The boundary, or reach, of a group scope is
also determined by the domain functional level setting of the domain in which it resides. There are three
group scopes: universal, global, and domain local.

The following table describes the differences between the scopes of each group.

Universal

  Group can include as members:
    - Accounts from any domain within the forest in which this universal group resides
    - Global groups from any domain within the forest in which this universal group resides
    - Universal groups from any domain within the forest in which this universal group resides
  Group can be assigned permissions in:
    Any domain or forest
  Group scope can be converted to:
    - Domain local
    - Global (as long as no other universal groups exist as members)

Global

  Group can include as members:
    - Accounts from the same domain as the parent global group
    - Global groups from the same domain as the parent global group
  Group can be assigned permissions in:
    Member permissions can be assigned in any domain
  Group scope can be converted to:
    - Universal (as long as it is not a member of any other global groups)

Domain local

  Group can include as members:
    - Accounts from any domain
    - Global groups from any domain
    - Universal groups from any domain
    - Domain local groups, but only from the same domain as the parent domain local group
  Group can be assigned permissions in:
    Member permissions can be assigned only within the same domain as the parent domain local group
  Group scope can be converted to:
    - Universal (as long as no other domain local groups exist as members)

When to use groups with domain local scope

Groups with domain local scope help you define and manage access to resources within a single domain. For
example, to give five users access to a particular printer, you can add all five user accounts in the printer
permissions list. If, however, you later want to give the five users access to a new printer, you must again
specify all five accounts in the permissions list for the new printer.

With a little planning, you can simplify this routine administrative task by creating a group with domain local
scope and assigning it permission to access the printer. Put the five user accounts in a group with global
scope, and then add this group to the group having domain local scope. When you want to give the five users
access to a new printer, assign the group with domain local scope permission to access the new printer. All
members of the group with global scope automatically receive access to the new printer.

When to use groups with global scope

Use groups with global scope to manage directory objects that require daily maintenance, such as user and
computer accounts. Because groups with global scope are not replicated outside their own domain, you can
change accounts in a group having global scope frequently without generating replication traffic to the global
catalog.

Although rights and permissions assignments are valid only within the domain in which they are assigned, by
applying groups with global scope uniformly across the appropriate domains, you can consolidate references
to accounts with similar purposes. This simplifies and rationalizes group management across domains. For
example, in a network with two domains, Europe and UnitedStates, if you have a group with global scope
called GLAccounting in the UnitedStates domain, create a group called GLAccounting in the Europe domain
(unless the accounting function does not exist in the Europe domain).

It is strongly recommended that you use global groups or universal groups instead of domain local groups
when you specify permissions on domain directory objects that are replicated to the global catalog.

When to use groups with universal scope

Use groups with universal scope to consolidate groups that span domains. To do this, add the accounts to
groups with global scope, and then nest these groups within groups that have universal scope. When you use
this strategy, any membership changes in the groups that have global scope do not affect the groups with
universal scope.

For example, in a network with two domains, Europe and UnitedStates, and a group that has global scope
called GLAccounting in each domain, create a group with universal scope called UAccounting that has as its
members the two GLAccounting groups, UnitedStates\GLAccounting and Europe\GLAccounting. The
UAccounting group can then be used anywhere in the enterprise. Any changes in the membership of the
individual GLAccounting groups will not cause replication of the UAccounting group.

Do not change the membership of a group with universal scope frequently, because any changes to these
group memberships cause the entire membership of the group to be replicated to every global catalog in the
forest.
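The two procedures above (a domain local group that carries the permission on a resource, and a universal group that consolidates the per-domain GLAccounting global groups) as one PowerShell script. This is an added example, not code from the original article; it assumes the ActiveDirectory module (RSAT), PowerShell 5 or later, the domain FQDNs unitedstates.example.com and europe.example.com, an OU named Groups under each domain root, and a shared folder standing in for the printer.

```powershell
# Added example, not from the original article. Builds the nesting chain the text
# describes: accounts -> global group per domain -> universal group -> domain local
# group -> permission on the resource. Assumed: domain FQDNs, OU=Groups, share path.
# Run with rights to create groups in both domains.
Import-Module ActiveDirectory

$domains = @{
    UnitedStates = 'unitedstates.example.com'   # assumed FQDN of the UnitedStates domain
    Europe       = 'europe.example.com'         # assumed FQDN of the Europe domain
}
$resourceDomain = $domains['UnitedStates']      # domain that owns the resource (assumed)
$sharePath      = '\\fs01.unitedstates.example.com\Accounting'  # assumed share, stands in for the printer

function Get-GroupsOu([string] $Server) {
    # Assumed OU=Groups directly under the domain root.
    "OU=Groups,$((Get-ADDomain -Server $Server).DistinguishedName)"
}

# 1. One GLAccounting global group per domain. Day-to-day account changes happen here and
#    are not replicated to the global catalog.
$globalGroups = foreach ($server in $domains.Values) {
    New-ADGroup -Server $server -Name 'GLAccounting' -GroupScope Global -GroupCategory Security `
        -Path (Get-GroupsOu $server) -PassThru
}

# 2. UAccounting universal group nests both GLAccounting groups; its own membership rarely changes,
#    so it does not cause forest-wide global catalog replication.
$uAccounting = New-ADGroup -Server $resourceDomain -Name 'UAccounting' -GroupScope Universal `
    -GroupCategory Security -Path (Get-GroupsOu $resourceDomain) -PassThru
Add-ADGroupMember -Server $resourceDomain -Identity $uAccounting -Members $globalGroups

# 3. A domain local group in the resource's domain carries the permission and nests UAccounting.
$dlGroup = New-ADGroup -Server $resourceDomain -Name 'DL-Accounting-Modify' -GroupScope DomainLocal `
    -GroupCategory Security -Path (Get-GroupsOu $resourceDomain) -PassThru
Add-ADGroupMember -Server $resourceDomain -Identity $dlGroup -Members $uAccounting

# 4. Grant the permission once, to the domain local group (by SID, so no NetBIOS name is needed).
#    Giving the same users access to a new resource later repeats only this step.
$acl  = Get-Acl -Path $sharePath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $dlGroup.SID, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl
```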

Changing group scope

When you create a new group, by default the new group is configured as a security group with global scope,
regardless of the current domain functional level. Although changing a group scope is not allowed in domains
with a domain functional level of Windows 2000 mixed, the following conversions are allowed in domains with
the domain functional level of Windows 2000 native or Windows Server 2003:

- Global to universal. This conversion is allowed only if the group that you want to change is not a member
  of another global scope group.
- Domain local to universal. This conversion is allowed only if the group that you want to change does not
  have another domain local group as a member.
- Universal to global. This conversion is allowed only if the group that you want to change does not have
  another universal group as a member.
- Universal to domain local. There are no restrictions for this operation.

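A pre-flight check for the four conversions listed above, written as an added PowerShell example (not code from the original article). It assumes the ActiveDirectory module and a domain functional level that permits scope changes; the function name Test-ADGroupScopeChange is this example's own.

```powershell
# Added example, not from the original article. Evaluates the restrictions listed above
# before a scope change and only then prints the Set-ADGroup call. Assumes the
# ActiveDirectory module; MemberOf is a same-domain backlink, so parents in other
# domains are not seen by the Global->Universal check.
Import-Module ActiveDirectory

function Test-ADGroupScopeChange {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('Global', 'Universal', 'DomainLocal')] [string] $TargetScope
    )
    $group = Get-ADGroup -Identity $Identity -Properties MemberOf
    $scope = [string] $group.GroupScope
    if ($scope -eq $TargetScope) { return "$($group.Name) already has $scope scope." }

    # Scopes of the group objects that are direct members of this group.
    $memberScopes = Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -eq 'group' } |
        ForEach-Object { [string] (Get-ADGroup -Identity $_.DistinguishedName).GroupScope }
    # Scopes of the groups (in this domain) that this group is a direct member of.
    $parentScopes = $group.MemberOf |
        ForEach-Object { [string] (Get-ADGroup -Identity $_).GroupScope }

    $blocked = $false
    switch ("$scope->$TargetScope") {
        'Global->Universal'      { $blocked = $parentScopes -contains 'Global';      $why = 'it is a member of another global group' }
        'DomainLocal->Universal' { $blocked = $memberScopes -contains 'DomainLocal'; $why = 'it has a domain local group as a member' }
        'Universal->Global'      { $blocked = $memberScopes -contains 'Universal';   $why = 'it has another universal group as a member' }
        'Universal->DomainLocal' { }   # no restrictions
        default { return "$scope -> $TargetScope is not a listed conversion; convert through Universal first." }
    }
    if ($blocked) { return "Cannot convert $($group.Name) from $scope to $TargetScope because $why." }
    return "OK: Set-ADGroup -Identity '$($group.DistinguishedName)' -GroupScope $TargetScope"
}

# Usage (GLAccounting is the group name used in the article):
Test-ADGroupScopeChange -Identity 'GLAccounting' -TargetScope Universal
```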
Group types

Groups are used to collect user accounts, computer accounts, and other group accounts into manageable
units. Working with groups instead of with individual users helps simplify network maintenance and
administration.

There are two types of groups in Active Directory: distribution groups and security groups. You can use
distribution groups to create e-mail distribution lists and security groups to assign permissions to shared
resources.

Distribution groups

Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to collections
of users. Distribution groups are not security-enabled, which means that they cannot be listed in discretionary
access control lists (DACLs). If you need a group for controlling access to shared resources, create a security
group.

Security groups

Used with care, security groups provide an efficient way to assign access to resources on your network.
Using security groups, you can:

- Assign user rights to security groups in Active Directory

  User rights are assigned to security groups to determine what members of that group can do within the
  scope of a domain (or forest). User rights are automatically assigned to some security groups at the time
  Active Directory is installed to help administrators define a person’s administrative role in the domain. For
  example, a user who is added to the Backup Operators group in Active Directory has the ability to back up
  and restore files and directories located on each domain controller in the domain.

  This is possible because by default, the user rights Back up files and directories and Restore files and
  directories are automatically assigned to the Backup Operators group. Therefore, members of this group
  inherit the user rights assigned to that group. You can assign user rights to security groups, using Group
  Policy, to help delegate specific tasks. You should always use discretion when assigning delegated tasks
  because an untrained user assigned too many rights on a security group can potentially cause significant
  harm to your network.

- Assign permissions to security groups on resources

  Permissions should not be confused with user rights. Permissions are assigned to the security group on
  the shared resource. Permissions determine who can access the resource and the level of access, such
  as Full Control. Some permissions set on domain objects are automatically assigned to allow various
  levels of access to default security groups such as the Account Operators group or the Domain Admins
  group.

  Security groups are listed in DACLs that define permissions on resources and objects. When assigning
  permissions for resources (file shares, printers, and so on), administrators should assign those
  permissions to a security group rather than to individual users. The permissions are assigned once to the
  group, instead of several times to each individual user. Each account added to a group receives the rights
  assigned to that group in Active Directory and the permissions defined for that group at the resource.
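Because every account added to one of the default security groups named above inherits that group's rights, a periodic review of who is in them is the check that catches an over-delegated account. The following is an added PowerShell example, not code from the original article; it assumes the ActiveDirectory module and an approved-membership baseline whose account names are constructed for illustration.

```powershell
# Added example, not from the original article. Reports recursive user membership of the
# default groups the text names, flagging accounts outside an assumed baseline.
Import-Module ActiveDirectory

# Groups the article names as receiving rights or permissions by default.
$privilegedGroups = 'Backup Operators', 'Account Operators', 'Domain Admins'

# Assumed baseline: the sAMAccountNames expected in each group (constructed sample values).
$baseline = @{
    'Backup Operators'  = @('svc-backup')
    'Account Operators' = @()
    'Domain Admins'     = @('Administrator', 'da-alice')
}

function Get-PrivilegedGroupDrift {
    param(
        [string[]]  $Groups   = $privilegedGroups,
        [hashtable] $Baseline = $baseline
    )
    foreach ($g in $Groups) {
        # -Recursive expands nested groups, so users who inherit the rights indirectly
        # (through a nested global or universal group) are reported as well.
        $members = Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties Enabled, LastLogonDate
        foreach ($m in $members) {
            [pscustomobject]@{
                Group         = $g
                Member        = $m.SamAccountName
                Enabled       = $m.Enabled
                LastLogonDate = $m.LastLogonDate
                InBaseline    = $Baseline[$g] -contains $m.SamAccountName
            }
        }
    }
}

# Show only the members that are not in the approved baseline.
Get-PrivilegedGroupDrift | Where-Object { -not $_.InBaseline } | Format-Table -AutoSize
```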

Like distribution groups, security groups can also be used as an e-mail entity. Sending an e-mail message to
the group sends the message to all the members of the group.
