A group is used to collect user accounts, computer accounts, and other group accounts into manageable units. Working with groups instead of individual user accounts helps simplify network maintenance and administration. For instance, through groups the users receive all the user rights assigned to the group and all the permissions assigned to the group on any shared resources.
Like user accounts, there are both local and domain groups.
- Local groups exist only on the local computer, and control access to local resources.
- Domain groups exist in Active Directory, and can be used to control access to domain and local resources. In an Enterprise environment, you will work mainly with domain groups.
Active Directory groups have a group scope. The scope defines the potential group membership and the resource access that can be controlled through the group. The following table lists the different security group scopes and their membership and use.
|Group scope||Membership||Resource Access|
|Global||Global groups can contain members within the same domain. These include:
Use global groups to group users and computers within the domain who have similar access needs.
|Global groups can be assigned permissions to resources anywhere in the forest.
Create global groups to organize users (e.g., Sales or Development).
|Domain Local||Domain local groups can contain members from any domain in the forest. These include:
||Domain local groups can be assigned permissions within a domain.
Create domain local groups representative of the domain controller resources to which you want to control access, and then assign permissions on the resource to the group.
|Universal||Universal groups can contain members from any domain in the forest. These include:
||Universal groups can be assigned permissions to resources anywhere in the forest.
Universal group membership should be relatively stable. For this reason, you should only add global or universal groups to universal groups. Avoid adding user accounts directly to universal groups.
In addition to the group scope, there are two types of groups:
|Security||A security group is one that can be used to manage rights and permissions.
|Distribution||A distribution group is used to maintain a list of users and is typically used for sending e-mails to all group members. Distribution groups cannot be used for assigning permissions.|
Be aware of the following when managing groups:
- The basic best practices for user and group security are:
- Create groups based on user access needs.
- Assign user accounts to the appropriate groups.
- Assign permissions to each group based on the resource needs of the users in the group and the security needs of your network.
- After creating a group, you may need to convert the group’s scope and/or type.
- Converting a security group to a distribution group removes permissions assigned to the group. This could prevent or allow unwanted access.
- You cannot directly convert a group from global to domain local or domain local to global. Instead, convert the group to a universal group and apply the changes, then convert the group to the desired scope.
- If a global group is nested in another global group, the nested global group cannot be converted to a universal group because a universal group cannot be a member of a global group.
- To add or remove members of a group, use one of the following methods:
- On the group object, edit the Members tab and add the group members. Use this method to efficiently add multiple members to the same group.
- On the user account, edit the Members Of tab and select the group to which you want to add the user. The Member Of tab displays all of groups to which the object is a member. Use this method to efficiently add a single user to multiple groups.
Because a group can be a member of another group, a group object also has a Member Of tab. Adding objects to the Member Of tab for a group makes the group a member of another group (it does not add members to the group).
- When you delete a group, all information about the group (including any permissions assigned to the group) is deleted. User accounts, however, are not deleted. They are simply no longer associated with the group. If you delete the group, use one of the following strategies to recover it:
- Re-create the group, add all the original group members, and reassign any permissions granted to the group.
- Restore the group from a recent backup.