Types of Groups
Security groups are used to control access to resources.
Security groups can also be used as email distribution lists. Distribution groups can be used only as email distribution lists or as simple administrative groupings.
Distribution groups cannot be used for access control because they are not "security enabled": they are never added to a user's access token, so an ACL entry for one is never matched.
Universal groups
Provide a simple 'does everything' group suitable mainly for small networks. Organizations using WANs should typically use Universal groups only for relatively static groups whose membership changes rarely, because Universal group membership is stored in the global catalog and every change is replicated to every global catalog server in the forest. At the Windows Server 2003 forest functional level and above, linked-value replication sends only the changed members rather than the whole membership list, which reduces but does not remove this cost.
Global groups
Provide domain-centric membership: place user accounts into Global groups. Global groups can be nested within other Global groups in the same domain, which is particularly useful when delegating administration of an OU.
It can be useful to give each Global group a name that is meaningful to the staff involved, e.g. matching the name of a team or a project, particularly if the group is also to be used as an email distribution list.
Domain Local groups
Used for the direct assignment of access permissions on files, printer queues, and other such resources.
It can be useful to give each Domain Local group a name that is meaningful to the IT Operations team, e.g. if a group grants rights to a shared folder on a specific server, the group name might include a prefix or suffix indicating the server name and the right granted.
Machine Local groups
Stored in the local SAM database of the computer; use them for security settings that apply only to that one machine.
Local groups continue to work even if the network becomes unavailable, e.g. during a disaster recovery exercise, because membership is resolved locally rather than by a domain controller.
Place users in Global groups, nest those inside Domain Local groups, and assign permissions only to the Domain Local groups, as shown below (the pattern usually abbreviated AGDLP: Accounts, Global, Domain Local, Permissions). This also maximises performance in a multi-domain forest.
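The AGDLP chain above, as an added example using the ActiveDirectory module and Set-Acl; it is not code from the original article. The OU path, group names, account names, NetBIOS domain name RAYLIN and the folder path are assumed for illustration.

```powershell
# Added example: build an AGDLP chain and grant the Domain Local group Modify on a folder.
# All names below (OU, groups, accounts, RAYLIN, D:\Shares\SalesData) are assumed.
Import-Module ActiveDirectory

$ou         = 'OU=Groups,DC=raylin,DC=local'   # assumed OU for group objects
$globalName = 'Sales-Team'                     # Global group: WHO (named after the team)
$localName  = 'FS01-SalesData-Modify'          # Domain Local group: WHAT (server, resource, right)
$folder     = 'D:\Shares\SalesData'            # assumed path on file server FS01

# 1. Accounts go into a Global group named after the team.
New-ADGroup -Name $globalName -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $globalName -Members 'alice', 'bob'   # assumed sAMAccountNames

# 2. The Global group is nested inside a Domain Local group named after the resource and right.
New-ADGroup -Name $localName -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $localName -Members $globalName

# 3. Only the Domain Local group ever appears in the ACL. Run this on FS01 (or use a UNC path).
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "RAYLIN\$localName",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: every explicit ACE for the domain should reference a Domain Local group,
# never a user account or a Global group.
(Get-Acl -Path $folder).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like 'RAYLIN\*' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Adding or removing a team member later touches only the Global group; the ACL on the file server is never edited again, which is the point of the pattern.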
Group membership is evaluated when a user logs on to the domain: the SIDs of the user's groups are placed in the access token built at logon, and that token is what every access check compares against the ACL. To be sure that a membership change has taken effect, have the user log off and log on again (a computer account needs a restart). In contrast, ACL changes, including permissions applied directly to user accounts, take effect immediately, because the ACL is read at the time of each access check; handles that are already open keep the access they were granted when opened.
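A check for the logon-token behaviour described above, as an added example that is not part of the original article: it compares the domain group SIDs in the current token (from whoami) with the transitive memberships the directory holds now (the constructed tokenGroups attribute), and reports changes that will only apply after the next logon. It assumes it is run as the domain user being checked, on a domain-joined host with the ActiveDirectory module, and that all groups of interest are in the user's own domain.

```powershell
function Get-PendingGroupChanges {
    # Added example (not from the original article). Assumes: run as the domain user
    # being checked, on a domain-joined machine with the ActiveDirectory module.
    Import-Module ActiveDirectory
    $domainSid = (Get-ADDomain).DomainSID.Value

    # Domain group SIDs in the access token built at logon: what access checks use right now.
    # Filtering on the domain SID drops well-known SIDs (Everyone, Authenticated Users)
    # and BUILTIN\ groups, which are not governed by directory membership.
    $tokenSids = (whoami /groups /fo csv | ConvertFrom-Csv).SID |
        Where-Object { $_ -like "$domainSid-*" }

    # Transitive security group SIDs as the directory holds them now. tokenGroups is a
    # constructed attribute, so it already includes nested groups and the primary group.
    $dirSids = (Get-ADUser -Identity $env:USERNAME -Properties tokenGroups).tokenGroups |
        ForEach-Object { $_.Value } |
        Where-Object { $_ -like "$domainSid-*" }

    [pscustomobject]@{
        # Added in AD after logon: no effect until the user logs off and on again.
        AddedNotYetEffective  = @($dirSids | Where-Object { $tokenSids -notcontains $_ } |
                                    ForEach-Object { (Get-ADGroup -Identity $_).Name })
        # Removed in AD after logon: the token still carries them, so access persists.
        RemovedStillEffective = @($tokenSids | Where-Object { $dirSids -notcontains $_ } |
                                    ForEach-Object { (Get-ADGroup -Identity $_).Name })
    }
}

Get-PendingGroupChanges
```

Both lists empty means the token matches the directory. A non-empty RemovedStillEffective list is the case that matters for incident response: revoking a group membership does not cut off a session that is already logged on.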
Granting permissions using a group from a different domain is only possible where a trust relationship exists between the domains.
Nesting one Group within another with a different scope
Rules that govern when a group may be added to another group (same domain):
– Global groups can be nested within Domain Local groups, Universal groups and other Global groups in the same domain.
– Universal groups can be nested within Domain Local groups and within other Universal groups in any domain.
– Domain Local groups can be nested within other Domain Local groups in the same domain.
– A Domain Local group cannot be nested within a Global or a Universal group.
Rules that govern when a group may be added to another group (different domain):
– Domain Local groups can grant access only to resources in their own domain. For example, a Domain Local group named Sales in the raylin.local domain can grant access to resources in that domain, and not in raylin.com.
– Domain Local groups can accept almost anything: user and computer accounts, Global groups and Universal groups from any trusted domain, and Domain Local groups from their own domain only.
– Global groups can be used to grant access to anything, including files and folders in any domain.
– Global groups cannot be nested across domains. You cannot take a Global group from raylin.local and nest it within another Global group in raylin.com.
– A user or computer account from one domain cannot be a member of a Global group in another domain.
– Universal groups accept user and computer accounts from any domain in the forest. A Global group from any domain in the forest can also be nested within a Universal group.
– A Universal group can be nested within another Universal group or a Domain Local group in any domain.
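Because nesting across these scopes is what turns one ACL entry into a large effective population, a practitioner usually wants to see the whole chain rather than a flat member list. The function below is an added example, not code from the original article: it walks nested membership downward from one group, shows the scope at each level and the path through which every account ends up holding the group's rights, and stops on circular nesting, which AD does not prevent. It assumes the ActiveDirectory module and that nested groups live in the local domain (a group from another domain would need -Server on the lookups); the group name in the usage line is hypothetical.

```powershell
function Expand-GroupNesting {
    # Added example (not from the original article). Assumes the ActiveDirectory
    # module and that every nested group can be resolved in the local domain.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string[]]$Chain    = @(),   # display labels of the groups above this one
        [string[]]$ChainDns = @()    # their distinguished names, used for cycle detection
    )
    Import-Module ActiveDirectory
    $group = Get-ADGroup -Identity $Identity

    # AD permits circular nesting; stop when this group already appears on the current path.
    if ($ChainDns -contains $group.DistinguishedName) {
        Write-Warning "Circular nesting: $($group.Name) reached again via $($Chain -join ' -> ')"
        return
    }
    $path    = $Chain    + "$($group.Name) [$($group.GroupScope)]"
    $pathDns = $ChainDns + $group.DistinguishedName

    foreach ($m in Get-ADGroupMember -Identity $group) {
        if ($m.objectClass -eq 'group') {
            # Recurse; a group reachable by two different paths is reported on both.
            Expand-GroupNesting -Identity $m.DistinguishedName -Chain $path -ChainDns $pathDns
        } else {
            [pscustomobject]@{
                Account = $m.SamAccountName
                Class   = $m.objectClass
                Depth   = $path.Count
                Via     = ($path + $m.SamAccountName) -join ' -> '
            }
        }
    }
}

# Hypothetical Domain Local group: list everyone who effectively holds the rights
# assigned to it on the file server, and the scope chain that got them there.
Expand-GroupNesting -Identity 'FS01-SalesData-Modify' |
    Sort-Object Account, Depth |
    Format-Table -AutoSize
```

Get-ADGroupMember -Recursive would give the same accounts, but without the Via column, and it is the chain that tells you which Global or Universal group to fix when an unexpected account turns up.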
Members – who can join a group:

| Group scope | Location | Local users | Domain users | Users from another domain | Local computer accounts | Domain computer accounts | Computers from another domain | Machine Local groups | Domain Local groups | Global groups | Universal groups |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Machine Local | Local SAM database | Yes | Yes | Yes (trusted domain) | No | Yes | Yes (trusted domain) | No | Yes (computer's own domain) | Yes | Yes |
| Domain Local | Active Directory | No | Yes | Yes (trusted domain) | No | Yes | Yes (trusted domain) | No | Yes (same domain only) | Yes (any domain) | Yes (any domain) |
| Global | Active Directory | No | Yes (same domain only) | No | No | Yes (same domain only) | No | No | No | Yes (same domain only) | No |
| Universal | Active Directory | No | Yes | Yes (any domain in the forest) | No | Yes | Yes (any domain in the forest) | No | No | Yes (any domain in the forest) | Yes (any domain in the forest) |

What a group can be used for:

| Group scope | Location | Can act as distribution list? | File permissions (local machine) | File permissions (domain file server) | File/printer share permissions | Can be mail-enabled | Can assign mailbox permissions | Permissions on Active Directory objects |
|---|---|---|---|---|---|---|---|---|
| Machine Local | Local SAM database | No | Yes | No | Yes (same machine only) | No | No | No |
| Domain Local | Active Directory | Yes | Yes | Yes | Yes | Yes | Yes | Yes* |
| Global | Active Directory | Yes | Yes | Yes* | Yes* | Yes | Yes | Yes |
| Universal | Active Directory | Yes | Yes | Yes* | Yes* | Yes | Yes | Yes |

* Possible but not recommended by Microsoft.
To modify groups in AD, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group, or you must have been delegated the appropriate authority.