What are Active Directory Groups?
Active Directory enables administrators to manage all objects and services from one centralized location rather than having to go from computer to computer to get things done. Many other programs can tie into Active Directory to manage user accounts and other objects as well. Active Directory has several built-in groups that you can use to assign users or computers to, so they have the permissions they need to get their jobs done. You can also create your own groups and assign those groups various levels of access and permissions.
Within Active Directory, a group is an object that collects users, contacts, computers, and even other groups so that you can manage them as a single unit. Objects that belong to a particular group are called group members. Using groups simplifies administration: you assign a set of permissions or rights to the group once, rather than to each member individually.
Exploring Types of Active Directory Groups
As discussed above, an Active Directory group is a collection of Active Directory objects: users, computers, other groups, and other AD objects. The administrator manages the group as a single object. In Windows there are 7 kinds of group in all: two domain group types (security and distribution), each available in three scopes, plus local groups stored on an individual computer.
We were demonstrating how to manage the creation and automation of Active Directory security groups and distribution lists before we realized that we had no idea what the differences were between the types of Active Directory groups: security and distribution groups, and the group scopes: universal groups (UG), global groups (GG), and domain local groups (DLG).
With a little work, we dug out enough info for this cheat sheet on Active Directory groups:
Domain groups come in two types, security groups and distribution groups, and each type is created with one of three group scopes, discussed next. When you create a new Active Directory group you must choose both the type (security or distribution) and the scope. Use distribution groups to build e-mail distribution lists and security groups to assign permissions to shared resources.
Used with care, security groups provide an efficient way to assign access to resources on your network. Using security groups, you can:
- Assign user rights
- Assign permissions to resources
A security group can also be used as a distribution group in Exchange. These are known as mail-enabled security groups (or security-enabled distribution groups). Exchange will only mail-enable a group whose scope is universal, so choose the scope with that in mind if the group may ever need an e-mail address.
Distribution groups exist to combine users so that you can send e-mail (via Microsoft Exchange Server) to the group collectively rather than to each user individually. They are meant for e-mail only and cannot be granted Windows permissions: a distribution group is not added to its members' access tokens, so an ACL entry that names one has no effect. The terms "distribution group" and "distribution list" tend to be used interchangeably, particularly by Microsoft Exchange Server administrators. Don't let this trip you up!
When you set up a security or distribution group you must also choose a scope, which tells Active Directory where the group can be used and what it may contain. Every group, whether security or distribution, carries a scope that determines where in the domain or forest it applies. There are three group scopes: universal, global, and domain local.
Universal Group
A universal group can contain users, computers, global groups, and other universal groups from any domain in the forest. Its membership is replicated to the global catalog, so it can be used in any domain of the forest without regard to individual trusts. A universal group can be a member of domain local groups or other universal groups, but NOT of global groups.
Global Group
A global group can contain users, computers, and other global groups from the same domain only, and NOT universal groups. It can be a member of global groups in the same domain, and of domain local or universal groups in any domain in the forest or in a trusting domain.
Domain Local Group
A domain local group can contain users, computers, global groups, and universal groups from any domain in the forest or from any trusted domain, plus domain local groups from the same domain. It can be a member only of other domain local groups in the same domain.

The short answer: domain local groups are the only groups that can have members from outside the forest. Use global groups to collect accounts where a trust is involved (a global group from a trusted domain can be nested into a domain local group in the trusting domain), and universal groups when you want membership to work anywhere in the forest without thinking about trusts.

There are also local groups. These are created in the local Security Account Manager (SAM) database of an individual computer, not in Active Directory. Unlike domain groups, a local group keeps working for local accounts even when no domain controller can be contacted.
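As an added example (not code from the original article), the following PowerShell script implements the nesting pattern the scopes above are built for, often abbreviated AGDLP: accounts go into a global group, the global group is nested into a domain local group, and the permission is granted to the domain local group. It assumes the ActiveDirectory module (RSAT), and the domain, OU, user names and share path it uses are hypothetical placeholders.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory
# module (RSAT), rights to create groups in the target OU and to change the
# folder ACL. Every name below (domain, OU, users, share) is a hypothetical
# placeholder.
Import-Module ActiveDirectory

$domainNetbios = 'CORP'                                   # assumed NetBIOS name
$groupOu       = 'OU=Groups,DC=corp,DC=example,DC=com'    # assumed OU
$sharePath     = '\\fs01\Finance'                         # assumed file share
$staff         = @('jdoe', 'asmith')                      # assumed sAMAccountNames

# A -> G: a global group collects accounts from this domain only.
$gg = New-ADGroup -Name 'GG-Finance-Staff' -GroupScope Global `
        -GroupCategory Security -Path $groupOu -PassThru
Add-ADGroupMember -Identity $gg -Members $staff

# G -> DL: a domain local group carries the resource permission. It is also the
# only scope that could admit a global group from a trusted external domain.
$dlg = New-ADGroup -Name 'DLG-Finance-Modify' -GroupScope DomainLocal `
         -GroupCategory Security -Path $groupOu -PassThru
Add-ADGroupMember -Identity $dlg -Members $gg     # nest the group, not the users

# DL -> P: grant Modify on the folder to the domain local group and nothing else.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
          -ArgumentList @("$domainNetbios\$($dlg.SamAccountName)", 'Modify',
                          'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check: the effective membership resolved through the nesting, and the ACE
# that actually landed on the folder.
Get-ADGroupMember -Identity $dlg -Recursive | Select-Object SamAccountName, objectClass
(Get-Acl -Path $sharePath).Access |
    Where-Object IdentityReference -like "*$($dlg.SamAccountName)" |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

The point of the indirection is that the ACL never names a user or a global group: when staff change, you edit the global group; when a second domain or a trusted partner needs the same access, you nest its global group into the same domain local group; and a review of the folder's ACL stays a review of one entry.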
Change of Scope or Type of Active Directory Groups
You can change an Active Directory group's scope or type, but there are several conditions. As summarized in the image in the original article, they are:
- Global to universal: allowed only if the group is not itself a member of another global group.
- Domain local to universal: allowed only if the group does not contain another domain local group.
- Universal to global: allowed only if the group does not contain another universal group.
- Universal to domain local: no restrictions.
- Global to domain local, or domain local to global: no direct conversion; convert to universal first, then to the target scope.
- Security to distribution, or distribution to security: no membership restrictions, but a security group converted to a distribution group drops out of its members' access tokens, so any permissions granted to it silently stop applying.
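An added PowerShell function, not from the original article, that applies those conversion rules before calling Set-ADGroup: it checks the blocking condition for each scope change, routes global to domain local (and back) through universal, and treats the type change separately. It assumes the ActiveDirectory module; the group name in the usage lines is hypothetical.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT); the group name in the usage lines at the bottom is hypothetical.
Import-Module ActiveDirectory

function Get-ADNestedGroups {
    # Direct members of $Identity that are themselves groups, returned with scope.
    param([string] $Identity)
    Get-ADGroupMember -Identity $Identity |
        Where-Object objectClass -eq 'group' |
        ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName }
}

function Convert-ADGroupScope {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('Global', 'DomainLocal', 'Universal')]
        [string] $TargetScope
    )
    $group   = Get-ADGroup -Identity $Identity -Properties MemberOf
    $current = [string] $group.GroupScope
    if ($current -eq $TargetScope) { return $group }

    # Global <-> DomainLocal has no direct path: go through Universal.
    if (($current -eq 'Global' -and $TargetScope -eq 'DomainLocal') -or
        ($current -eq 'DomainLocal' -and $TargetScope -eq 'Global')) {
        $null = Convert-ADGroupScope -Identity $Identity -TargetScope Universal
        return Convert-ADGroupScope -Identity $Identity -TargetScope $TargetScope
    }

    switch ("$current->$TargetScope") {
        'Global->Universal' {
            # Blocked while this group is a member of another global group.
            $globalParents = $group.MemberOf |
                ForEach-Object { Get-ADGroup -Identity $_ } |
                Where-Object GroupScope -eq 'Global'
            if ($globalParents) {
                throw "$Identity is a member of global group(s): $($globalParents.Name -join ', ')"
            }
        }
        'DomainLocal->Universal' {
            # Blocked while this group contains another domain local group.
            $dlChildren = Get-ADNestedGroups $Identity | Where-Object GroupScope -eq 'DomainLocal'
            if ($dlChildren) {
                throw "$Identity contains domain local group(s): $($dlChildren.Name -join ', ')"
            }
        }
        'Universal->Global' {
            # Blocked while this group contains another universal group.
            $uChildren = Get-ADNestedGroups $Identity | Where-Object GroupScope -eq 'Universal'
            if ($uChildren) {
                throw "$Identity contains universal group(s): $($uChildren.Name -join ', ')"
            }
        }
        'Universal->DomainLocal' { }   # no restrictions
    }

    Set-ADGroup -Identity $Identity -GroupScope $TargetScope
    Get-ADGroup -Identity $Identity
}

# Usage (hypothetical group name). Scope: global -> domain local, via universal.
Convert-ADGroupScope -Identity 'GG-Finance-Staff' -TargetScope DomainLocal

# Type: no membership restriction, but a security group turned into a
# distribution group leaves its members' access tokens, so every ACE that
# references it stops granting access. Check where the group is used first.
Set-ADGroup -Identity 'GG-Finance-Staff' -GroupCategory Distribution
```

Active Directory enforces the same rules itself and rejects a disallowed change, but checking first tells you which nested group is in the way instead of a bare constraint-violation error, and it keeps the two-step global-to-domain-local conversion from stopping halfway with the group left universal.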
GroupID by Imanami offers a suite of solutions that helps IT professionals manage groups, users, and entitlements effectively and automatically. Since security is the key element of Active Directory group management best practice, see also how ransomware attacks target Active Directory.