
Active Directory Group Types and Scopes

Friday, October 28, 2011

Groups are one of the most important tools an Active Directory (AD) administrator has in his or her toolbox. Groups are objects that can include users, computers, and even other groups as members. Windows Server 200x (2000, 2003, and 2008, at the time of this writing) supports two types of groups: Distribution and Security. Distribution groups were introduced with Active Directory in Windows 2000 and are used primarily for email distribution lists. Distribution groups cannot be used to secure resources (ACLs cannot be applied to them), whereas Security groups can both be granted permissions and be mail-enabled. It is important to plan the use of groups before implementing your Active Directory infrastructure so that it can be managed and scaled well. In addition to its type, every group has one of three scopes: Domain Local, Global, and Universal.

Domain Local Groups

Domain Local Groups are defined in the local domain and can be used to secure resources ONLY in the local domain. They can contain members from the same domain, from any domain in the forest, and from trusted domains.

Global Groups

Global Groups are defined in the local domain and can be used to secure resources in the local domain, in any domain in the forest, and in any trusting domain. They can contain members ONLY from the same domain (users, computers, and other Global groups of that domain).

Universal Groups

Universal Groups are used primarily to grant access to resources in all trusted domains. They can contain members from any domain in the forest. Their membership is stored in the global catalog, so nesting Global groups in them (rather than individual accounts) keeps that replication small and stable.

To manage resources with the least administrative effort, it is important to follow one or more of these best practices (accounts are placed in groups, permissions are placed on the resource, and the arrows show the direction of nesting):

  • A --> G <-- P
  • A --> G --> DL <-- P
  • A --> G --> U --> DL <-- P

A: Accounts (users and computers)
G: Global Groups
U: Universal Groups
DL: Domain Local Groups
P: Permissions (applied to the resource)

For example, the concept for "A --> G --> DL <-- P" is as follows:

  • Add users to global groups.
  • Add global groups to domain local groups.
  • Apply permissions to domain local groups.

In this example, say that Bob is a member of the Sales team. Bob is added to the "Sales Team" global group. The Sales team needs access to a file share called "Data". A domain local group called "Sales Data" is created, and the global group "Sales Team" is made a member of it. The permission "READ" is applied to the "Sales Data" domain local group.

Now, Bob has retired and Sally is hired. Sally can be given the same access as Bob by simply adding her to the “Sales Team” global group.
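The three AGDLP steps above and the Bob/Sally hand-over, written out as PowerShell. This is an added example, not code from the original post; it uses the RSAT ActiveDirectory module cmdlets on a domain-joined host that has rights to create groups and edit the share's NTFS ACL. The domain (CONTOSO / contoso.local), the "Groups" OU, the share path \\FS01\Data and the accounts bob and sally are assumptions for illustration. The two checks at the end are the ones worth running after any change: that the nesting resolves to the people you expect, and that nothing other than a Domain Local group is granted directly on the resource.

```powershell
# Added example (not from the original post): AGDLP for the "Sales Team" /
# "Sales Data" scenario. Assumed names: domain CONTOSO (contoso.local),
# OU "Groups", share \\FS01\Data, accounts bob and sally.
Import-Module ActiveDirectory

$Domain    = 'CONTOSO'
$GroupOU   = 'OU=Groups,DC=contoso,DC=local'   # assumed OU for the new groups
$SharePath = '\\FS01\Data'                      # assumed share backed by an NTFS folder

# Step 1 (A -> G): accounts go into a Global security group.
# A Global group may only contain members from its own domain.
New-ADGroup -Name 'Sales Team' -SamAccountName 'SalesTeam' `
    -GroupScope Global -GroupCategory Security -Path $GroupOU
Add-ADGroupMember -Identity 'SalesTeam' -Members 'bob'

# Step 2 (G -> DL): the Global group is nested in a Domain Local security group.
# The Domain Local group is the only principal that will ever appear on the ACL.
New-ADGroup -Name 'Sales Data' -SamAccountName 'SalesData' `
    -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
Add-ADGroupMember -Identity 'SalesData' -Members 'SalesTeam'

# Step 3 (DL <- P): grant READ on the folder to the Domain Local group,
# inherited by subfolders and files.
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$Domain\SalesData",
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Bob retires and Sally is hired: only the Global group membership changes.
# The Domain Local group and the ACL on the share are never touched again.
Remove-ADGroupMember -Identity 'SalesTeam' -Members 'bob' -Confirm:$false
Add-ADGroupMember    -Identity 'SalesTeam' -Members 'sally'

# Check 1: the nesting resolves to the people you expect (Sally, not Bob).
Get-ADGroupMember -Identity 'SalesData' -Recursive |
    Select-Object Name, objectClass

# Check 2: every explicit (non-inherited) ACE on the share should name a
# Domain Local group. A user or a Global group granted directly on the
# resource is exactly the pattern AGDLP is meant to avoid.
(Get-Acl -Path $SharePath).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "$Domain\*" } |
    ForEach-Object {
        $sam   = ($_.IdentityReference.Value -split '\\')[1]
        $grp   = Get-ADGroup -Filter "sAMAccountName -eq '$sam'"
        $scope = if ($grp) { $grp.GroupScope } else { 'not a group: direct user grant' }
        [pscustomobject]@{
            Trustee = $_.IdentityReference.Value
            Rights  = $_.FileSystemRights
            Scope   = $scope
        }
    } | Format-Table -AutoSize
```

Run it once as a whole to build the structure, then re-run only the last two checks whenever access is changed. Any row in the second check whose Scope is "Global" or "not a group" is a grant that bypasses the model and should be moved into a Domain Local group.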

The more resources and groups that are defined, the more effective this concept becomes.
