Site icon REBELADMIN

Active Directory Groups

I am sure every on who uses active directory heard about the groups. Even in stand-alone pc you can see set of groups. But it is important to know how these groups are working and what each type of groups really do.

In windows server 2012 have two types of groups in place.

Distributed Group – This is non-security related group and purpose of it to distribute information to a group of resources. These can use by AD aware applications for example, Microsoft Exchange to distribute email.

Security Group – This is security related group for granting access permissions to group of users in to resources. For example this group can use to assign permissions to a network share.

Group Scope

Apart from the group types we can define the boundaries for the groups. We can use it to current domain or extend to use different domains as well.

There are 3 types of group scope levels.

Domain Local

This group can have any of the following resources assigned.

•    User Accounts
•    Computer Accounts
•    Universal Groups
•    Domain Local groups from the same domain
•    Global Groups from the forest

This limits the group scope in to the same domain.

Global Group

This group can have any of the followings resources,

•    User Accounts
•    Computer Accounts
•    Other global groups from same domain

Using this you can use the group to assign permission to any resources in the forest. It can be either same domain or different domains. But the group membership are only replicated to domain controllers in same domain.

Universal Group

This can have the following resources

•    User accounts
•    Computer accounts
•    Other universal groups
•    Global Groups

This can use with any domain in the forest and also can use between trusted sites. Universal groups are stored in global catalog servers. So any changes to group membership will replicate to all GC servers in the forest.

Nested Groups

This is one of the nice features we can use for permission delegation. You can make a group in to member of another group. For ex- if you create a group for IT department it can be a member of “All Staff” user group.

If you have any questions about the post feel free to contact me on rebeladm@live.com

Exit mobile version