Active Directory: Groups

It’s been a while since I wrote my last post and before I start my next post I would like to wish everyone a happy new year (I know its lateSad smile)!

Groups in Active Directory are very useful to us administrators. First of all why do we need groups in Active Directory? If you think about it its just to manage your entire active directory environment more easily and to make your life easier.

When you look at how groups are going to make your life easier, imagine this, you have a network resource to which you need to restrict/grant access to everyone in the sales Organizational Unit (OU). If you don’t use groups, then you will add the Users one by one to the resources Discretionary Access Control List (DACL). Lets say another sales person was hired you will have to add him manually to the DACL. Instead you create a Group in your AD and make all the sales users member of that group and assign the permission to that group. That’s more effective and when a new sales person joins just make him a member of that group. 

So what are these groups that we are talking about? Groups are also an Object in Active Directory, like User Accounts, Computer Accounts, Organizational Units, etc. groups are also similar objects which at times contains a Security Identifier (SID) and sometimes does not.

You can create groups in 2 ways,

  • by using the Active Directory users and computers snap-in
  • by using the DSadd command line tool

To create a group using the Active Directory users and computers, open the snap-in, right click inside an Organizational Unit and select New and then Group

To create a group named “sales” inside the default “users” container under a domain named “” using DSadd,                                                                                dsadd group cn=sales,cn=users,dc=cloud,dc=com

Either way you select, it works like a charmSmile

While creating a group you have to consider two main points,

  • Group Type
  • Group Scope

There are two Group Types

Security Group: You will be creating a Security Group to assign permissions to files and folders. Usually Security groups are the default selection when you are creating a new group. Security Groups will be a Security Principal which is assigned with a Security Identifier (SID). The SID will check the access level when ever a user who is a member of a security group tries to access a network resource (Using the User’s Access Tokens – Will Explain in another posts).

Distribution Group: This type of group cannot be called as a Security Principal as it will not be assigned with a SID hence a distribution group will only be used to send email messages to a group or a collection of users. To be more specific it’s a distribution list where Mail servers such as Exchange uses to send emails to a particular address such as in turn email will be delivered to every single email enabled user in that domain (who is a member of the everyone distribution group). Its not possible to list a Distribution Group inside an “ACL” and assign permissions to it.

This does not limit that a Security Group cannot be an email enabled group.

When you look at Group Scopes,

Local Groups: These are the groups which resides in the Security Accounts Manager (SAM) of a local computer. Built in groups such as Administrators, Backup Operators, Power Users, etc.    

Domain Local Group: Can be created in a domain environment and these groups can be used on anywhere in the DOMAIN

Universal Groups: Can be created in a domain environment and these groups can be used anywhere in a FOREST 

Global Groups: Can be created in a domain environment and these groups can be used anywhere in the DOMAIN or TRUSTED DOMAINS

Well I hope the above information was useful to you. Do leave your comments Smile

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s