Logo

Group Types

This video looks at the different group types available in Active Directory. These include Local, Domain Local, Global, and Universal. The video also covers membership requirements which can be used in each of the different groups and converting between different groups. Finally, this video looks at distribution vs security groups.

Show lesson content

Demonstration 14:35

Distribution Group
Any group in Active Directory can be created as either a distribution group or a security group. Distribution groups do not have a SID (Security Identifier) associated with them. For this reason distribution groups can’t be used for security. That is, a distribution group cannot be used to assign permissions to files or objects. Distribution groups are mainly used with e-mail programs like Exchange to send e-mails to groups of people. Since there is no SID associated with the group, when you make a user a member of a distribution group, this does not affect the size of the security token for that user. A security token is created when the user logs in and contains their SID and any SID’s for any security groups of which they are a member.

Security Group
A security group has a SID and thus can be used for assigning permissions to files or objects. A security group can also be used as a distribution group in e-mail software like Exchange. Thus, the difference between a security group and a distribution group is simply that a security group is security enabled whereas a distribution group is not. If you are not sure which group to create, create a security group since it can do everything a distribution group can do and can also be used in security related operations.

Local Group
Local groups exist only on the computer on which they were created. A local group can have as a member any user or computer account as well as any other type of valid group.

Domain Local Group
Domain Local groups can only be used in the domain in which they were created. A Domain Local group allows membership from any other group as well as any user or computer. Domain Local groups from other domains cannot be used as members because they are limited in their use outside of the domain in which they were created. Universal groups can only be used as members when the Universal group exists in the same forest as the Domain Local group.

Global Group
Global groups have the most restrictive membership requirements, only allowing users, computers, and other Global groups from the same domain to be used as members. However, Global groups can be used as members of any other group, including other forest and external domains. This means a Global group has the most restrictive membership requirements of all the groups but is the most flexible when being used as members of other groups.

Universal Group
The Universal group is replicated via the global catalog server. For this reason, it is available to any domain in the forest but not to other forests or external domains. Since the Universal group is available forest wide, it does not allow Domain Local groups to be members even when the Universal group has been created in the same domain as the Domain Local group.

Summary of Groups’ Membership
1) Users and computers can go into any group in any domain and any forest or external domain if the group supports it.

2) Local and Domain Local groups allow the same membership requirements.

3) Universal, Domain Local and Local groups have the least strict membership requirements allowing any valid group with appropriate scope to be a member.

4) Global groups can contain only users, computers and other Global groups from the same domain only.

5) Global groups can be used everywhere, any domain, forest or external domain.

6) Universal groups are available only in the same forest since they are replicated using the global catalog. Since they are forest wide, Domain Local groups can’t be members since the Domain Local scope is limited to the domain in which they were created.

Converting Between Groups
At any time, a group can be converted from one group to another. If a group is changed from a security to a distribution group, this will disable any permissions that were assigned using that group. Permissions can allow or deny a user from accessing a resource and thus changing a group from security to distribution can allow or deny a user access to a resource. Changing a group from a distribution to a security group simply allows that group to be used with security.

Changing a group from Domain Local, Global, or Universal to any other type of group is supported. If you attempt to change a Domain Local to a Global group or vice versa this will fail. In order to achieve this, you need to change the group to a Universal group first. As long as the group meets the membership requirements for the new group, it will be converted. When changing group scopes, consider what would happen if the group was being used on a resource outside the domain. A change to the group scope could make that group no longer valid in that domain and security will no longer be applied in that domain using that group.

Demonstration
To create new groups in Active Directory, run “Active Directory Users and Computers” and right click on the OU that you want to create the group in and select new group.

To add a user, computer or another group to a group, right click the object that you want to add to the group and select add to group and then enter in the group that you want to add the object to.

To change a group to a different type, right click the group and open the properties. On the “General” tab select which group type and scope that you want and press o.k. If there is a problem changing the group, Windows will display an error message.

To check membership of a group, open the properties of the group and select the “Members” tab. You can also see which other groups have this group as a member by selecting the tab, “Members of.” This will only show groups used in the same domain or Universal group since Universal groups’ membership can be obtained using the global catalog server.

At any time a group can be renamed by right clicking on it and selecting rename. There is also an option for pre-Windows 2000 name. It is a good idea to make sure this name, where possible, is the same as the group name.

References
“MCTS 70-640 Configuring Windows Server 2008 Active Directory” pg 145-152
“Active Directory Users, Computers, and Groups“ http://technet.microsoft.com/en-us/library/bb727067.aspx

Credits

Lesson tags: 70-640-active-directory
Back to: 70-640 Introduction to Active Directory > Maintaining Active Directory Objects

Active Directory is a system which offers centralized control of your computers.

Modules

Active Directory Infrastructure

Lessons

Group Policy

Lessons