Working with Windows Server groups

In the Windows Server 2008 world groups are used to contain objects (user accounts, machine accounts etc) and allow for easier management of these objects. These groups become particular useful with managing access to network resources like file shares.

Active Directory Group Scopes

There are three different scopes of groups within Windows Server 2008 and each scope can nest groups differently. Which group you utilise depends on your requirements and how you will like the group to be used, but in general universal groups are more commonly used.

Domain local groups

Domain local groups can be created only on a domain controller, so ordinary client computers or member servers of a domain cannot host domain local groups. Domain local groups can be put inside machine local groups within the same domain (this is a process called nesting). They can contain global groups from a domain that trusts the current domain and other domain local groups from the same domain.

Domain global groups

Like domain local groups, domain global groups can be created only on a domain controller, but domain global groups can be put into any local group of any machine that is a member of the current domain or a trusted domain. Domain global groups can also be nested in other global groups; however, all nested domain global groups must be from the same domain. Domain global groups are great tools that contain all the functionality of domain local groups, and more, and they are the most common type of group used across a domain.

Universal groups

Universal groups are a sort of “do-it-all” type of group. Universal groups can contain global and universal groups, and those nested groups can be from any domain in your AD DS forest.

Group Types

There are two types of groups available in Active Directory-

Security Groups

A security group is used to delegate permissions to network resources.
A security group can be manually ‘mail-enabled’ to allow it to be used as an email distribution list.

Distribution Groups

A distribution group is used to distribute emails to a group of users, it can only be used for this purpose. A distribution group can not be used to delegate permissions or access to services.