Active Directory, Chapter 4 Managing Groups

Chapter 4 Managing Groups

What are Groups in Active Directory

Groups are containers that hold user and computer objects as members. When security permissions are set for a group in the Access Control List on a resource, all members of that group receive those permissions. Domain groups enable centralized administration in a domain. All domain groups are created on a domain controller.

  • AD groups are objects that act as containers for users, computers and other groups.
  • Groups are used to make the management of users easier, especially when it comes to granting permissions to access resources.
  • There are two types of groups in Active Directory:
    • Distribution groups: used to create email distribution lists.
    • Security groups: used to assign permissions to shared resources.
  • Groups are characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. The scope of the group defines where the group can be granted permissions. Active Directory defines the following three group scopes:
    • Universal
    • Global
    • Domain Local

Group scopes compared (possible members, scope conversion, where permissions can be granted, possible member of):

  • Universal
    • Possible members: Accounts from any domain in the same forest; Global groups from any domain in the same forest; Other Universal groups from any domain in the same forest
    • Scope conversion: Can be converted to Domain Local scope; Can be converted to Global scope if the group does not contain any other Universal groups
    • Can grant permissions: On any domain in the same forest or trusting forests
    • Possible member of: Other Universal groups in the same forest; Domain Local groups in the same forest or trusting forests; Local groups on computers in the same forest or trusting forests
  • Global
    • Possible members: Accounts from the same domain; Other Global groups from the same domain
    • Scope conversion: Can be converted to Universal scope if the group is not a member of any other global group
    • Can grant permissions: On any domain in the same forest, or trusting domains or forests
    • Possible member of: Universal groups from any domain in the same forest; Other Global groups from the same domain; Domain Local groups from any domain in the same forest, or from any trusting domain
  • Domain Local
    • Possible members: Accounts from any domain or any trusted domain; Global groups from any domain or any trusted domain; Universal groups from any domain in the same forest; Other Domain Local groups from the same domain; Accounts, Global groups, and Universal groups from other forests and from external domains
    • Scope conversion: Can be converted to Universal scope if the group does not contain any other Domain Local groups
    • Can grant permissions: Within the same domain
    • Possible member of: Other Domain Local groups from the same domain; Local groups on computers in the same domain, excluding built-in groups that have well-known SIDs
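
The scope rules listed above can be checked mechanically when reviewing group nesting. The following is an added example, not part of the original page or any Microsoft tooling: it audits group-in-group nesting and scope conversions using only the conditions stated above, for groups inside a single forest. The group names, domains and the functions nesting_allowed, audit_nesting and can_convert are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    scope: str                      # "Universal", "Global" or "DomainLocal"
    domain: str
    members: list = field(default_factory=list)  # names of nested groups

def nesting_allowed(parent, child):
    """'Possible members' rules for group-in-group nesting inside one forest."""
    same_domain = parent.domain == child.domain
    if parent.scope == "Universal":
        return child.scope in ("Global", "Universal")
    if parent.scope == "Global":
        return child.scope == "Global" and same_domain
    if parent.scope == "DomainLocal":
        return child.scope != "DomainLocal" or same_domain
    raise ValueError(f"unknown scope: {parent.scope}")

def audit_nesting(groups):
    """Return (parent, child) pairs that break the membership rules."""
    return [(g.name, m) for g in groups.values() for m in g.members
            if not nesting_allowed(g, groups[m])]

def can_convert(groups, name, target):
    """'Scope conversion' conditions, evaluated against current nesting."""
    g = groups[name]
    child_scopes = {groups[m].scope for m in g.members}
    parent_scopes = {p.scope for p in groups.values() if name in p.members}
    if (g.scope, target) == ("Universal", "DomainLocal"):
        return True
    if (g.scope, target) == ("Universal", "Global"):
        return "Universal" not in child_scopes
    if (g.scope, target) == ("Global", "Universal"):
        return "Global" not in parent_scopes
    if (g.scope, target) == ("DomainLocal", "Universal"):
        return "DomainLocal" not in child_scopes
    return False                    # conversion not listed in the scope rules

# Constructed sample data: hypothetical groups in two domains of one forest.
GROUPS = {g.name: g for g in [
    Group("G_SalesEU", "Global", "corp.example"),
    Group("G_Sales", "Global", "corp.example", ["G_SalesEU"]),
    Group("G_Eng", "Global", "emea.corp.example", ["G_Sales"]),
    Group("U_AllStaff", "Universal", "corp.example", ["G_Sales", "G_Eng"]),
    Group("DL_FileShare", "DomainLocal", "corp.example", ["U_AllStaff"]),
    Group("DL_Printers", "DomainLocal", "emea.corp.example", ["DL_FileShare"]),
]}

if __name__ == "__main__":
    print("Invalid nestings:", audit_nesting(GROUPS))
    print("G_Eng -> Universal:", can_convert(GROUPS, "G_Eng", "Universal"))
```

In the sample data, the two flagged nestings are a Global group containing a Global group from another domain and a Domain Local group containing a Domain Local group from another domain.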

Note: Groups can contain accounts. Don’t mix computers and users in the same group.

  • Groups have a simple life cycle:
    1) Creation 2) Use and modification of membership 3) Deletion

Source:

https://technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx
