Types of Groups
When dealing with groups, you should make the distinction between local security
principals and domain security principals, as follows:
Local Users and Groups: You use local users and groups to assign the permissions
necessary to access the local machine. For example, you may assign the permissions you
need to reboot a domain controller to a specific domain local group.
Domain Users and Groups: Domain users and groups, on the other hand, are used
throughout the domain. These objects are available on any of the computers within the
Active Directory domain and between domains that have a trust relationship.
Here are the two main types of groups used in Active Directory:
Security Groups: Security groups are considered security principals. They can contain user
accounts, computers, or groups. To make administration simpler, system administrators
usually grant permissions to groups. This allows you to change permissions easily at the Active
Directory level (instead of at the level of the resource on which the permissions are assigned).
You can also place Active Directory Contact objects within security groups, but security
permissions will not apply to them.
Distribution Groups: Distribution groups are not considered security principals because
they do not have SIDs. As mentioned earlier, they are used only for the purpose of
sending email messages. You can add users to distribution groups just as you would add them
to security groups. You can also place distribution groups within OUs so that they are
easier to manage. You will find them useful, for example, if you need to send email
messages to an entire department or business unit within Active Directory.
Understanding the differences between security and distribution groups is important in
an Active Directory environment. For the most part, system administrators use security
groups for the daily administration of permissions. On the other hand, system
administrators who are responsible for maintaining email distribution lists generally use distribution
groups to group members of departments and business units logically. (A system
administrator can also email all of the users within a security group, but to do so, they would have
to specify the email addresses for the accounts.)
When you are working in Windows Server 2003, Server 2008, Server 2008 R2,
Windows Server 2012, or Windows Server 2012 R2 functional-level domains, you can
convert security groups to or from distribution groups.
It is vital that you understand group types when you are getting ready to
take the Microsoft exams. Microsoft likes to include trick questions about
putting permissions on distribution groups. Remember, only security
groups can have permissions assigned to them.
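
An added example, not part of the original text: because only security groups can carry permissions, any access granted through a security group stops applying once it is converted to a distribution group. The PowerShell below checks file system ACLs for the group's SID before previewing the conversion; it uses the ActiveDirectory module, and the function name, group name and share path are hypothetical.

```powershell
# Added example (not from the original text). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-GroupSafeToConvert {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,  # security group to check
        [Parameter(Mandatory)] [string[]] $Path        # folder trees to inspect
    )

    $group = Get-ADGroup -Identity $GroupName
    if ($group.GroupCategory -ne 'Security') {
        Write-Warning "$GroupName is already a $($group.GroupCategory) group."
        return $false
    }

    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $findings = @()

    foreach ($root in $Path) {
        # Top folder: explicit and inherited entries. Subfolders: explicit entries only,
        # so an inherited entry is reported once, at the place it is defined.
        $top  = Get-Item -LiteralPath $root
        $subs = @(Get-ChildItem -LiteralPath $root -Directory -Recurse)

        foreach ($item in @($top) + $subs) {
            $inherited = ($item.FullName -eq $top.FullName)
            $rules = (Get-Acl -LiteralPath $item.FullName).GetAccessRules(
                         $true, $inherited, $sidType)
            foreach ($ace in $rules) {
                if ($ace.IdentityReference.Value -eq $group.SID.Value) {
                    $findings += "$($item.FullName): $($ace.AccessControlType) $($ace.FileSystemRights)"
                }
            }
        }
    }

    $findings | ForEach-Object { Write-Warning "Permission depends on ${GroupName}: $_" }
    return ($findings.Count -eq 0)
}

# Constructed sample values; replace with a group and share you administer.
if (Test-GroupSafeToConvert -GroupName 'Finance-Staff' -Path '\\fileserver01\Finance') {
    # -WhatIf previews the change; remove it to perform the conversion.
    Set-ADGroup -Identity 'Finance-Staff' -GroupCategory Distribution -WhatIf
}
```

The check covers only the file system paths you pass in; permissions granted to the group elsewhere (other shares, Active Directory objects, applications) need their own review.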
Group Scope
In addition to being classified by type, each group is given a specific scope. The scope of a
group defines two characteristics. First, it determines the level of security that applies to