- Windows Server
- 06 August 2021 at 17:11 UTC
-
- 1/2
When you create an Active Directory infrastructure, you have the option of creating user groups with a specific scope and type.
Groups allow you to :
- simplify management of rights on folders on a partition using the NTFS file system
- manage permissions on network shares
- use this as a security filter for the application of your group policy objects
- send mail (emails) to some users by targeting them through the group they are in
- and more
- Create a new AD group
- Distribution group
- Security group
- Change the scope of a group
- Add users to a group
- Delegate management of a group
1. Create a new AD group
To create a new group on your Active Directory infrastructure, right click "New" on the organizational unit (OU) or container (CN) where you want to create it.
As you can see, you can choose a group scope and a group type.
For group scopes, you can choose between :
- local domain :
- these groups can contain objects (users, groups, ...) from any domain
- these groups can only be used to set permissions on resources present in the same domain as this group - global :
- these groups can only contain objects (users, groups, ...) present in the same domain as the group itself
- these groups can be used to set permissions on resources present in other domains in the same forest - universal :
- these groups can contain objects (users, groups, ...) from any domain in the same forest
- these groups are used to set permissions on resources present in the same forest as this group
For the group's type, you have the choice between :
- security : this type of group has a security identifier (SID) and therefore allows you, for example, to define permissions on various resources and/or NTFS rights on folders and files
- distribution : this type of group can only be used with messaging solutions, such as Microsoft Exchange Server, for example.
This makes it possible, for example, to send e-mails to a list of users.
To show you the difference between a security group and a distribution group, we will create 2 groups :
- MySecurityGroup : which is a "Security" type group
- MyDistribGroup : which is a "Distribution" type group
To learn more about the types and scopes of groups, refer to the Microsoft site : About Active Directory groups
The 2 new groups appear.
2. Distribution group
As mentioned earlier, distribution groups are used for sending mail (through Microsoft Exchange, for example).
Warning : distribution groups don't have a security identifier (SID) and therefore can't be used to assign NTFS rights on folders, ...
3. Security group
Security groups have the same features as distribution groups, but they also have a SID. This is not the case for distribution groups.
Thanks to security groups, you can, for example, manage NTFS rights on folders.
To do this, right click on a folder and go to the "Security" tab.
Then, click on Edit.
Click on the "Add" button.
If you search for the groups available in your Active Directory domain, you will see that only the security group will be displayed.
This proves that distribution groups can't be used to manage NTFS rights on folders.
Share this tutorial
To see also
-
Windows Server 4/16/2021
Windows Server - AD DS - How Active Directory replication works
-
Windows Server 4/30/2021
Windows Server - AD DS - Overview of Active Directory functional levels
-
Windows Server 4/3/2021
Windows Server - AD DS - The basics of Active Directory
-
Windows Server 5/21/2021
WS 2016 - AD DS - Add a domain controller to an existing AD domain
You must be logged in to post a comment