A group is represented as a group object in Active Directory. The group object has seven important properties:
| Property | Description |
|---|---|
| cn | The cn (or Common-Name) is a single-value property that is the object's relative distinguished name. The cn is the name of the group in Active Directory. As with all other objects, the cn of a group must be unique among the sibling objects in the container that holds the group. |
| member | The member property is a multi-value property that contains the list of distinguished names for the user, group, and contact objects that are members of the group. Each item in the list is a linked reference to the object that represents the member; therefore, Active Directory automatically updates the distinguished names in the member property when a member object is moved or renamed. |
| groupType | The groupType property is a single-value property that is an integer that specifies the group type and scope using the following bit flags:<br>The first three flags specify the group scope.<br>The ADS_GROUP_TYPE_SECURITY_ENABLED flag indicates the type of the group. If this flag is set, the group is a security group. If this flag is not set, the group is a distribution group. |
| memberOf | The memberOf property is a multi-value property that contains the list of distinguished names for groups that contain the group as a member. This property lists only the groups in which the group is directly nested; it does not contain the recursive list of groups further up the nesting chain. For example, if group D were nested in group C and group B, and group B were nested in group A, the memberOf property of group D would list group C and group B but not group A. |
| objectGUID | The objectGUID property is a single-value property that is the unique identifier for the object. This property is a GUID (Globally Unique Identifier). When an object is created in the directory, Active Directory generates a GUID and assigns it to the object's objectGUID property. The GUID is unique across the enterprise and anywhere else.<br>The objectGUID is a 128-bit GUID structure stored as an OctetString. |
| objectSid (Object-Sid) | The objectSid property is a single-value property that specifies the security identifier (SID) of the group. The SID is a unique value used to identify the group as a security principal. It is a binary value that the system sets when the group is created.<br>Each group has a unique SID, issued by the Windows NT®/Windows® 2000 Server domain, that is stored in the objectSid property of the group object in the directory. Each time a user logs on, the system retrieves the SIDs of the groups of which the user is a member and places them in the user's access token. The system uses the SIDs in the user's access token to identify the user and his/her group memberships in all subsequent interactions with Windows NT/Windows 2000 security.<br>Once a SID has been used as the unique identifier for a user or group, it can never be used again to identify another user or group. |
| sAMAccountName | The sAMAccountName property is a single-value property that is the logon name used to support clients and servers from a previous version (Windows® 95, Windows® 98, and LAN Manager). The sAMAccountName should be less than 20 characters to support clients and servers from a previous version.<br>The sAMAccountName must be unique among all security principal objects within a domain. |
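The groupType, objectGUID and objectSid properties are the ones a tool has to decode rather than read as text, and each has a wrinkle that the table does not show: groupType is stored as a signed 32-bit integer, so every security group comes back from LDAP as a negative number; objectGUID uses the little-endian GUID field layout; objectSid is a packed binary structure. The following Python is an added example, not code from the page or from Microsoft. It assumes the ADS_GROUP_TYPE_ENUM flag values from the Windows SDK (the page names only ADS_GROUP_TYPE_SECURITY_ENABLED) and the standard binary SID layout (revision byte, sub-authority count, 48-bit big-endian identifier authority, 32-bit little-endian sub-authorities); all sample octet strings below are constructed, not taken from a real directory.

```python
"""Decode the groupType, objectGUID and objectSid properties of an AD group object.

Added example, not code from the page. The flag values are assumed from the
ADS_GROUP_TYPE_ENUM in the Windows SDK; the sample byte strings are constructed.
"""
import struct
import uuid

# ADS_GROUP_TYPE_ENUM values (assumed from the Windows SDK).
ADS_GROUP_TYPE_GLOBAL_GROUP = 0x00000002
ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
ADS_GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000

SCOPE_NAMES = {
    ADS_GROUP_TYPE_GLOBAL_GROUP: "global",
    ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP: "domain local",
    ADS_GROUP_TYPE_UNIVERSAL_GROUP: "universal",
}


def decode_group_type(value):
    """Return (scope, kind) for a groupType value.

    groupType is a signed 32-bit integer, so a security group (SECURITY_ENABLED
    bit set) arrives from LDAP as a negative number such as "-2147483646".
    Masking to 32 bits restores the unsigned bit pattern before testing flags;
    bits other than the four above (e.g. the system-created marker) are ignored.
    """
    raw = int(value) & 0xFFFFFFFF
    scopes = [name for flag, name in SCOPE_NAMES.items() if raw & flag]
    if len(scopes) != 1:
        raise ValueError(f"groupType {value!r}: expected exactly one scope flag")
    kind = "security" if raw & ADS_GROUP_TYPE_SECURITY_ENABLED else "distribution"
    return scopes[0], kind


def guid_from_octets(octets):
    """objectGUID octets use the little-endian field layout that uuid.bytes_le expects."""
    data = bytes(octets)
    if len(data) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=data))


def sid_from_octets(octets):
    """Render a binary SID as its S-1-... string form, validating the structure."""
    data = bytes(octets)
    if len(data) < 8:
        raise ValueError("SID header is 8 bytes")
    revision, count = data[0], data[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(data[2:8], "big")  # 6-byte identifier authority, big-endian
    subs = struct.unpack_from(f"<{count}I", data, 8)  # 32-bit little-endian each
    return "S-" + "-".join([str(revision), str(authority)] + [str(s) for s in subs])


def split_domain_rid(sid):
    """Split a group SID into (domain SID, RID); the RID is the last sub-authority."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def ldap_escape_octets(octets):
    """Escape raw bytes for use in an LDAP filter value, e.g. (objectGUID=\\78\\56...)."""
    return "".join("\\%02x" % b for b in bytes(octets))


# Constructed sample values (not from any real directory).
SAMPLE_GUID_OCTETS = bytes.fromhex("78563412341278569abcdef012345678")
SAMPLE_SID_OCTETS = bytes.fromhex(
    "01050000000000051500000001000000020000000300000000020000"
)
SAMPLE_BUILTIN_SID_OCTETS = bytes.fromhex("01020000000000052000000020020000")


def describe_group(entry):
    """Summarize one group entry in the form an LDAP search returns it (strings and bytes)."""
    scope, kind = decode_group_type(entry["groupType"])
    return {
        "cn": entry["cn"],
        "scope": scope,
        "kind": kind,
        "objectGUID": guid_from_octets(entry["objectGUID"]),
        "objectSid": sid_from_octets(entry["objectSid"]),
    }


if __name__ == "__main__":
    sample = {"cn": "Example Admins", "groupType": "-2147483646",
              "objectGUID": SAMPLE_GUID_OCTETS, "objectSid": SAMPLE_SID_OCTETS}
    for key, val in describe_group(sample).items():
        print(f"{key:11} {val}")
```

Two points worth carrying into any inventory or detection script: compare groupType with a mask rather than with a literal, because the same security flag that makes the value negative also means `groupType == 2` silently misses every security group; and when you search by objectGUID or objectSid, pass the escaped octets (as `ldap_escape_octets` produces) rather than the printable string, since the directory stores both as OctetString.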