Directory Services

Group Objects

A group is represented as a group object in Active Directory. The group object has seven important properties:

cn The cn (or Common-Name) is a single-value property that is the object's relative distinguished name. The cn is the name of the group in Active Directory. As with all other objects, the cn of a group must be unique among the sibling objects in the container containing the group.
member The member property is a multi-value property that contains the list of distinguished names for the user, group, and contact objects that are members of the group. Each item in the list is a linked reference to the object that represents the member; therefore, Active Directory automatically updates the distinguished names in the member property when a member object is moved or renamed.
groupType The groupType property is a single-value property that is an integer that specifies the group type and scope using the following bit flags:

ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP

ADS_GROUP_TYPE_GLOBAL_GROUP

ADS_GROUP_TYPE_SECURITY_ENABLED

ADS_GROUP_TYPE_UNIVERSAL_GROUP

The first three flags specify the group scope.

The ADS_GROUP_TYPE_SECURITY_ENABLED flag indicates the type of the group. If this flag is set, the group is a security group. If this flag is not set, the group is a distribution group.

memberOf The memberOf property is a multi-value property that contains the list of distinguished names for groups that contain the group as a member. This property lists the groups beneath which the group is directly nested—it does not contain the recursive list of nested predecessors. For example, if group D were nested in group C and group B and group B were nested in group A, the membersOf property of group D would list group C and group B but not group A.
objectGUID The objectGUID property is a single-value property that is the unique identifier for the object. This property is a GUID (Globally Unique Identifier). When an object is created in the directory, Active Directory generates a GUID and assigns it to the object's objectGUID property. The GUID is unique across the enterprise and anywhere else.

The objectGUID is a 128-bit GUID structure stored as an OctetString.

objectSid (Object-Sid) The objectSid property is a single-value property that specifies the security identifier (SID) of the group. The SID is a unique value used to identify the group as a security principal. It is a binary value that the system sets when the group is created.

Each group has a unique SID that the Windows NT®/Windows® 2000 Server domain issues that is stored in the objectSid property of the group object in the directory. Each time a user logs on, the system retrieves the SID for the groups of which the user is a member and places it in the user's access token. The system uses the SIDs in the user's access token to identify the user and his/her group memberships in all subsequent interactions with Windows NT/Windows 2000 security.

When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group.

sAMAccountName The sAMAccountName property is a single-value property that is the logon name used to support clients and servers from a previous version (Windows® 95, Windows® 98, and LAN Manager). The sAMAccountName should be less than 20 characters to support clients and servers from a previous version.

The sAMAccountName must be unique among all security principal objects within a domain.