Directory Services

Groups in Active Directory

Groups are Active Directory® or local computer objects that can contain users, contacts, computers, and other groups. Groups can be used to:

Groups can be used for security purposes, such as access control and policy, or they can be used for grouping purposes, such as distribution lists. Specify whether a group is used for security purposes when you create the group.

When assigning permissions for resources, file shares, printers, and so on, administrators should assign those permissions to a group rather than to the individual users. The permissions are assigned one time to the group, instead of several times to each individual user. This helps simplify the maintenance and administration of a network.

To control access to a frequently-used resource, create a group that will contain users that require that type of access, add one or more access-control entries (ACEs) to set the access for that group on the security descriptor for the resource, and then add any users who require that type of access to the resource as members of the group. For more information about setting access on directory objects, see Controlling Access to Active Directory Objects. For more information about setting access on other objects in Windows® 2000, see Access Control.

When a user is made a member of a group, that user is given all the rights and permissions granted to the group. However, if the user is already logged on, the rights of the newly assigned group will not take effect until the user logs off and logs on again.

Contacts in a group can be sent e-mail, but cannot be assigned rights and permissions. Although a contact can be added to a security group as well as to a distribution group, contacts cannot be used to set rights and permissions.

Groups vs. Organizational Units

Groups are distinct from organizational units (OUs). OUs are useful for creating a hierarchy for administrative delegation or setting group policy. Groups are used for granting access and creating distribution lists.

Groups and organizational units also differ in regard to the domain boundaries to which they are applied. You can create groups to contain users, computers, or shared resources on a local server, a single domain, or multiple domains in a forest. Organizational units represent a collection of objects (including group objects) only within the context of a single domain.

Native vs. Mixed Mode

In Windows® 2000, domains can operate in two different modes:

A domain must be in native mode to use the following Windows 2000 group features:

Mixed mode supports all types of distribution groups (including Universal) and nesting of distribution groups. Mixed mode should only be used to support Windows NT 4.0 domain controllers during the migration process. A domain tree or forest can contain both mixed-mode and native-mode domains.

Before creating or converting groups that require native mode, your application should verify the operation mode of the domain.

Nesting

In Windows 2000, groups can contain other groups. This is called nesting. Nesting is supported only for distribution groups in domains running in mixed mode. A domain must be in native mode to nest security groups as well as distribution groups.

Nesting can be an efficient way to handle large memberships as well as delegate management of group membership. For example, the top group could be a universal group that contains only global groups. The domain administrators of the domains containing those global groups can manage the membership within their own domains. The enterprise administrator can simply manage the global group membership of the universal group, that is, adding and removing global groups, and let the domain administrators handle the membership requests from users in their own domain.