A group is a simple concept that has been used in many different types of systems over the years. In generic terms, a group is just a collection of things. Groups are used most frequently in a security context whereby you set up a group of users and apply certain permissions or rights to that group. Using a group is much easier when applying security than using individual users because you have to apply the security only once instead of once per user.

In Active Directory, groups are flexible objects that can contain virtually any other type of object as a member. Active Directory groups can be used for many different purposes including controlling access to resources, defining a filter for the application of group policies, and as an email distribution list.

The scope and type of a group defines how the group can be used in a forest. The type of a group can be either security or distribution. Security groups can be used to restrict access to resources whereas distribution groups can be used only as a simple grouping mechanism. Both group types can be used as email lists. The scope of a group determines where members of the group can be located in the forest and where in the forest you can use the group in ACLs. The supported group scopes include universal, global, and domain local. Universal groups and domain local groups can have members that are part of any domain in the forest. Global groups can only have members that are part of the same domain the group is in.

The Anatomy of a Group

Groups are represented in Active Directory by group objects. Table 7-1 contains a list of some of the noteworthy attributes that are available on group objects.

Table 7-1. Attributes of group objects

Attribute            Description
cn                   Relative distinguished name of group objects.
whenCreated          Timestamp of when the group was created.
description          Textual description of the group.
groupType            Flag containing the group scope and type. See Recipe 7.6 for more information.
info                 Additional notes about a group.
primaryGroupToken    Local RID for the group. This matches the primaryGroupID attribute that is set on user objects.
managedBy            DN of a user or group that is the owner of the group.
managedObjects       List of DNs of objects that list this group in their managedBy attribute.
member               List of DNs of members of the group.
memberOf             List of DNs of the groups this group is a member of.
whenChanged          Timestamp of when the group was last modified.
sAMAccountName       Down-level account name for the group. Typically this is the same as the cn attribute.
wWWHomePage          URL of the home page for the group.
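The scope and type rules described above are encoded in the groupType flag. As an added example (not code from the book), the following Python decodes a groupType value into its scope and type and applies the membership rule that global groups may only hold members from their own domain. The bit values are the documented Active Directory groupType flags, which this page does not list; the DNs are constructed sample values.

```python
# Added example: decode the groupType attribute and check the group-scope
# membership rule. Flag values are the documented AD groupType bits (assumed
# here, not given on this page).
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def decode_group_type(group_type: int) -> dict:
    """Return the scope and type of a groupType value.

    LDAP returns groupType as a signed 32-bit integer, so security groups
    appear as negative numbers; mask to 32 bits before testing the flags.
    """
    flags = group_type & 0xFFFFFFFF
    if flags & GROUP_TYPE_UNIVERSAL:
        scope = "universal"
    elif flags & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "domainLocal"
    elif flags & GROUP_TYPE_GLOBAL:
        scope = "global"
    else:
        raise ValueError(f"unknown group scope in groupType {group_type:#x}")
    kind = "security" if flags & GROUP_TYPE_SECURITY_ENABLED else "distribution"
    return {"scope": scope, "type": kind}


def domain_of(dn: str) -> str:
    """Derive the domain DNS name from a DN by joining its DC= components."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC=")).lower()


def member_allowed(group_dn: str, group_type: int, member_dn: str) -> bool:
    """Global groups may only contain members from the group's own domain;
    universal and domain local groups may contain members from any domain
    in the forest."""
    if decode_group_type(group_type)["scope"] == "global":
        return domain_of(group_dn) == domain_of(member_dn)
    return True


if __name__ == "__main__":
    # Constructed sample: a global security group in corp.example
    sales = "CN=Sales,OU=Groups,DC=corp,DC=example"
    print(decode_group_type(-2147483646))  # global security group
    print(member_allowed(sales, -2147483646, "CN=Bob,CN=Users,DC=child,DC=corp,DC=example"))
```

A mismatch reported by member_allowed is the kind of condition that blocks a membership change on a global group, and a negative groupType value is the usual sign of a security-enabled group when reading raw LDAP output.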
