Groups are Active Directory objects used to collect users, contacts, computers, and other groups into manageable units. There are three kinds of groups:
- Security groups Used to manage user and computer access to shared network resources. When assigning permissions to access resources, administrators assign permissions to security groups rather than to individual users.
- Distribution groups Used as e-mail distribution lists. Distribution groups have no security function.
- Query-Based Distribution groups Used also as e-mail distribution lists but the difference is that members of such a group are not specified statically. Membership of these groups is built in dynamic manner using LDAP queries.
In this document, security and distribution groups are collectively referred to as groups. As for Query-based distribution groups, these are considered a separate category of groups.
Each group has a scope: universal, global, or domain local.
- Universal groups can include groups and accounts from any domain in the domain tree or forest, and can be granted permissions in any domain in the domain tree or forest.
- Global groups can only include groups and accounts from the domain in which the group is defined. Global groups can be granted permissions in any domain in the forest.
- Domain local groups can include groups and accounts from other domains. These groups can only be granted permissions within the domain in which the group is defined.
A group can be a member of another group. This is referred to as group nesting. Group nesting increases the number of affected member accounts and thus consolidates group management. Accounts that reside in a group nested within another group are indirect members of the nesting group.
Active Roles provides the facility to perform administrative tasks such as create copy, rename, modify, and delete groups. It can also be used to add and remove members from groups and perform Exchange tasks on groups.
The following section describes how to use the Active Roles console to manage groups. You can also use the Active Roles Web Interface to perform the group management tasks.