Sunday, February 23, 2020

AD DS - Group Types and Scope

Group Types

Groups make it easier to manage users and computers
A group helps organize users or computers to make it easier to manage permissions. There are two types of groups: security groups and distribution groups. When you create a group, you choose the group type. The default group type is the security group.
Screenshot of the Create Groups wizard. The Group types (Security and Distribution) are highlighted.

Distribution Groups vs. Security Groups

Know which type of group to use
The main difference between distribution and security groups is whether permissions and access control can be assigned.

Group type            Can permissions and access control be assigned?
Distribution Groups   No
Security Groups       Yes
Distribution groups are primarily for email
Distribution groups are not security-enabled and cannot be given permission to resources. Distribution groups are used mainly by email applications. Sending an email message to a distribution group sends the message to all group members. If you are creating a group solely for email distribution, it should be this type of group.
Security groups control resources
Security groups are security‑enabled, and are used to assign permissions and control access to various resources. You can use a security group for email distribution, but we recommend you keep distribution groups and security groups separate.

Consider that when you add a user to a group, the user’s access token—which authenticates user processes—updates only when the user signs in. Therefore, if the user is currently signed in, the user must sign out and sign back in to update their access token with any changed group memberships.


What are group scopes?

Group scopes determine permissions and abilities
When you create an AD DS group you must also select a group scope. The scope of a group determines both the range of a group’s abilities or permissions, and the group membership. Your choices are: Domain local, Global, and Universal.
Screenshot of the Create Group wizard. The group scope selections (domain local, global, and universal) are highlighted.

Group scopes have different memberships and permissions
Here is a summary table for the three group scopes. Each scope will be explained in more detail on the next pages.

Group scope    Group Membership         Abilities and Permissions
Domain-local   Any user in the forest   Anything in the domain
Global         Any user in the domain   Anything in the forest
Universal      Any user in the forest   Anything in the forest
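
The type and scope rules above can be applied as a quick group review. This PowerShell sketch is an added example, not part of the original post: the function name Get-GroupReview and the sample groups are constructed for illustration, and the property names (GroupCategory, GroupScope, mail) are the ones Get-ADGroup returns when called with -Properties mail.

```powershell
# Added example. Reports each group's type and scope reach, and flags security
# groups that are also used for email (the post recommends keeping them separate).
function Get-GroupReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group
    )
    process {
        $category = [string]$Group.GroupCategory
        $scope    = [string]$Group.GroupScope

        # Membership and permission reach per scope, as in the summary table.
        $reach = switch ($scope) {
            'DomainLocal' { @{ Members = 'forest';  Permissions = 'domain' } }
            'Global'      { @{ Members = 'domain';  Permissions = 'forest' } }
            'Universal'   { @{ Members = 'forest';  Permissions = 'forest' } }
            default       { @{ Members = 'unknown'; Permissions = 'unknown' } }
        }

        # Distribution groups are not security-enabled, so scope grants them nothing.
        $grantable = if ($category -eq 'Security') { $reach.Permissions }
                     else { 'nothing (not security-enabled)' }

        $finding = 'OK'
        if ($category -eq 'Security' -and $Group.mail) {
            $finding = 'Mail-enabled security group: use a separate distribution group'
        }

        [pscustomobject]@{
            Name           = $Group.Name
            Type           = $category
            Scope          = $scope
            MembersFrom    = $reach.Members
            CanBeGrantedOn = $grantable
            Finding        = $finding
        }
    }
}

# Constructed sample groups so the function runs without a domain.
$sample = @(
    [pscustomobject]@{ Name = 'HR-Readers';    GroupCategory = 'Security';     GroupScope = 'DomainLocal'; mail = $null }
    [pscustomobject]@{ Name = 'All-Staff';     GroupCategory = 'Distribution'; GroupScope = 'Universal';   mail = 'all-staff@example.test' }
    [pscustomobject]@{ Name = 'Finance-Users'; GroupCategory = 'Security';     GroupScope = 'Global';      mail = 'finance@example.test' }
)
$sample | Get-GroupReview | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory module):
# Get-ADGroup -Filter * -Properties mail | Get-GroupReview
```

In the sample, only Finance-Users is flagged, because it is a security group with a mail address set.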

1 comment:

  1. I am thankful for this blog to gave me much knowledge regarding my area of work. I also want to make some addition on this platform which must be in knowledge of people who really in need. Thanks. Logistics and Freight Forwarding Software