AD Groups are an internal part of Active Directory, provided to ease the management of resources like User Accounts, Computer Accounts and other Service Accounts. AD Groups can be created to group together different resources so that permissions can be granted without much hassle.
Providing access on a share or computer to each user in a list individually would be a troublesome and lengthy process. Managing them through groups is much simpler and easier to document.
Security vs Distribution Groups
A) Security Groups
Security Groups are used to group together various AD Objects such as Service Accounts, User Accounts and Computer Accounts in order to provide appropriate permissions on various Resources. These Groups help to segregate the level of access provided. As the name suggests, these groups are primarily for security purposes.
B) Distribution Groups
Distribution Groups are created basically for Exchange related activities. They let us add various user accounts and sync them with Exchange \ Office365 components so that emails can be sent to or received by a set of users.
>> The following is a segregation of a subset of Security Groups based on their level of scope
Local vs Domain Local vs Global vs Universal
A) Local Groups
Local Groups are created on a local computer and their scope is limited to that single computer. They can be created on any Windows machine and are not associated with Active Directory. However, these groups can contain AD Users, AD Computers and even Local Users and Administrators.
Local Groups can contain Local Users, Domain Users, Computers, Domain Local Groups, Global Groups and Universal Groups as members.
B) Domain Local Groups
These groups are created at Domain Level and their scope is limited to the Domain.
They may contain Users, Computers, Domain Local Groups, Global Groups and Universal Groups.
C) Global Groups
Global Groups are created at Domain Level but have Forest level scope, and are useful for extending their purview to other domains in the forest.
These Groups can have Users, Computers and Other Global Groups from the same Domain as members.
D) Universal Groups
Universal Groups are also created at Domain Level and have Forest level scope. That means these Groups can access resources from other Domains in the Forest.
The difference between Global and Universal Groups is that Universal Groups can also have members like Users, Computers and other Universal Groups from multiple Domains in the forest.
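To see how the categories and scopes described above are actually used in a domain, the following added example (not part of the original post) inventories every AD group with its category, scope and the kinds of members it holds. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; Local Groups are not covered because they live on each computer rather than in Active Directory.

```powershell
# Added example: inventory AD groups by category (Security/Distribution)
# and scope (DomainLocal/Global/Universal), with a breakdown of member types.
Import-Module ActiveDirectory

$report = foreach ($group in Get-ADGroup -Filter * -Properties member) {
    $users = 0; $computers = 0; $other = 0
    $nested = @()   # nested groups, recorded together with their own scope

    foreach ($dn in $group.member) {
        try {
            $obj = Get-ADObject -Identity $dn -ErrorAction Stop
        } catch {
            # Member could not be resolved here (for example, it lives in another domain)
            $other++
            continue
        }
        switch ($obj.ObjectClass) {
            'user'     { $users++ }
            'computer' { $computers++ }
            'group'    {
                $g = Get-ADGroup -Identity $dn
                $nested += "$($g.Name) [$($g.GroupScope)]"
            }
            default    { $other++ }   # service accounts, foreign principals, contacts
        }
    }

    [pscustomobject]@{
        Name         = $group.Name
        Category     = $group.GroupCategory
        Scope        = $group.GroupScope
        Users        = $users
        Computers    = $computers
        Other        = $other
        NestedGroups = $nested -join '; '
    }
}

# Group the output the same way the article does: by category, then by scope
$report | Sort-Object Category, Scope, Name | Format-Table -AutoSize
```

Reviewing the NestedGroups column is a quick way to document which groups inherit access through other groups.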

 