Group Types
Two types of groups can be created in Active Directory: security groups
and distribution groups. Each group type is used for a different purpose.
A security group is created for security purposes, while a distribution
group is created for purposes other than security. Security groups are
typically created to assign permissions, while distribution groups are
usually created to distribute bulk e-mail to users. The main difference
between the two is therefore the manner in which each group type is used.
Active Directory allows users to convert a security group into a
distribution group, and a distribution group into a security group, if
the domain functional level is raised to Windows 2000 Native or above.
- Security groups: A security group is a collection of users who have
the same permissions to resources and the same rights to perform certain
system tasks. These are the groups to which permissions are assigned so
that their members can access resources. Security groups therefore remove
the need for an Administrator to assign permissions to users
individually. Users who need to perform certain tasks can be placed in a
security group, which is then assigned the permissions necessary to
perform those tasks. Each user who is a member of the group has the same
permissions. In addition, each group member receives any e-mail sent to
the security group. When a security group is first created, it receives a
SID (security identifier). It is this SID that enables permissions to be
assigned to security groups; the SID can be included in a resource's
DACL (discretionary access control list). An access token is created
when a user logs on to the system. The access token contains the user's
SID and the SIDs of the groups of which the user is a member. This access
token is referenced when the user attempts to access a resource: it is
compared with the resource's DACL to determine which permissions the
user should receive for the resource.
- Distribution groups: Distribution groups are created to share
information with a group of users through e-mail messages. Thus, a
distribution group is not created for security purposes. A distribution
group does not obtain an SID when it is created. Distribution groups
enable the same message to be sent simultaneously to all of their
members, so messages do not need to be sent to each user individually.
Applications such as Microsoft Exchange that work with Active Directory
can use distribution groups to send bulk e-mail to groups of users.
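
The token-to-DACL comparison described under security groups, as an added example that is not part of the original article: a simplified Python model in which all SIDs, group names and access-mask bits are constructed. It assumes the standard groupType security-enabled flag (0x80000000) and in-order ACE evaluation, and follows the article in giving the distribution group no SID.

```python
"""Simplified model of the token-versus-DACL check (constructed data)."""
SECURITY_ENABLED = 0x80000000    # groupType bit that marks a security group
READ, WRITE = 0x1, 0x2           # hypothetical access-mask bits
DOM = "S-1-5-21-1111-2222-3333"  # constructed domain SID prefix

# Constructed groups: name -> (groupType as AD stores it, SID or None).
GROUPS = {
    "Finance-RW":   (-2147483646, DOM + "-1105"),  # global security group
    "Contractors":  (-2147483646, DOM + "-1106"),  # global security group
    "Finance-News": (2, None),                     # global distribution group
}

def is_security_group(group_type):
    # groupType is a signed 32-bit integer, so mask before testing the bit.
    return bool((group_type & 0xFFFFFFFF) & SECURITY_ENABLED)

def build_token(user_sid, memberships):
    """Token = the user's SID plus the SIDs of the user's security groups."""
    sids = {user_sid}
    for name in memberships:
        group_type, sid = GROUPS[name]
        if is_security_group(group_type):
            sids.add(sid)
    return sids

def access_check(token, dacl, desired):
    """Walk ACEs in order: a matching deny stops the check, allows accumulate."""
    if dacl is None:                 # no DACL present: access is unrestricted
        return True
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in token:         # ACE is for a SID the token does not hold
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
            if remaining == 0:       # every requested right has been granted
                return True
    return False                     # end of list or empty DACL: implicit deny

# Constructed DACL in the usual order: deny ACEs ahead of allow ACEs.
DACL = [
    ("deny",  DOM + "-1106", WRITE),
    ("allow", DOM + "-1105", READ | WRITE),
]
ALICE = build_token(DOM + "-2001", ["Finance-RW", "Finance-News"])
BOB = build_token(DOM + "-2002", ["Finance-RW", "Contractors"])
CAROL = build_token(DOM + "-2003", ["Finance-News"])
```

CAROL belongs only to the distribution group, so her token holds nothing but her own SID and no ACE in the DACL applies to her.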