Group Type and Scope
In Active Directory, there are two types of groups:
- Security--Listed in Access Control Lists (ACLs), which define permissions for resources and objects.
- Distribution--Used to group objects, such as users and groups. Distribution groups cannot be used to grant privileges in Active Directory.
Each type of group has a scope that determines the following:
- Member location--Where potential members can reside
- Permissions--Where the group can be used for access privileges (if the group is a security group)
- Group Membership in Other Groups--The location of groups to which the group can belong
Each type of group can have one of the following scopes:
Scope | Member Location | Permissions | Group Membership in Other Groups |
Universal | Group members can be Universal groups, Global groups, and users from any domain in the forest. | Can be used to grant access in any domain in a forest. | Can be members of Domain Local and Universal groups in any domain in the forest. |
Global | Group members can be Global groups and users located in the same domain as the group. | Can be used to grant access in any domain in a forest. | Can be members of Global, Domain Local, and Universal groups in any domain in the forest. |
Domain Local | Group members can be Universal groups, Global groups, and users from any domain in the forest. Members can also be Domain Local groups from the same domain. | Can only be used to grant access to the domain where the group resides. | Can only be a member of other Domain Local groups within the domain. |
Group type and scope are not required attributes; however, if you do not specify group type and scope, Active Directory creates a security group with global scope.
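The type and scope rules above, as an added example that is not part of the original documentation or the product's code: it decodes the Active Directory `groupType` attribute (not named on this page; the bit values are the documented AD flags) and checks a proposed membership or access grant against the table. The function names and sample domains are hypothetical, and all domains are assumed to belong to one forest.

```python
# Added example, not product code. groupType flag values are the documented AD constants.
GLOBAL, DOMAIN_LOCAL, UNIVERSAL = 0x2, 0x4, 0x8  # scope bits
SECURITY_ENABLED = 0x80000000                    # set on security groups only
SCOPES = {GLOBAL: "Global", DOMAIN_LOCAL: "Domain Local", UNIVERSAL: "Universal"}


def decode_group_type(value):
    """Return (type, scope) for a groupType value; LDAP returns it as signed 32-bit."""
    bits = value & 0xFFFFFFFF
    kind = "Security" if bits & SECURITY_ENABLED else "Distribution"
    scopes = [name for bit, name in SCOPES.items() if bits & bit]
    if len(scopes) != 1:
        raise ValueError(f"groupType {value} must carry exactly one scope bit")
    return kind, scopes[0]


def can_contain(group_scope, group_domain, member_kind, member_domain):
    """Member Location column. member_kind is "User" or a nested group's scope."""
    same_domain = group_domain.lower() == member_domain.lower()
    if group_scope == "Universal":
        return member_kind in ("User", "Global", "Universal")
    if group_scope == "Global":
        return same_domain and member_kind in ("User", "Global")
    if group_scope == "Domain Local":
        return same_domain if member_kind == "Domain Local" else member_kind in (
            "User", "Global", "Universal")
    raise ValueError(f"unknown scope {group_scope!r}")


def can_grant_access(group_type_value, group_domain, resource_domain):
    """Type and Permissions columns: can this group appear in a working ACL entry?"""
    kind, scope = decode_group_type(group_type_value)
    if kind == "Distribution":
        return False  # distribution groups cannot grant privileges
    if scope == "Domain Local":
        return group_domain.lower() == resource_domain.lower()
    return True  # Global and Universal: any domain in the forest


if __name__ == "__main__":
    # Constructed sample values; both domains are assumed to share one forest.
    print(decode_group_type(-2147483646))  # the default: security group, global scope
    print(can_contain("Global", "corp.example", "User", "emea.corp.example"))
    print(can_grant_access(-2147483644, "corp.example", "emea.corp.example"))
```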
To create groups of a different type, you can create a custom logical attribute handler. See the chapter on Logical Attributes in the Programming Guide for Java.
Once you have configured these Active Directory features, proceed to the next step: Create an Admin Task.