Group Type and Scope

In Active Directory, there are two types of groups:
  • Security--Listed in Access Control Lists (ACLs), which define permissions for resources and objects.
  • Distribution--Used to group objects, such as users and groups. Distribution groups cannot be used to grant privileges in Active Directory.
Each type of group has a scope that determines the following:
  • Member location--Where potential members can reside
  • Permissions--Where the group can be used for access privileges (if the group is a security group)
  • Group Membership in Other Groups--The location of groups to which the group can belong
Each type of group can have one of the following scopes:
| Scope | Member Location | Permissions | Group Membership in Other Groups |
|---|---|---|---|
| Universal | Group members can be Universal groups, Global groups, and users from any domain in the forest. | Can be used to grant access in any domain in a forest. | Can be members of Domain Local and Universal groups in any domain in the forest. |
| Global | Group members can be Global groups and users located in the same domain as the group. | Can be used to grant access in any domain in a forest. | Can be members of Global, Domain Local, and Universal groups in any domain in the forest. |
| Domain Local | Group members can be Universal groups, Global groups, and users from any domain in the forest. Members can also be Domain Local groups from the same domain. | Can only be used to grant access to the domain where the group resides. | Can only be a member of other Domain Local groups within the domain. |
Group type and scope are not required attributes; however, if you do not specify group type and scope, Active Directory creates a security group with global scope.
To create groups of a different type, you can create a custom logical attribute handler. See the chapter on Logical Attributes in the Programming Guide for Java.
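When reviewing groups that already exist in the directory, type and scope are stored together in the groupType attribute. The following is an added example, not code from this guide or the product: it decodes that attribute and checks a proposed nesting against the Member Location column of the table above. The bit values are those defined by Microsoft's Active Directory schema and do not appear on this page; the function names and the sample records are hypothetical.

```python
# Added example. groupType bit values come from Microsoft's AD schema, not this page.
SECURITY_ENABLED = 0x80000000
SCOPE_BITS = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}

# Member Location column of the table above:
# container scope -> {member scope: True if the member must be in the same domain}
MEMBER_RULES = {
    "Universal": {"Universal": False, "Global": False},
    "Global": {"Global": True},
    "Domain Local": {"Universal": False, "Global": False, "Domain Local": True},
}


def decode_group_type(raw):
    """Return (type, scope) for a groupType value read over LDAP."""
    # LDAP returns a signed 32-bit integer, so a security group is negative.
    value = int(raw) & 0xFFFFFFFF
    scopes = [name for bit, name in SCOPE_BITS.items() if value & bit]
    if len(scopes) != 1:
        raise ValueError(f"groupType {raw!r} does not set exactly one scope bit")
    kind = "Security" if value & SECURITY_ENABLED else "Distribution"
    return kind, scopes[0]


def nesting_allowed(container_raw, member_raw, same_domain):
    """True if a group may be added as a member of the container group."""
    container = decode_group_type(container_raw)[1]
    member = decode_group_type(member_raw)[1]
    rule = MEMBER_RULES[container]
    return member in rule and (same_domain or not rule[member])


def review(nestings):
    """Return the labels of proposed nestings that the scope rules reject."""
    return [name for name, cont, memb, same in nestings
            if not nesting_allowed(cont, memb, same)]


# Constructed sample: (label, container groupType, member groupType, same domain?)
SAMPLE = [
    ("DL-Files <- U-Staff", -2147483644, -2147483640, False),
    ("G-Sales <- G-Partners (other domain)", -2147483646, -2147483646, False),
    ("U-Staff <- DL-Files", -2147483640, -2147483644, True),
]

if __name__ == "__main__":
    print(decode_group_type(-2147483646))  # the default: security group, global scope
    print(review(SAMPLE))
```

Distribution groups decode with the same scope bits but without the security flag, so a value of 2, 4 or 8 identifies a group that cannot be used to grant privileges.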
Once you have configured these Active Directory features, proceed to the next step: Create an Admin Task.