Windows Server 2003 - Groups
©2004 Team Approach Limited
All rights reserved


Most computer administration systems have the concept of a group of users. Security is simplified if you can specify security for a group rather than repeatedly specifying security definitions for each member of the group. In most cases computer security groups correspond to departments and divisions within your organization. Security permissions should always be assigned to groups rather than individuals. This provides flexibility when an individual changes responsibilities and the security must change. If only one user needs a certain kind of security setting, set up a one-user group for this job function. If the user changes job functions, you simply remove the user from the group and add the user who will take over the responsibility.

Local Groups

Windows includes a number of built-in local groups which have assigned rights to perform administrative tasks. Users can obtain these rights by becoming members of the groups. On member servers and workstations, local groups are managed with the Computer Management console. These local groups only have rights on the one computer. Built-in domain local groups on domain controllers are replicated to all domain controllers in the domain and have rights on all domain controllers. Domain groups are managed with the Active Directory Users and Computers console.

Distribution Groups

Distribution groups are not used by the Windows security system. They are intended for applications such as e-mail programs to establish distribution lists.

Active Directory Groups

Active Directory allows group nesting, i.e. groups can be members of groups. Ideally Active Directory would have only one type of group. For efficiency reasons, there are 3 types of groups, which differ in membership and in where they can be used.

| Group | Scope | Membership |
| Domain local | Own domain | All users in group with scope in the domain |
| Global | All domains | Users and global groups from the domain |
| Universal | All domains | Users, global and universal groups from any domain |
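
The nesting and group-based permission assignment described above, worked through as an added example that is not part of the original page: it expands nested membership into the full set of groups a user belongs to, then hands a job function to another user by changing group membership only. All group, user and share names are constructed assumptions.

```python
from collections import deque

# Constructed sample data; every group, user and share name is hypothetical.
MEMBERS = {  # group -> direct members (users or other groups)
    "Payroll-Clerks": {"alice", "bob"},
    "Payroll-Manager": {"carol"},  # one-user group for a single job function
    "Payroll-Modify": {"Payroll-Clerks", "Payroll-Manager"},  # nested groups
    "Payroll-Full": {"Payroll-Manager"},
    "Finance-All": {"Payroll-Modify", "Finance-Loop"},
    "Finance-Loop": {"Finance-All"},  # circular nesting, to exercise the guard
}
ACL = {  # resource -> {group: permission}; no user is named in any entry
    r"\\fs1\payroll": {"Payroll-Modify": "Modify", "Payroll-Full": "Full Control"},
}

def effective_groups(user, members):
    """Return every group the user is in, directly or through nesting."""
    parents = {}
    for group, direct in members.items():
        for member in direct:
            parents.setdefault(member, set()).add(group)
    seen, queue = set(), deque([user])
    while queue:
        for group in parents.get(queue.popleft(), ()):
            if group not in seen:  # visit each group once, so loops terminate
                seen.add(group)
                queue.append(group)
    return seen

def effective_access(user, resource, members, acl=ACL):
    """Permissions the user holds on a resource via group membership only."""
    groups = effective_groups(user, members)
    return {perm for group, perm in acl[resource].items() if group in groups}

def hand_over(members, group, leaver, successor):
    """Move a job function to another user; the ACL itself is not touched."""
    updated = {g: set(m) for g, m in members.items()}
    updated[group].discard(leaver)
    updated[group].add(successor)
    return updated

if __name__ == "__main__":
    after = hand_over(MEMBERS, "Payroll-Manager", "carol", "dave")
    for user in ("alice", "carol", "dave"):
        print(user, sorted(effective_access(user, r"\\fs1\payroll", after)))
```

Because the access entries name only groups, the hand-over changes one membership set and leaves every resource's permissions as they were.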

Keyboard Exercise

Use Active Directory Users and Computers to create one of each of the three types of groups: domain local, global, and universal.