Active Directory Group Accounts are used to organize and manage user accounts, and to provide permissions and access to resources in an Active Directory environment. There are two types of groups in Active Directory: Security Groups and Distribution Groups.
Security Groups are used to assign permissions and access to resources in Active Directory. When a user is added to a Security Group, they inherit the permissions and access assigned to that group. Security Groups can be used to manage access to files and folders, printers, and other resources. Security Groups can also be nested within other Security Groups to simplify administration.
Distribution Groups are used to send email messages to multiple recipients. Unlike Security Groups, Distribution Groups are not used to assign permissions or access to resources. Distribution Groups can be used to send email messages to groups of users, such as all employees or all managers, and can be used to manage mailing lists.
Here are some examples of Security Group functions in Active Directory:
- Resource Access: Security Groups can be used to assign permissions and access to resources, such as files and folders, printers, and other resources.
- Group Policy: Security Groups can be used to apply Group Policy settings to specific sets of users or computers.
- Delegation: Security Groups can be delegated administrative tasks, such as managing user accounts or resetting passwords, based on their permissions and group memberships.
- Authorization: Security Groups can be used to determine who has access to specific resources or who is authorized to perform certain actions.
- Auditing: Security Groups can be used to audit access to resources or actions performed in Active Directory.
Here are some examples of Distribution Group functions in Active Directory:
- Email Distribution: Distribution Groups can be used to send email messages to multiple recipients.
- Mailing Lists: Distribution Groups can be used to manage mailing lists and simplify communication within an organization.
- Collaboration: Distribution Groups can be used to facilitate collaboration and communication between groups of users.
- Notification: Distribution Groups can be used to send automated notifications or alerts to groups of users.
To create a new group account in Active Directory, you can use the Active Directory Users and Computers console, or you can use PowerShell commands such as New-ADGroup. Here is an example PowerShell command that creates a new Security Group:
```powershell
New-ADGroup -Name "Finance Group" -GroupScope Global -GroupCategory Security -Path "OU=Groups,DC=contoso,DC=com"
```
This command creates a new Security Group called “Finance Group” with a Global group scope and Security group category. The group is created in the “OU=Groups,DC=contoso,DC=com” organizational unit.
Active Directory Builtin Groups are predefined Security Groups that are created during the installation of Active Directory Domain Services. These groups are used to assign permissions and access to resources in an Active Directory environment, and they provide a way to simplify administration by grouping related permissions and access.
Here is a list of the built-in groups in Active Directory:
- Domain Admins: Members of this group have full control over the entire domain, including all domain controllers.
- Enterprise Admins: Members of this group have full control over all domains in the forest.
- Schema Admins: Members of this group have full control over the Active Directory schema.
- Administrators: Members of this group have administrative privileges on all domain controllers in the domain.
- Account Operators: Members of this group can create, modify, and delete accounts for users, groups, and computers in the domain.
- Backup Operators: Members of this group can back up and restore files and directories on domain controllers.
- Print Operators: Members of this group can manage printers and printer queues on domain controllers.
- Server Operators: Members of this group can manage the computers and resources to which they are assigned.
- Users: Members of this group include all user accounts in the domain.
- Guests: Members of this group include all guest accounts in the domain.
To use these groups, you can assign them to resources such as files and folders, printers, or other network resources. You can also use them to delegate administrative tasks or assign permissions to users or groups.
For example, you can add a user to the Domain Admins group to give them full control over the domain. You can also use the Backup Operators group to grant a user permissions to perform backups of domain controllers. Additionally, you can use the Account Operators group to delegate the ability to create, modify, or delete user accounts to a group of users.
When using built-in groups, it is important to be mindful of the permissions and access that they provide. Because these groups have predefined permissions and access, assigning a user to a built-in group can give them broad administrative access that should be carefully managed and audited.
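One way to audit this, as an added example that is not part of the original article: the script lists who holds each privileged built-in group named above, separating direct members from accounts that arrive through nested groups. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it can read the directory.

```powershell
# Added example: report direct vs. nested membership of privileged built-in groups.
Import-Module ActiveDirectory

# Group names taken from the list above; Users and Guests are left out
# because they do not grant administrative rights.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators'
)

$report = foreach ($name in $privilegedGroups) {
    try {
        $group     = Get-ADGroup -Identity $name -ErrorAction Stop
        # Direct members may be users, computers or other groups.
        $direct    = @(Get-ADGroupMember -Identity $group -ErrorAction Stop)
        # -Recursive flattens nesting and returns only non-group members.
        $effective = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop)
    } catch {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        Write-Warning "Skipping '$name': $($_.Exception.Message)"
        continue
    }

    $directDns = $direct.distinguishedName

    # Every account that effectively holds the group's rights.
    foreach ($member in $effective) {
        [pscustomobject]@{
            Group       = $name
            Member      = $member.SamAccountName
            ObjectClass = $member.objectClass
            Source      = if ($directDns -contains $member.distinguishedName) { 'Direct' } else { 'Nested' }
        }
    }

    # Groups nested directly inside the privileged group: anyone who can
    # change their membership can indirectly grant the privileged rights.
    foreach ($nested in ($direct | Where-Object { $_.objectClass -eq 'group' })) {
        [pscustomobject]@{
            Group       = $name
            Member      = $nested.SamAccountName
            ObjectClass = 'group'
            Source      = 'NestedGroup'
        }
    }
}

$report | Sort-Object Group, Source, Member | Format-Table -AutoSize
```

Saving `$report` with `Export-Csv` on a schedule and comparing it with the previous run shows when an account was added to or removed from one of these groups.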
