Overview[1]#

Used with care, Security Groups provide an efficient way to assign access to resources on your network. Using Security Groups, you can: Assign user rights to security groups in Microsoft Active Directory

Group in Microsoft Active Directory are either Security Group or Distribution Group.

Like Distribution Group, Security Groups can also be used as an e-mail entity. Sending an e-mail message to the group sends the message to all the members of the group.

User rights are assigned to security groups to determine what members of that group can do within the scope of a domain (or forest). User rights are automatically assigned to some security groups at the time Active Directory is installed to help administrators define a person's administrative role in the domain. For example, a user who is added to the Backup Operators group in Active Directory has the ability to backup and restore files and directories located on each domain controller in the domain.

This is possible because by default, the user rights Back up files and directories and Restore files and directories are automatically assigned to the Backup Operators group. Therefore, members of this group inherit the user rights assigned to that group. For more information about user rights, see User rights. For more information about the user rights assigned to security groups, see Default groups.

You can assign user rights to security groups, using Group Policy, to help delegate specific tasks. You should always use discretion when assigning delegated tasks because an untrained user assigned too many rights on a security group can potentially cause significant harm to your network. For more information, see Delegating administration. For more information about assigning user rights to groups, see Assign user rights to a group in Active Directory.

Assign permissions to security groups on resources #

Permissions should not be confused with user rights. Permissions are assigned to the Security Group on the shared resource. Permissions determine who can access the resource and the level of access, such as Full Control. Some permissions set on domain objects are automatically assigned to allow various levels of access to default Security Groups such as the Account Operators group or the Domain Admins group. For more information about permissions, see Access control in Active Directory.

Security Groups are listed in DACLs that define permissions on resources and objects. When assigning permissions for resources (file shares, printers, and so on), administrators should assign those permissions to a Security Group rather than to individual users. The permissions are assigned once to the group, instead of several times to each individual user. Each account added to a group receives the rights assigned to that group in Active Directory and the permissions defined for that group at the resource.

Sending Email to a Security Group#

Like Distribution Groups, Security Groups can also be used as an e-mail entity. Sending an e-mail message to a Security Group (or Distribution Group) sends the message to all the members of the group.

Converting between security and distribution groups#

A group can be converted from a security group to a distribution group, and vice versa, at any time, but only if the domain functional level is set to Windows 2000 native or higher. No groups can be converted while the domain functional level is set to Windows 2000 mixed.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-9) was last changed on 10-Jun-2016 13:27 by jim