Active Directory Groups


Microsoft Active Directory has several different classifications of groups, determined by the GroupType attribute.

Generally there are either

Each of these can be further classified as one of the following:

Primary Group#

Primary Group is not a group, at least not in the traditional sense, but a "default" attribute value that is assigned to every "normal" Microsoft Active Directory user when the user is created.

Domain User#

Domain Users is a server-side group membership determined by PrimaryGroupID=513 (513 being the relative identifier of a Well-known Security Identifier).


The member attribute on an Active Directory group holds the FDNs of the users (or nested groups) that are members of the group; it is referred to as a Forward Reference.
member is not populated for the Primary Group or for Domain Users.


The memberOf attribute on the user (or on a group, in the case of Nested Groups) holds the FDNs of the groups the entry is a member of; it is referred to as a Virtual Attribute (a back-link computed from member).
memberOf is not populated for the Primary Group or for Domain Users.

Beware of memberOf

Nested Groups#

Microsoft Active Directory supports Nested Groups (i.e. a group can be a member of another group).

Sending Email to a Active Directory Groups#

You can use Security Groups for sending email. Like Distribution Groups, Security Groups can also be used as an e-mail entity. Sending an e-mail message to a Security Group or a Distribution Group sends the message to all the members of the group.

Memberships Of Groups#

| Group Type | Membership (may contain) | MemberOf (may be a member of) | Groups in Global Catalog | Members in Global Catalog |
|---|---|---|---|---|
| Domain Local Group | User entries from any Domain; Universal Groups from any Domain; Global Groups from any Domain; Domain Local Groups from the same Domain | Domain Local Groups from the same Domain | YES | NO |
| Global Group | Users from the same Domain; Global Groups from the same Domain | Universal Groups from any Domain; Domain Local Groups from any Domain; Global Groups from the same Domain | | |
| Universal Group | Users from any Domain; Universal Groups from any Domain; Global Groups from any Domain | Domain Local Groups from any Domain; Universal Groups from any Domain | | |

Active Directory Groups tokenGroups#

tokenGroups often comes up in Active Directory Groups discussions. It is a Virtual Attribute: a computed attribute that contains the list of SIDs resulting from the expansion of the entry's group memberships, including Nested Groups.
tokenGroups cannot be retrieved if no Global Catalog is available to resolve the transitive reverse group memberships.

Active Directory Groups and Global Catalog#

The GroupType of an Active Directory Group determines how the group and its members are listed in the Global Catalog.

Microsoft says this reduces the size of the Global Catalog and the replication traffic associated with keeping the Global Catalog up to date. You can improve network performance by using groups with global or domain local scope for directory objects that will change frequently.

Active Directory Groups LDAP SearchRequest#

Obtaining Active Directory Groups from an LDAP SearchRequest is a complex process which depends on several parameters:

Ldapwiki has put a few ideas that should help:
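As an added illustration (not LdapWiki's own code, and it never contacts a domain controller), the following Python models the points made above about member/memberOf, Nested Groups, tokenGroups and the LDAP SearchRequest on a small constructed in-memory directory. It shows why reading memberOf alone under-reports a user's groups: the primary group is only reachable through its SID (domain SID plus primaryGroupID), and nested groups only through a transitive expansion of the kind tokenGroups performs. The domain SID, the DNs and the RIDs 1105, 1106 and 1201 are constructed sample values; 513 is the Domain Users RID from the page; 1.2.840.113556.1.4.1941 is Microsoft's real LDAP_MATCHING_RULE_IN_CHAIN OID, used here to build the transitive-membership filter a SearchRequest would carry.

```python
"""Added example: effective AD group membership from constructed directory data
(not LdapWiki's code; nothing here talks to a real domain controller)."""
from collections import deque

# Constructed sample domain SID; 513 is the well-known Domain Users RID.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS_RID = 513
# Microsoft's LDAP_MATCHING_RULE_IN_CHAIN extensible-match rule (real OID).
IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed in-memory directory keyed by DN; only the attributes discussed above.
DIRECTORY = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-{DOMAIN_USERS_RID}",
        "member": [],  # primary-group membership is never written to member
    },
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-1105",
        "member": ["CN=Alice,OU=Staff,DC=example,DC=com"],
    },
    "CN=IT,OU=Groups,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-1106",
        "member": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"],  # nested group
    },
    "CN=Alice,OU=Staff,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-1201",
        "primaryGroupID": DOMAIN_USERS_RID,
        # memberOf is the back-link of member: direct memberships only, so
        # neither Domain Users (primary group) nor IT (nested) appear here.
        "memberOf": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"],
    },
}


def primary_group_dn(user_dn):
    """The primary group is located by SID (domain SID + primaryGroupID),
    not through member/memberOf."""
    rid = DIRECTORY[user_dn]["primaryGroupID"]
    wanted = f"{DOMAIN_SID}-{rid}"
    for dn, entry in DIRECTORY.items():
        if entry.get("objectSid") == wanted and "member" in entry:
            return dn
    raise LookupError(f"no group with SID {wanted}")


def direct_group_dns(user_dn):
    """What a naive read of memberOf yields: direct memberships only."""
    return list(DIRECTORY[user_dn].get("memberOf", []))


def effective_group_sids(user_dn):
    """Transitive expansion of group membership, as tokenGroups computes it:
    start from the primary group plus memberOf, then follow member links upward."""
    seen = set()
    queue = deque([primary_group_dn(user_dn), *direct_group_dns(user_dn)])
    while queue:
        group_dn = queue.popleft()
        if group_dn in seen:
            continue
        seen.add(group_dn)
        # Reverse lookup: every group that lists this group in its member attribute.
        for dn, entry in DIRECTORY.items():
            if group_dn in entry.get("member", []):
                queue.append(dn)
    return sorted(DIRECTORY[dn]["objectSid"] for dn in seen)


def ldap_filter_escape(value):
    """RFC 4515 escaping so a DN taken from input cannot alter the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29")
                 .replace("\x00", "\\00"))


def nested_membership_filter(user_dn):
    """SearchRequest filter that makes the server walk the member chain and
    return every group that transitively contains the user. Like memberOf,
    it still does not return the primary group."""
    return f"(member:{IN_CHAIN}:={ldap_filter_escape(user_dn)})"


if __name__ == "__main__":
    alice = "CN=Alice,OU=Staff,DC=example,DC=com"
    print("memberOf :", direct_group_dns(alice))
    print("primary  :", primary_group_dn(alice))
    print("effective:", effective_group_sids(alice))
    print("filter   :", nested_membership_filter(alice))
```

For Alice, memberOf lists only Helpdesk, while the effective set is Domain Users, Helpdesk and IT; an access decision made from memberOf alone would therefore miss two of her three groups. The matching-rule filter closes the nesting gap on the server side, but the primary group must still be added from primaryGroupID.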
