Overview#
Microsoft Active Directory has several different Classifications of groups determined by the GroupType. Generally there are either
Each of these can be further classified as one of the following:
Primary Group#
Primary Group is not a Group, at least in the traditional sense; it is only a "default" Attribute Value that is assigned to every "normal" Microsoft Active Directory User when created.
Domain User#
Domain Users is a Server-side group determined by the PrimaryGroupID=513 (a Well-known Security Identifier).
member#
The member Attribute on Active Directory Groups holds the FDN of each user (or nested group) that is a member of the group and is referred to as a Forward Reference.
memberOf#
The memberOf Attribute on the user (or on a group, in the case of Nested Groups) holds the FDN of each Group the user is a member of and is referred to as a Virtual Attribute.
Beware of memberOf
Nested Groups#
Microsoft Active Directory supports Nested Groups (i.e. a group can be a member of another group).
Sending Email to Active Directory Groups#
You can use Security Groups for sending email. Like Distribution Groups, Security Groups can also be used as an e-mail entity. Sending an e-mail message to a Security Group or Distribution Group sends the message to all the members of the group.
Memberships Of Groups#
Group Type | Membership | MemberOf | Groups in Global Catalog | Members in Global Catalog |
---|---|---|---|---|
Domain Local Group | User entries from any Domain; Universal Groups from any Domain; Global Groups from any Domain; Domain Local Groups from same Domain | Domain Local Groups from same Domain | YES | NO |
Global Group | Users from same Domain; Global Groups from same Domain | Universal Groups from any Domain; Domain Local Groups from any Domain; Global Groups from same Domain | YES | NO |
Universal Group | Users from any Domain; Universal Groups from any Domain; Global Groups from any Domain | Domain Local Groups from any Domain; Universal Groups from any Domain | YES | YES |
Active Directory Groups tokenGroups#
tokenGroups often comes up in Active Directory Groups discussions. It is a Virtual Attribute: a computed attribute that contains the list of SIDs from the group membership expansion, including Nested Groups.
tokenGroups cannot be retrieved if no Global Catalog is present to retrieve the transitive reverse group memberships.
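The kind of transitive expansion described above, worked through client-side as an added example (not LDAPWiki's or Microsoft's code): it follows member forward references upward through Nested Groups, adds the group resolved from primaryGroupID, and tolerates circular nesting. The DNs, SIDs and group names are constructed; the OID 1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule, which is not mentioned on this page.

```python
from collections import deque

DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed domain SID
BASE = "DC=example,DC=com"               # hypothetical naming context
ALICE = f"CN=alice,OU=People,{BASE}"
HELPDESK = f"CN=Helpdesk,OU=Groups,{BASE}"
SRVADM = f"CN=ServerAdmins,OU=Groups,{BASE}"
VPN = f"CN=VPN Users,OU=Groups,{BASE}"
DOMUSERS = f"CN=Domain Users,CN=Users,{BASE}"

# Constructed entries keyed by DN; groups carry the forward-reference `member`.
ENTRIES = {
    ALICE: {"objectSid": f"{DOMAIN_SID}-1105", "primaryGroupID": 513},
    DOMUSERS: {"objectSid": f"{DOMAIN_SID}-513", "member": []},  # primary members are not listed
    HELPDESK: {"objectSid": f"{DOMAIN_SID}-1101", "member": [ALICE, SRVADM]},
    SRVADM: {"objectSid": f"{DOMAIN_SID}-1102", "member": [HELPDESK]},  # circular nesting
    VPN: {"objectSid": f"{DOMAIN_SID}-1103", "member": [DOMUSERS]},
}

def direct_groups(dn, entries):
    """Groups whose `member` lists dn: what memberOf on dn would show."""
    return {g for g, e in entries.items() if dn in e.get("member", [])}

def primary_group(user_dn, entries):
    """Resolve primaryGroupID to a group DN: the user's domain SID + '-' + RID."""
    user = entries[user_dn]
    domain_sid = user["objectSid"].rsplit("-", 1)[0]
    wanted = f"{domain_sid}-{user['primaryGroupID']}"
    return next((g for g, e in entries.items() if e["objectSid"] == wanted), None)

def effective_groups(user_dn, entries):
    """Direct groups, the primary group, and every group those nest into."""
    seen = set()
    queue = deque(direct_groups(user_dn, entries))
    pg = primary_group(user_dn, entries)
    if pg:
        queue.append(pg)
    while queue:
        group = queue.popleft()
        if group in seen:          # already expanded; also breaks circular nesting
            continue
        seen.add(group)
        queue.extend(direct_groups(group, entries))
    return seen

def in_chain_filter(user_dn):
    """Server-side equivalent of the walk: in-chain filter, value escaped per RFC 4515."""
    esc = "".join(f"\\{ord(c):02x}" if c in '\\*()\0' else c for c in user_dn)
    return f"(member:1.2.840.113556.1.4.1941:={esc})"
```

The in-chain filter follows member values only, so a search using it still has to resolve the primary group from primaryGroupID separately.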
Active Directory Groups and Global Catalog#
The GroupType of the Active Directory Group determines how the group and its Members are listed in the Global Catalog:
- Universal Groups, and their members, are listed exclusively in the Global Catalog.
- Global Groups are also listed in the Global Catalog, but their members are NOT. [2]
- Domain Local Groups are also listed in the Global Catalog, but their members are NOT. [2]
Microsoft says this reduces the size of the Global Catalog and the replication traffic associated with keeping the Global Catalog up to date. You can improve network performance by using groups with global or domain local scope for directory objects that will change frequently.
Active Directory Groups LDAP SearchRequest#
Obtaining Active Directory Groups from an LDAP SearchRequest is a complex process which is dependent on several parameters:
- your environment Configuration
- GroupType of the Active Directory Groups?
- The Scope of your Active Directory Groups search:
- include Nested Groups?
LDAPWiki has put a few ideas that should help: