!!! Overview
[Microsoft Active Directory] has several different [Classifications] of groups determined by the [GroupType].

Generally there are either:
* [Security Groups]
* [Distribution Groups]

Each of these can be further classified as one of the following:
* [Domain Local Group]
* [Global Group]
* [Universal Group]

!! [Primary Group|PrimaryGroupID]
__[Primary Group|PrimaryGroupID] is not a [Group]__, at least in the traditional perspective; it is only a "default" [Attribute Value] that is assigned to every "normal" [Microsoft Active Directory] [User] when created.

!! [Domain User]
[Domain Users] is a [Server-side] [group] determined by the [PrimaryGroupID]=513 (a [Well-known Security Identifier]).

!! [member]
The [member] [Attribute] on [{$pagename}] holds the [FDN] of the users (or nested groups) that are members of the group and is referred to as a [Forward Reference].

%%warning
[member] is not populated for [Primary Group|PrimaryGroupID] or [Domain Users]
%%

!! [memberOf]
The [memberOf] Attribute on the user (or on a group, in the case of [Nested Groups]) holds the [FDN] of the [Group] the user is a member of and is referred to as a [Virtual Attribute].

%%warning
[memberOf] is not populated for [Primary Group|PrimaryGroupID] or [Domain Users]
%%

Beware of [memberOf]

!! Nested Groups
[Microsoft Active Directory] supports [Nested Groups] (i.e., a group can be a member of another group).

!! Sending Email to a [{$pagename}]
You can use [Security Groups] for sending email. Like [Distribution Groups], [Security Groups] can also be used as an e-mail entity. Sending an e-mail message to a [Security Groups] or [Distribution Groups] sends the message to all the members of the [group|Active Directory Groups].

!! Memberships Of Groups
%%zebra-table
%%sortable
%%table-filter
||[Group Type]||Membership||[MemberOf]||Groups in [Global Catalog]||Members in [Global Catalog]
|[Domain Local Group]|User entries From any Domain\\[Universal Groups] From any Domain\\[Global Groups] From any Domain\\[Domain Local Group] From Same Domain|[Domain Local Group]s From same Domain|YES|NO
|[Global Group]|Users From Same Domain\\[Global Group] From Same Domain|[Universal Group] From any Domain\\[Domain Local Group] From any Domain\\[Global Group] From Same Domain|YES|NO
|[Universal Group]|User From Any Domain\\[Universal Group] from any domain\\[Global Group] From Any Domain|[Domain Local Group] from any domain\\[Universal Group] From any Domain|YES|YES
/%
/%
/%

!! [{$pagename}] [tokenGroups]
[tokenGroups], which often comes up in [{$pagename}] discussions, is a [Virtual Attribute]: a computed attribute that contains the list of [SIDs] from the group membership expansion, including [Nested Groups].

%%warning
[tokenGroups] __cannot be retrieved if no [Global Catalog]__ is present to retrieve the transitive reverse group memberships.
%%

!! [{$pagename}] and [Global Catalog]
The [GroupType] of the [Active Directory Group] determines how the group and its [Members] are listed in the [Global Catalog]:
* [Universal Group], and their [member]s, are listed exclusively in the [Global Catalog].
* [Global Groups] are also listed in the [Global Catalog], but their [members] are __NOT__. [2]
* [Domain Local Group] are also listed in the [Global Catalog], but their [members] are __NOT__. [2]

[Microsoft] says this reduces the size of the [Global Catalog] and the replication traffic associated with keeping the [Global Catalog] up to date. You can improve network performance by using groups with global or domain local scope for directory objects that will change frequently.

!! [{$pagename}] [LDAP] [SearchRequest]
Obtaining [{$pagename}] from a [LDAP] [SearchRequest] is a complex process that depends on several parameters:
* your environment [Configuration]
* [GroupType] of [{$pagename}]s?
** [Security Group]
** [Distribution Group]
* The Scope of your [{$pagename}] search:
** [Domain Local Group]
** [Global Group]
** [Universal Group]
* include [Nested Groups]?

[{$applicationname}] has put together a few ideas that should help:
* [Active Directory Group Related Searches]
* [Active Directory User Related Searches]

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] [Is-Member-Of-DL Attribute|http://msdn.microsoft.com/en-us/library/ms677099(VS.85).aspx]
* [#2] [Global catalog replication|https://technet.microsoft.com/en-us/library/cc759007(v=ws.10).aspx|target='_blank']
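
Added example (not from the original page and not Microsoft's code): because memberOf omits the Primary Group and lists only direct memberships, an access review that reads memberOf alone under-reports a user's groups. The Python below resolves primaryGroupID to a group, expands Nested Groups with loop protection, and decodes groupType. The entries, the example.com DNs and the domain SID are constructed, and it assumes every relevant entry was already fetched from a single domain.

```python
# Constructed entries (not from a real directory), shaped like LDAP search results.
SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
BASE = "DC=example,DC=com"                          # hypothetical naming context
USERS, READERS = f"CN=Domain Users,CN=Users,{BASE}", f"CN=Intranet Readers,OU=Groups,{BASE}"
HELPDESK, NEWS = f"CN=Helpdesk,OU=Groups,{BASE}", f"CN=News List,OU=Groups,{BASE}"
ALICE = f"CN=Alice,OU=People,{BASE}"
ENTRIES = {   # groupType is returned as a signed 32-bit integer
    USERS:    {"objectSid": f"{SID}-513",  "groupType": -2147483646, "memberOf": [READERS]},
    READERS:  {"objectSid": f"{SID}-1201", "groupType": -2147483644, "memberOf": []},
    HELPDESK: {"objectSid": f"{SID}-1202", "groupType": -2147483640, "memberOf": [NEWS]},
    NEWS:     {"objectSid": f"{SID}-1203", "groupType": 8, "memberOf": [HELPDESK]},  # loop
    ALICE:    {"objectSid": f"{SID}-1105", "primaryGroupID": 513, "memberOf": [HELPDESK]},
}
SCOPES = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}
SECURITY_ENABLED = 0x80000000

def describe_group_type(group_type):
    """Decode the groupType bitmask into (scope, kind)."""
    bits = group_type & 0xFFFFFFFF          # undo the signed representation
    scope = next((name for flag, name in SCOPES.items() if bits & flag), "Unknown")
    return scope, "Security" if bits & SECURITY_ENABLED else "Distribution"

def primary_group_dn(user, entries):
    """Resolve primaryGroupID (a RID) to a DN: domain part of the user's SID + RID."""
    wanted = f"{user['objectSid'].rsplit('-', 1)[0]}-{user['primaryGroupID']}"
    return next((dn for dn, e in entries.items() if e.get("objectSid") == wanted), None)

def effective_groups(user_dn, entries):
    """Direct memberOf plus the primary group, expanded through nested groups."""
    user = entries[user_dn]
    pending = list(user.get("memberOf", []))
    primary = primary_group_dn(user, entries)
    if primary:
        pending.append(primary)             # memberOf never lists this one
    seen = set()
    while pending:
        dn = pending.pop()
        if dn not in seen:                  # nesting loops exist; visit each group once
            seen.add(dn)
            pending.extend(entries.get(dn, {}).get("memberOf", []))
    return seen

def security_groups(user_dn, entries):
    """Only the security-enabled groups among the effective memberships."""
    return sorted(dn for dn in effective_groups(user_dn, entries)
                  if dn in entries
                  and describe_group_type(entries[dn]["groupType"])[1] == "Security")
```
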