
Introduction

A group is a simple concept that has been used in many different types of systems over the years. In generic terms, a group is just a collection of things. Groups are used most frequently in a security context: you set up a group of users and apply permissions or rights to that group rather than to each user. This is easier and less error-prone than securing resources per user, because the access control entry is written once and membership changes do the rest.

In Active Directory, groups are flexible objects whose member attribute can hold virtually any other type of object, including users, computers, contacts, and other groups. Active Directory groups can be used for many different purposes, including controlling access to resources, security filtering of Group Policy objects so that a GPO applies only to members of a given group, and serving as an email distribution list.

The scope and type of a group define how the group can be used in a forest. The type of a group is either security or distribution. A security group is a security principal: it has a SID, it appears in the access tokens of its members, and it can be placed in ACLs to grant or restrict access. A distribution group is only a grouping mechanism; it is not a security principal and cannot be used in an ACL. Both group types can be mail-enabled and used as email lists. One caveat worth remembering: nesting a distribution group inside a security group does not convey the security group's SID to the distribution group's members, because only security-enabled groups are expanded when tokens are built. The scope of a group determines where in the forest the members of the group can come from and where in the forest you can use the group in ACLs. The supported group scopes are universal, global, and domain local. Universal groups can have members from any domain in the forest and can be used in ACLs anywhere in the forest; their membership is stored in the global catalog, so every membership change replicates to every global catalog server. Global groups can only have members from the same domain the group is in, but can be used in ACLs in any domain in the forest and in trusting domains. Domain local groups can have members from any domain in the forest and from trusted domains, but can be used in ACLs only within their own domain.

The Anatomy of a Group

Groups are represented in Active Directory by group objects. Table 7-1 contains a list of some of the noteworthy attributes that are available on group objects.

Table 7-1. Attributes of group objects

Attribute           Description
---------           -----------
cn                  Relative distinguished name (RDN) of the group object.
createTimestamp     Timestamp of when the group object was created.
description         Textual description of the group.
groupType           Bit flag encoding the group scope and type. See Recipe 7.6 for more information.
info                Additional notes about the group.
primaryGroupToken   Constructed (computed, not stored) attribute holding the RID of the group, which is the last sub-authority of the group's objectSid. A user's primaryGroupID attribute holds the RID of the user's primary group. Note that users whose primary group is this group are not listed in its member attribute.
managedBy           DN of the user, contact, or group designated as the manager of the group. By itself this attribute grants no rights; the manager can edit membership only if an ACE granting write access to member is also added (the "Manager can update membership list" option in Active Directory Users and Computers).
managedObjects      Back link listing the DNs of objects whose managedBy attribute points to this group.
member              List of DNs of the members of the group. Only direct members are listed; nested membership must be resolved by following member recursively.
memberOf            Back link listing the DNs of the groups this group is a direct member of, computed from those groups' member attributes.
modifyTimestamp     Timestamp of when the group object was last modified.
sAMAccountName      Down-level (pre-Windows 2000) name of the group, which must be unique within the domain. Typically this is the same as the cn attribute.
wWWHomePage         URL of the home page for the group.
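The following decoder puts the groupType and primaryGroupToken rows of Table 7-1, and the scope and type rules from the introduction, into working code. It is an added example and not part of the original book; the groupType bit values are the ones defined in the Active Directory schema, the SID layout is the standard binary SID format returned for objectSid over LDAP, and the sample SID and groupType values below are constructed for illustration (the RID 512 is the well-known Domain Admins RID).

```python
import struct
from dataclasses import dataclass

# groupType bit flags as defined in the Active Directory schema.
GROUP_TYPE_BUILTIN_LOCAL = 0x00000001
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # clear on distribution groups


@dataclass(frozen=True)
class GroupInfo:
    scope: str                  # "global", "domain local", "universal", "builtin local"
    type: str                   # "security" or "distribution"
    usable_in_acl: bool         # only security groups carry a SID into tokens/ACLs
    members_from_other_domains: bool  # global groups hold members of their own domain only
    usable_forest_wide: bool    # domain local groups are valid in ACLs only in their own domain


def decode_group_type(value: int) -> GroupInfo:
    """Decode a raw groupType value (LDAP returns it as a signed 32-bit integer)."""
    flags = value & 0xFFFFFFFF
    if flags & GROUP_TYPE_GLOBAL:
        scope = "global"
    elif flags & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "domain local"
    elif flags & GROUP_TYPE_UNIVERSAL:
        scope = "universal"
    elif flags & GROUP_TYPE_BUILTIN_LOCAL:
        scope = "builtin local"
    else:
        raise ValueError("groupType 0x%08x has no scope bit set" % flags)
    security = bool(flags & GROUP_TYPE_SECURITY_ENABLED)
    return GroupInfo(
        scope=scope,
        type="security" if security else "distribution",
        usable_in_acl=security,
        members_from_other_domains=(scope != "global"),
        usable_forest_wide=(scope in ("global", "universal")),
    )


def parse_sid(blob: bytes) -> str:
    """Convert a binary objectSid into its S-1-... string form."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision = blob[0]
    sub_count = blob[1]
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, blob, 8)  # 32-bit, little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid_from_sid(blob: bytes) -> int:
    """Return the RID (last sub-authority), i.e. what primaryGroupToken reports."""
    sub_count = blob[1]
    if sub_count == 0 or len(blob) != 8 + 4 * sub_count:
        raise ValueError("SID has no RID")
    return struct.unpack_from("<I", blob, 8 + 4 * (sub_count - 1))[0]


def is_primary_group(user_primary_group_id: int, group_sid_blob: bytes) -> bool:
    """True when a user's primaryGroupID names this group (such users do not appear in member)."""
    return user_primary_group_id == rid_from_sid(group_sid_blob)


# Constructed sample: S-1-5-21-1234567890-987654321-1122334455-512 in binary form.
DOMAIN_ADMINS_SID = (
    b"\x01\x05\x00\x00\x00\x00\x00\x05"   # revision 1, 5 sub-authorities, authority 5
    b"\x15\x00\x00\x00"                   # 21
    b"\xd2\x02\x96\x49"                   # 1234567890
    b"\xb1\x68\xde\x3a"                   # 987654321
    b"\xf7\x76\xe5\x42"                   # 1122334455
    b"\x00\x02\x00\x00"                   # 512 (Domain Admins RID)
)

if __name__ == "__main__":
    for raw in (-2147483646, -2147483644, -2147483640, 8):
        print(raw, decode_group_type(raw))
    print(parse_sid(DOMAIN_ADMINS_SID), "RID", rid_from_sid(DOMAIN_ADMINS_SID))
```

When auditing membership, pair decode_group_type with a recursive walk of member: the decoder tells you which groups actually matter for access (security-enabled) and which cannot hold members from another domain, while is_primary_group catches the users a member-only walk would miss.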
