Two basic group types are available in the Active Directory: security and distribution. Because distribution groups are used primarily by email and are not used for access control, let's focus on security groups.
Security groups are used to centralize access to objects. If a security group has an access permission and a user is a member of that group, he inherits that permission. This is a function of virtually every modern operating system and greatly reduces the amount of time spent managing permissions. Three group scopes exist in Active Directory—domain local, global, and universal.
→ See "Groups."
Group behavior differs based on whether the domain is in native or mixed mode. When a domain is created or upgraded, ...