One of the primary functions of a directory service such as Active Directory is to provide authorization for access to network resources. Ultimately, all access to network resources is based on individual user accounts. In most cases, however, you do not want to administer access to resources by using individual user accounts. In a large company, doing so would result in a great deal of administrative effort, and the access control lists (ACLs) on network resources would soon become unmanageable if you assigned permissions to individual user accounts. Instead, you create group objects to manage large collections of users at one time.