Chapter 16. Domain User, Group, and Computer Accounts
The three most common types of objects you'll need to manage in an Active Directory forest include users, groups, and computers. You'll need to create user objects to represent the employees, customers, or students in your environment. It is important to understand how to properly configure and automate the management of user objects so you can cut down on much of the day-to-day tasks required to support these objects.
A group is a simple concept that has been used in many different types of systems over the years. In generic terms, a group is just a collection of things. Groups are used most frequently in a security context whereby you set up a group of users and apply certain permissions or rights to that group. Using a group is much easier when applying security than using individual users because you have to apply the security only once instead of once per user.
In Active Directory, groups are flexible objects that can contain virtually any other type of object as a member. Active Directory groups can be used for many different purposes including controlling access to resources, defining a filter for the application of group policies, and as an email distribution list.
The scope and type of a group defines how the group can be used in a forest. The type of a group can be either security or distribution. Security groups can be used to restrict access to resources whereas distribution groups can be used only as a ...