Group Objects

A group is represented as a group object in Active Directory Domain Services. The following table lists important attributes of the group object.

AttributeDescription
cn

The cn (or Common-Name) is a single-value attribute that is the object's relative distinguished name. The cn is the name of the group in Active Directory Domain Services. As with all other objects, the cn of a group must be unique among the sibling objects in the container that contains the group.

member

The member attribute is a multi-value attribute that contains the list of distinguished names for the user, group, and contact objects that are members of the group. Each item in the list is a linked reference to the object that represents the member; therefore, the Active Directory server automatically updates the distinguished names in the member property when a member object is moved or renamed.

groupType

The groupType attribute is a single-value attribute that is an integer that specifies the group type and scope using the following bit flags:

  • ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP
  • ADS_GROUP_TYPE_GLOBAL_GROUP
  • ADS_GROUP_TYPE_UNIVERSAL_GROUP
  • ADS_GROUP_TYPE_SECURITY_ENABLED

The first three flags specify the group scope. The ADS_GROUP_TYPE_SECURITY_ENABLED flag indicates the group type. If this flag is set, the group is a security group. If this flag is not set, the group is a distribution group. For more information, see Group Types.

memberOf

The memberOf attribute is a multiple-value attribute that contains the list of distinguished names for groups that contain the group as a member. This attribute lists the groups beneath which the group is directly nested—it does not contain the recursive list of nested predecessors. For example, if group D were nested in group C and group B and group B were nested in group A, the memberOf attribute of group D would list group C and group B, but not group A.

objectGUID

The objectGUID attribute is a single-value attribute that is the unique identifier for the object. This attribute is a Globally Unique Identifier (GUID). When an object is created in the directory, the Active Directory server generates a GUID and assigns it to the object's objectGUID attribute. The GUID is unique across the enterprise and anywhere else.

The objectGUID is a 128-bit GUID structure stored as an OctetString.

objectSid

The objectSid attribute is a single-value attribute that specifies the security identifier (SID) of the group. The SID is a unique value used to identify the group as a security principal. It is a binary value that the system sets when the group is created.

Each group has a unique SID that the Windows NT/Windows 2000 Server domain issues that is stored in the objectSid attribute of the group object in the directory. Each time a user logs on, the system retrieves the SID for the groups of which the user is a member and places it in the user's access token. The system uses the SIDs in the user's access token to identify the user and his/her group memberships in all subsequent interactions with Windows NT/Windows 2000 security.

When an SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group.

sAMAccountName

The sAMAccountName attribute is a single-value attribute that is the logon name used to support clients and servers from a previous version (Windows 95, Windows 98, and LAN Manager). The sAMAccountName should be less than 20 characters to support clients and servers from a previous version.

The sAMAccountName must be unique among all security principal objects within a domain.

 

Group Types

There are two types of groups defined by Active Directory Domain Services, Security Groups and Distribution Groups.

A security group provides a logical grouping of objects and the group itself can be used as a security principal in an Access Control List (ACL). When a security group is given access to an object, all members of the security group automatically receive the same access to the object. Security groups with Universal scope can also be used as an email entity. Sending an email message to a universal security group sends the message to all the members of the group.

A distribution group also provides a logical grouping of objects, but cannot provide any access privileges. Distribution groups are not security enabled and cannot be used as a security principal in an ACL. Distribution groups are only used for grouping purposes. For example, distribution lists can be used with email applications, such as Exchange, to send email to a collection of users.

For more information about group types in Active Directory Domain Services, see the Group types topic on Microsoft TechNet.

Group Scope

There are three group scopes that are defined by Active Directory Domain Services, Universal, Global and Domain Local. The scope of the group defines what types of object can belong to the group, what types of groups the group can be a member of and the scope of objects that security groups can be given access to. When the domain functional level is set to Windows 2000 mixed mode, security groups with universal scope cannot be created.

The following table lists the three group scopes and more information about each scope for a security group.

ScopePossible membersScope conversionCan grant permissionsPossible member of

Universal

Accounts from any domain in the same forest.

Global groups from any domain in the same forest.

Other universal groups from any domain in the same forest.

Can be converted to domain local scope.

Can be converted to global scope as long as the group does not contain any other universal groups.

On any domain in the same forest or trusting forests.

Other universal groups in the same forest.

Domain local groups in the same forest or trusting forests.

Local groups on machines in the same forest or trusting forests.

Global

Accounts from the same domain.

Other global groups from the same domain.

Can be converted to universal scope as long as the group is not a member of any other global group.

On any domain in the same forest or trusting domains or forests.

Universal groups from any domain in the same forest.

Other global groups from the same domain.

Domain local groups from any domain in the same forest or from any trusting domain.

Domain Local

Accounts from any domain or any trusted domain.

Global groups from any domain or any trusted domain.

Universal groups from any domain in the same forest.

Other domain local groups from the same domain.

Can be converted to universal scope as long as the group does not contain any other domain local groups.

Within the same domain.

Other domain local groups from the same domain.

Local groups on machines in the same domain, excluding built-in groups that have well-known SIDs.

 

 

 

Show: