Wednesday, September 2, 2009

Understanding Active Directory Groups

In the world of Active Directory there are several types of groups. A group collects individual objects that would otherwise be difficult to manage one by one. The first type is the local group, which applies only within a single computer and should not be used in a domain. The next type is the Domain Local (DL) group, which is used to manage permissions or ACLs on resources, e.g. confidential folders that can only be accessed by the HR group. The Global Group (GG) is used to define business roles, such as HelpDesk, Sales, Marketing, etc. However, GG membership is contained within a single domain. To work around this constraint, the Universal Group (UG) was introduced to span multiple domains within the same forest. For example, an MNC has 3 different domains and each domain has a GG named Managers. Suppose a big project requires collaboration among the Managers GGs of the different domains. A new UG named "Big_Project" can be created to include the 3 Managers GGs from across the forest.

To manage numerous groups, a process called nesting (adding groups to other groups) can be used to create a hierarchy of groups. For a single domain, AGDLA is recommended: Accounts are members of Global Groups, which in turn are members of Domain Local groups, which are added to Access Control Lists (ACLs) to provide the level of access granted to the various resources. For example, assign Sales accounts to the Sales GG and Audit accounts to the Auditors GG. Both global groups are then made members of a DL called ACL_Sales_Read. This DL can be granted read permission on a folder that contains all Sales information.
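The AGDLA chain from the example above, written as an added PowerShell script for the ActiveDirectory module (this is not code from the original post); the OU distinguished name, the domain NetBIOS name CORP, the account names and the share path are assumptions:

```powershell
# Added example (not from the original post): build the single-domain AGDLA chain
# described above, then grant only the Domain Local group read access to the share.
# OU path, domain name, account names and share path are assumed values.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example'   # assumed OU that will hold the new groups

# A -> GG: accounts go into Global Groups that describe business roles
New-ADGroup -Name 'Sales'    -GroupScope Global -GroupCategory Security -Path $ou
New-ADGroup -Name 'Auditors' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Sales'    -Members 'alice', 'bob'   # assumed sAMAccountNames
Add-ADGroupMember -Identity 'Auditors' -Members 'carol'

# DL: one Domain Local group named for the resource and the access level it grants
New-ADGroup -Name 'ACL_Sales_Read' -GroupScope DomainLocal -GroupCategory Security -Path $ou

# GG -> DL: nest the role groups into the resource group; no users are added directly
Add-ADGroupMember -Identity 'ACL_Sales_Read' -Members 'Sales', 'Auditors'

# DL -> ACL: only the Domain Local group appears in the folder's ACL
$folder = '\\fileserver\Shares\Sales'   # assumed share path
$acl    = Get-Acl -Path $folder
$rule   = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
              -ArgumentList 'CORP\ACL_Sales_Read',
                            'ReadAndExecute',
                            'ContainerInherit, ObjectInherit',
                            'None',
                            'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check 1: the ACE on the folder references the DL group, not a GG or a user
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -like '*ACL_Sales_Read' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# Check 2: the DL group contains only groups; a user listed here bypasses the role layer
Get-ADGroupMember -Identity 'ACL_Sales_Read' |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Write-Warning "Direct user member in ACL_Sales_Read: $($_.SamAccountName)" }
```

The two checks at the end are the ones worth repeating periodically: an ACE that names a user or a GG directly, or a user nested straight into the DL group, means the chain has been short-circuited and access no longer follows the role groups.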

Across forests, note that only a Domain Local (DL) group can contain members from domains outside the forest. If you need to assign permissions to users in a trusted forest, use a DL group to hold the ACL entries.


  1. Both GG and DL can only contain members within the local domain. The main difference between GG and DL is that a GG can be granted permissions in any domain in the forest, whereas permissions for a DL can only be granted within the same domain. That probably explains why DL is used to manage ACLs and GG is used to manage account membership.

  2. Another reason why DL is used for ACLs and GG for account membership: a DL can include members from the same domain, from the rest of the forest and from trusted domains, whereas a GG can only include members from its own domain.