Active Directory Groups – Types Explained

Active Directory Groups – Types Explained. Every network has a registry containing information about its users, devices and other. AD is the a very well known on-prem directory service provider (IdP). Active Directory enables administrators to connect users to Windows based platforms. Each one has its own set of permission and access rights. Understanding how the directory works is critical to securing your network. This article formulate the question what is AD group? In the next part of this article we will find out exactly what they are and their purpose.

What is Active Directory (AD)?

Active Directory (AD), developed by Microsoft is a program that sorts users into various groups and a platform that grants access to sensitive data. Active Directory have in-built groups that store and arrange all the information about users, computers, shared folders and resources in an organizations’ network. For instance, if a user wants to access a specific resource within an organization, the administrator needs to authenticate and validate the user’s identity. Once the identity has been verified the users are authorized to access certain resources and restricted to a few within an Active Directory Infrastructure. 

What are Active Directory Groups?

An Active Directory group is a group of users that have been given access to certain resources. Any object that belongs to a specific group is referred to as a group member in AD. The administrators allow access and permissions to a group depending on the stored information rather than assigning rights individually to each member of the group.


The aim of the group is to simplify the network maintenance and administration and to secure Active Directory resources.

Why Use Active Directory Groups?

  • To make it easier for administrators to share (resource) permissions to a group instead of individual users and computer accounts.
  • Assigning permissions to a group implies that all  members of the group will have similar access to the shared resources.
  • Active Directory helps enforce policies and permissions at different levels for security purposes. Thus, it is highly secure and has a layered security system.
  • Users, computers, and resources can be located anywhere, yet Active Directory can access domain resources more securely.
  • The program is highly scalable. You can add N number of users to an individual domain with Active Directory Services.
  • It is one of the easy and efficient mechanisms to locate objects and generate email distribution lists.
  • Working with groups helps simplify network maintenance and administration.

Types of Active Directory Groups

In this guide of active Directory Groups Types- a group is a combination of objects, users, computers and resources within an organizational network. Active Directory sorts users into groups to manage all systems from one location and grant access to sensitive stored information.

The Active Directory Groups are given permission via:


  • Globally Unique Identifier (GUID).
  • Security Identifier (SID) for certain access to resources.


These groups are created on the basis of individual users’ requirements, global groups or domain members. 

The role of the administrator under Active Directory groups is to manage domain controllers and configurations. AD Administrator  maintains the stored data on domain member servers and workstations and operate the groups as a single object.


In this blog, we will concentrate on the types of Active Directory Group and their responsibilities.

Domain Groups

Windows Server operating system, has two main group types: Security and Distribution group. Each group have three group scopes. Security groups are more complex and assign permissions to shared resources, whereas the Distribution group is simpler and helps create e-mail distribution lists.

1. Security Group

Security Groups are complex yet assign access to resources on your network in an efficient way. Security Groups help:

  • Assign user rights – At the time of installing Active Directory, a few user rights are assigned automatically to help define a user’s administrative role in the domain. The main purpose to assign user rights to a security group is to decide the role of group members within the domain scope. Also, you can use Group Policies to delegate specific tasks when assigning user rights to security groups.


For instance, if a user is assigned the Backup Operators group, his role is to create backup and restore files and directories present on each domain controller.

  • Assign permissions to resources – Administrators give permissions, i.e., decide who has the Full Control for the shared resources. When assigning these permissions, they must select a security group rather than individual users. This way each account or individual user added to a group receives the assigned rights.


Like distribution groups in an Active Directory group, a security group can also be used as an email entity referred to as security-enabled distribution groups or mail-enabled security groups.

2. Distribution Groups

Distribution groups are designed for Exchange Servers to send e-mails in bulk to a group rather than individual users. You can only send e-mails and cannot provide access to Windows permissions. The group cannot be listed in the Discretionary Access Control Lists (DACLs) as they are not security-enabled. Also, if you have worked with Microsoft Exchange Server administrators, you may come across terms like “distribution groups” and “distribution lists” interchangeably.

How Secure is Your Active Directory ?

78% of companies have an insecure Active Directory and are vulnerable to a potential attack!!


Download our FREE  Active Directory Security Best Practices Compliance Checker

AD Group Scope

You must choose a scope for the group while setting up a security or distribution group in the Active Directory. The group scope helps the administrator understand how to assign the permissions to resources for the chosen group and which user can be added as a group member. In the domain tree or forest, each selected group has three scopes that identify the extent to which the group is applied. Also, one group can be a member of another group in the domain tree or forest referred to as Group nesting.


Universal groups (UG), global groups (GG) and domain local groups (DLG) are the three group scopes in Active Directory Groups.

1. Universal Group

Universal Group can grant permissions to the included users and group members (global and universal) from any Active Directory domain in the same forest. They do not worry about trust and define roles and manage resources across multiple domains under this group scope. Also, the universal group cannot become a member of the global groups apart from the domain local groups or other universal groups. Remember universal groups reside in the Global Catalog, which may also trigger forest-wide replication on addition or removal objects. Also, it is best suitable for large Active Directory forests.

2. Global Group

It cannot contain users, computers, and groups from the universal groups apart from the same domain. The role of this group type is to grant permissions to resources in another domain. It can be a member of domain local groups or universal groups from any domain in the forest/trusted domains and global groups of the same domain. The addition of accounts is granted only from the domain in which the global group was created. Also, Group Nesting is allowed under this group type. Keep in mind, you can convert Universal scope only if the group does not belong to the member of any other global group.

3. Domain Local Group

Domain Local Group can grant permissions to the included users, computers, and group members (global and universal) from any domain in the forest or any trusted domain for access to resources (files and folders, NTFS permissions, remote desktop access, etc.). It can become a member of any domain local group from the same domain under this group type. These are the only group scope that allows members from outside the forest and care about the trust. They also contain local groups created in the local Security Accounts Administrator (SAM) database. However, these local groups can be added to other local groups apart from the global group. Keep in mind these local groups perform even if the domain controllers fail to contact.

Changing the Scope or Type of Active Directory Groups

You can change the Scope or Type of Active Directory Groups by fulfilling certain conditions. Have a look at these conditions:

  • If the group is not a part of another global group, conversion of a Global Security Group to a Universal group is possible.
  • If the addition of another local domain group to the list of its members is not possible, you must convert a local domain group into a universal one.
  • There are no restrictions for converting a universal group to a local domain group.
  • If the global group does not contain another universal group as a member, then convert from universal to a global group.

Active Directory Groups – Types Explained Conclusion

Active Directory (AD) contains two main groups – Security Group and Distribution Groups that store and collect all the data associated with the AD users, computers, shared folders and resources in an organizations’ network. Also, each group comprises three group scopes that help in assigning permissions to resources for the selected group. The group scope also helps determine which user can be added as a group member.

Avatar for Hitesh Jethva
Hitesh Jethva

I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.

4.5 2 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x