Group Types Flashcards
Distribution Group
Any group in Active Directory can be created as either a distribution group or a security group. Distribution groups do not have a SID (Security Identifier) associated with them. For this reason distribution groups can’t be used for security. That is, a distribution group cannot be used to assign permissions to files or objects. Distribution groups are mainly used with e-mail programs like Exchange to send e-mails to groups of people. Since there is no SID associated with the group, when you make a user a member of a distribution group, this does not affect the size of the security token for that user. A security token is created when the user logs in and contains their SID and any SID’s for any security groups of which they are a member.
Security Group
A security group has a SID and thus can be used for assigning permissions to files or objects. A security group can also be used as a distribution group in e-mail software like Exchange. Thus, the difference between a security group and a distribution group is simply that a security group is security enabled whereas a distribution group is not. If you are not sure which group to create, create a security group since it can do everything a distribution group can do and can also be used in security related operations.
Global Group
Global groups have the most restrictive membership requirements, only allowing users, computers, and other Global groups from the same domain to be used as members. However, Global groups can be used as members of any other group, including other forest and external domains. This means a Global group has the most restrictive membership requirements of all the groups but is the most flexible when being used as members of other groups.
