Groups are an effective way of simplifying administration. If you have only a handful of users, you don’t need to make many changes to the built-in groups and memberships. One Administrator account handles everything related to administration, and the other few users all belong to the Users group and all have the same rights and permissions. But when the total number of users gets to 20 or more, groups are the way to organize permissions. For example, when you have a number of people who travel or telecommute, you don’t need to keep track of which users have permission to log on remotely if you add them all to the Mobile Users group.
About Group Scopes
All groups, whether built-in or created later, are assigned a group scope that defines how permissions are assigned. When you create a new group, by default, the new group is configured as a security group with universal scope.
Built-in local groups cannot be members of other groups. Universal groups, on the other hand, can be members of any other groups. Universal groups can have the following as members:
Other universal groups
Global groups
Individual accounts
Global groups are best used for directory objects that require frequent maintenance, such as user and computer accounts. Global groups can be members of other groups, and they can have other global groups and individual user accounts as members.
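Because groups can contain other groups, the accounts that actually hold a permission such as remote logon can be more numerous than the direct member list suggests. The following PowerShell sketch is an added example, not part of the original text: it reports the scope of the Mobile Users group, lists any groups nested inside it, and shows which accounts gain membership only through nesting. It assumes the ActiveDirectory module is installed and that a group with that name exists in your domain.

```powershell
# Added example: review who is effectively in a group that grants remote logon.
# Assumption: the ActiveDirectory module (RSAT) is available on this machine.
Import-Module ActiveDirectory

# Group name taken from the text; change it to match your domain.
$groupName = 'Mobile Users'

$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    throw "Group '$groupName' was not found."
}

# Scope (DomainLocal, Global, Universal) and category (Security, Distribution).
'{0}: scope={1}, category={2}' -f $group.Name, $group.GroupScope, $group.GroupCategory

# Direct members only. Any member that is itself a group brings its own members along.
$direct = @(Get-ADGroupMember -Identity $group)
$nestedGroups = $direct | Where-Object { $_.objectClass -eq 'group' }

foreach ($member in $nestedGroups) {
    $nested = Get-ADGroup -Identity $member.distinguishedName
    'Nested group: {0} (scope={1})' -f $nested.Name, $nested.GroupScope
}

# -Recursive flattens the nesting and returns only the leaf accounts.
$effective = @(Get-ADGroupMember -Identity $group -Recursive)

# Accounts that are members only because of a nested group are the ones
# most easily overlooked when reviewing who can log on remotely.
$directDns = $direct |
    Where-Object { $_.objectClass -ne 'group' } |
    ForEach-Object { $_.distinguishedName }

$effective |
    Where-Object { $_.distinguishedName -notin $directDns } |
    Sort-Object Name |
    ForEach-Object { 'Member via nesting: {0} ({1})' -f $_.Name, $_.objectClass }

'Direct members: {0}; effective accounts: {1}' -f $direct.Count, $effective.Count
```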