New groups in Active Directory

James Michael Stewart, Contributor

Creating new groups in Active Directory is accomplished in much the same manner as creating a new user or a new OU. Simply right-click on the OU that will contain the new group in the Active Directory Users and Computers console and select New, Group from the pop-up menu. Next provide the group name, select a group type and select a group scope. Once the group is created you can manage its memberships.

The group scope establishes where in the forest the group can be granted permissions and which accounts and groups it can contain. The group type establishes whether the group can be used to control access at all (security) or serves only as an e-mail address list (distribution).

There are three options for group scope: domain local, global and universal. A domain local group can be granted permissions only on resources in its own domain. It can have as members user accounts, global groups and universal groups from any domain in the forest (or from a trusted domain) and, in a native mode domain, other domain local groups from its own domain. A global group can be granted permissions on resources in any domain in the forest (not just its own domain tree), but its members must come from its own domain: user accounts and, in a native mode domain, other global groups from that same domain. A universal group can be granted permissions anywhere in the forest and can have user accounts, global groups and other universal groups from any domain in the forest as members. In a mixed mode domain, group nesting is not available: global groups hold only user accounts, and domain local groups hold only user accounts and global groups.

There are two options for group type: security and distribution. A security group is security-enabled: its SID is added to the access token of each member at logon, so it can be used to assign permissions to network resources. A distribution group is not security-enabled; it never appears in a user's access token, so permissions granted to it have no effect. It is used primarily by Exchange Server (Microsoft's e-mail solution) for sending e-mail to groups. Unless you are using Exchange Server or another AD-integrated messaging service, there is no need to use distribution
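The procedure described above, carried out from the shell instead of the Active Directory Users and Computers console, as an added example that is not part of the original article. It uses the ActiveDirectory PowerShell module (part of RSAT); the domain corp.example.com, the Groups OU, the group names and the user accounts jdoe and asmith are assumptions made for the illustration. It creates one group of each kind the text discusses and wires them together in the usual accounts-to-global-to-domain-local pattern.

```powershell
# Added example (not from the original article): creates the groups discussed
# above with the ActiveDirectory PowerShell module (RSAT) instead of clicking
# through Active Directory Users and Computers. The domain, OU, group and
# account names below are assumptions made for the illustration.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example,DC=com'   # assumed container OU

# Universal security groups are refused while the domain is in Windows 2000
# mixed mode, so check the functional level before relying on them.
$domain = Get-ADDomain
Write-Output ("Domain {0} functional level: {1}" -f $domain.DNSRoot, $domain.DomainMode)

# Global security group: members must come from this domain, but the group can
# be granted access on any resource in the forest.
New-ADGroup -Name 'Finance Staff' -SamAccountName 'FinanceStaff' `
    -GroupCategory Security -GroupScope Global -Path $ou `
    -Description 'Finance department accounts (assumed sample group)'

# Domain local security group: usable only on resources in this domain, which
# makes it the right object to put on an ACL; it may contain global and
# universal groups from any trusted domain.
New-ADGroup -Name 'Finance Share Modify' -SamAccountName 'FinanceShare-Modify' `
    -GroupCategory Security -GroupScope DomainLocal -Path $ou `
    -Description 'Modify on \\fs01\Finance (assumed resource)'

# Distribution group: not security-enabled, so it never appears in a logon
# token and permissions granted to it have no effect; only worth creating for
# Exchange or another AD-integrated mail system.
New-ADGroup -Name 'Finance Announcements' -SamAccountName 'FinanceAnnounce' `
    -GroupCategory Distribution -GroupScope Universal -Path $ou

# Membership follows the AGDLP pattern: Accounts go into the Global group, the
# Global group goes into the Domain Local group, and the Domain Local group
# receives the Permissions on the resource.
Add-ADGroupMember -Identity 'FinanceStaff' -Members 'jdoe', 'asmith'   # assumed users
Add-ADGroupMember -Identity 'FinanceShare-Modify' -Members 'FinanceStaff'

# Confirm scope and type of what was created, then show the nested membership.
Get-ADGroup -Filter 'Name -like "Finance*"' -SearchBase $ou |
    Select-Object Name, GroupScope, GroupCategory
Get-ADGroupMember -Identity 'FinanceShare-Modify' |
    Select-Object Name, objectClass
```

Run it from an account that has Create Group Objects on the target OU. The membership check at the end shows FinanceStaff (objectClass group) as the only direct member of the domain local group; the user accounts reach the share's ACL through the nesting, which is exactly what the native mode domain makes possible.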

Universal distribution groups can be created in mixed mode domains. Universal security groups can only be created in native mode domains (in Windows Server 2003 terms, a domain functional level of Windows 2000 native or higher). This restriction is enforced to preserve backwards compatibility with Windows NT 4.0 BDCs, which cannot represent universal security groups.

Another benefit of a native mode domain is the ability to change the scope of an existing group. Domain local groups and global groups can be converted into universal groups, subject to two conditions: a global group can be converted only if it is not a member of another global group, and a domain local group can be converted only if it contains no other domain local groups. Contrary to a common belief, elevation to universal is not a one-way change: a universal group can be converted to domain local without restriction, or to global as long as it contains no other universal groups as members. What is not permitted is converting directly between global and domain local; that has to be done in two steps via universal scope.

However, even with the benefits of universal groups, it is generally recommended to use them sparingly: create a universal group only when its forest-wide membership is actually needed. The reason for this caution is that the definition of each universal group, along with its entire membership list, is replicated to every global catalog server in the forest. That is what lets the group be evaluated in any domain, and it is also why, in a native mode domain, a domain controller must reach a GC to build a user's logon token. Too many universal groups, or universal groups whose membership changes often, add replication traffic and load to every GC. Two practices limit the cost: put global groups rather than individual user accounts into universal groups, so that routine membership changes happen in the global groups and never touch the GC; and, once the forest is at the Windows Server 2003 forest functional level, linked-value replication sends only the changed members rather than the whole membership list, which makes the cost of a universal group largely proportional to its churn rather than its size.
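The scope conversions and the universal group review described in the two paragraphs above, as an added example that is not part of the original article. It again uses the ActiveDirectory PowerShell module; the domain, the Groups OU and the ProjectOrion group are assumptions, and the domain is assumed to be at Windows 2000 native functional level or higher so that scope changes are allowed.

```powershell
# Added example (not from the original article): changes a group's scope with
# Set-ADGroup and takes stock of the universal groups that every global catalog
# must carry. Domain, OU and group names are assumptions; the domain is assumed
# to be at Windows 2000 native functional level or higher.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example,DC=com'   # assumed container OU
New-ADGroup -Name 'Project Orion' -SamAccountName 'ProjectOrion' `
    -GroupCategory Security -GroupScope Global -Path $ou   # assumed sample group

# Global -> Domain Local is not a permitted conversion; the directory refuses it.
try {
    Set-ADGroup -Identity 'ProjectOrion' -GroupScope DomainLocal -ErrorAction Stop
} catch {
    Write-Warning "Direct Global -> DomainLocal refused: $($_.Exception.Message)"
}

# The permitted route is through Universal in two steps. The first step fails
# if the global group is itself a member of another global group.
Set-ADGroup -Identity 'ProjectOrion' -GroupScope Universal
Set-ADGroup -Identity 'ProjectOrion' -GroupScope DomainLocal
$scope = (Get-ADGroup -Identity 'ProjectOrion').GroupScope
if ($scope -ne 'DomainLocal') { throw "Expected DomainLocal, got $scope" }

# Universal -> Global is allowed as well, provided no member is itself a
# universal group, so elevating a scope is not a one-way door.
Set-ADGroup -Identity 'ProjectOrion' -GroupScope Universal
Set-ADGroup -Identity 'ProjectOrion' -GroupScope Global

# Every universal group and its full membership is replicated to each global
# catalog. Inventory them and flag any that hold individual user accounts
# instead of global groups, since those churn the GC on every staff change.
Get-ADGroup -Filter 'GroupScope -eq "Universal"' -Properties Members |
    ForEach-Object {
        $members = @($_.Members | Get-ADObject)
        [pscustomobject]@{
            Name        = $_.Name
            Category    = $_.GroupCategory
            MemberCount = $members.Count
            DirectUsers = @($members | Where-Object objectClass -eq 'user').Count
        }
    } | Sort-Object DirectUsers -Descending | Format-Table -AutoSize
```

The inventory at the end is the check worth scheduling: a universal group whose DirectUsers column is high is one whose every staffing change is replicated to every GC in the forest, and the fix is usually to move those accounts into a global group and nest that group instead.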

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in January 2004
