New groups in Active Directory

Creating a new Active Directory group is easy, but you should also consider how all the options will affect the group and if there are any pitfalls to avoid.

Creating new groups in Active Directory follows much the same procedure as creating a new user or a new OU. In the Active Directory Users and Computers console, right-click the OU that will contain the new group and select New, Group from the pop-up menu. Next, provide the group name, select a group type and select a group scope. Once the group is created, you can manage its membership.

The group scope establishes where the group can be used and what types of objects it can contain. The group type establishes what services can be applied to the group.

There are three options for group scope: domain local, global and universal. A domain local group can only be used within a single domain; it can have users, global groups and universal groups as members. A global group can be used throughout a domain tree (i.e. the current domain and all child domains); it can have users and other global groups as members. A universal group can be used anywhere in the forest; it can have users, global groups and other universal groups as members.

There are two options for group type: security and distribution. A security group is used to assign permissions to network resources. A distribution group is used primarily by Exchange server (Microsoft's e-mail solution) for sending e-mail to groups. Unless you are using Exchange server or another AD-integrated messaging service, there is no need to use distribution groups.

Universal distribution groups can be used in mixed mode domains. Universal security groups can only be created in native mode domains. This restriction is enforced to preserve backward compatibility with Windows NT 4.0 BDCs, which cannot support universal security groups.

Another benefit of a native mode domain is the ability to change the scope of a group. Domain local groups and global groups can be converted into universal groups. However, once their scope is elevated to universal, it cannot be changed back.

However, even with the benefits of universal groups, it is generally recommended to use them as little as possible. In other words, only create universal groups if their specific forest-wide capability is absolutely necessary. The reason for this caution is that the definition of each universal group, along with its entire membership list, is added to the global catalog server. Placing the group definition on the GC host is necessary to allow the group to function throughout the forest. Adding too many universal groups to the GC can result in an overburdened GC and poor performance.
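The same procedure scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original article: it creates a global security group (the low-cost default), adds members, checks the domain's mixed/native state via the ntMixedDomain attribute before any scope conversion, and audits existing universal groups for their GC footprint. The OU path, group name and member names are placeholders.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module is installed and the caller has rights on the target OU. The OU path,
# group name and member names below are placeholders.
Import-Module ActiveDirectory

$targetOu = 'OU=Groups,DC=example,DC=com'   # placeholder OU

# 1. Create a global security group: scope Global keeps membership out of the
#    global catalog; category Security lets it carry resource permissions.
New-ADGroup -Name 'FinanceUsers' `
            -SamAccountName 'FinanceUsers' `
            -GroupScope Global `
            -GroupCategory Security `
            -Path $targetOu `
            -Description 'Finance department users (placeholder)'

# 2. Manage membership after creation. A global group accepts users and
#    other global groups only; attempting to add a universal group fails.
Add-ADGroupMember -Identity 'FinanceUsers' -Members 'jdoe', 'asmith'

# 3. Scope conversion to Universal needs a native mode domain. The domain
#    object's ntMixedDomain attribute is 1 in mixed mode and 0 in native mode.
$domainDn = (Get-ADDomain).DistinguishedName
$mixed    = (Get-ADObject -Identity $domainDn -Properties ntMixedDomain).ntMixedDomain
if ($mixed -eq 0) {
    # -WhatIf previews the one-way change without committing it; drop it only
    # when the forest-wide capability is genuinely required.
    Set-ADGroup -Identity 'FinanceUsers' -GroupScope Universal -WhatIf
} else {
    Write-Warning 'Domain is in mixed mode; universal security groups are unavailable.'
}

# 4. Audit: list universal groups by member count to see what the GC is
#    already replicating before adding more.
Get-ADGroup -Filter 'GroupScope -eq "Universal"' -Properties Members |
    Select-Object Name, GroupCategory,
                  @{ Name = 'MemberCount'; Expression = { $_.Members.Count } } |
    Sort-Object MemberCount -Descending |
    Format-Table -AutoSize
```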


James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.


This was first published in January 2004
