Understanding Windows Server 2003 Groups

To gain access to resources in an Active Directory network, users need to be setup with the appropriate permissions. Things like shared folders and drives, printers, and most other network resources you can think of have what is called an Access Control List (ACL). This list shows the objects (users, groups, computers, OUs, etc.) that have permission to access any given resource, along with specific details about what level of access is granted.

These objects listed in the ACL are known as Security Principles. The access control list for resources is found on the Security tab of the Properties dialog box. What all this means is that for a user to gain access to a network resource, it needs to be configured to specifically allow that user access. Imagine how time consuming that would be on a large network! Let's imagine a company hired 100 new employees (as if that would ever happen in this economy). If they all needed access to various resources scattered around the network, it would take hours of arduous configuration for the administrator to setup permissions for every one of them. So what do we do to make this task simpler?

A group is, essentially, just a list of users that functions as a security principle (see above). An Active Directory group can contain users, contacts, computers, and sometimes even other (sub) groups. Note: Do not confuse groups with organizational units. They serve two separate purposes. You can use a Group as a security principle by adding it to the ACL of a network resource. From there, you can configure permissions that will be applied to every object (users, in our example) in the group. If, later, you add users to the group, they will inherit these permissions. If users are removed from the group, they will lose the permissions. Smart usage of groups can really make administrating network resources a much simpler task. In a network with a well planned group system, administrators should rarely, if ever, need to assign permissions to an individual user.

In addition to resource access control, groups can be used to assign user rights. What are user rights? User rights are special settings that can grant a user or group the ability to perform specific system tasks, such as accessing a computer from the network, adjusting system times, or taking ownership of folders and files. Groups can also be used in the creation of email distribution lists, such as those normally configured through Exchange or Outlook.