👨‍🏫security group

What is a security group?

AD Security Group

What is a Security Group?

  • A security group is a logical entity in Windows that collects user accounts, computer accounts, and other groups into one unit for the purpose of assigning permissions and rights.

  • It is primarily used to manage access to resources in a domain or local computer environment.

  • Security groups are stored in the Active Directory (AD) database in domain environments or in the Security Accounts Manager (SAM) database on local machines.

What are the primary functions of a security group?

  • Assign User Rights: Assigning user rights to a security group determines what the members of that particular group can do within the scope of a domain. For example, a user who is added to the Backup Operators group can back up and restore files and directories located on each domain controller in the domain. By being a member of this group, you inherit the user rights assigned to the group.

  • Assign Permissions for Resources: This is different from user rights: user rights apply across an entire domain, whereas permissions are directed at a specific resource. Permissions determine who can access the resource and the level of access, such as Full Control or Read-only.
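The following PowerShell session is an added example, not code from the referenced Microsoft page, showing the two functions above end to end: a security group is created, users are added to it, and the group (never the individual users) is granted NTFS permissions on a folder; the last step lists the members of the built-in Backup Operators group, whose user rights the text uses as its example. It assumes the ActiveDirectory (RSAT) module is installed; the group name, OU, user names, domain name and share path are placeholders for a lab domain.

```powershell
# Added example (not from the referenced Microsoft page).
# Assumed: ActiveDirectory module available; the OU, users and folder exist in a lab domain.
Import-Module ActiveDirectory

$GroupName  = 'FS-Finance-Modify'                 # placeholder group name
$GroupOU    = 'OU=Groups,DC=corp,DC=example'      # placeholder OU
$Members    = @('alice', 'bob')                   # placeholder sAMAccountNames
$FolderPath = '\\fileserver01\Finance'            # placeholder share path
$NetBios    = 'CORP'                              # placeholder NetBIOS domain name

# 1. Create the group. GroupCategory Security is what makes it usable in an ACL.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
                -GroupCategory Security -GroupScope DomainLocal `
                -Path $GroupOU -Description "Modify access to $FolderPath"
}

# 2. Put users in the group. Access is managed through membership, not per user.
Add-ADGroupMember -Identity $GroupName -Members $Members

# 3. Grant the group Modify on the folder. The ACE references the group's SID,
#    so later membership changes alter access without touching the ACL again.
$acl  = Get-Acl -Path $FolderPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            "$NetBios\$GroupName",
            [System.Security.AccessControl.FileSystemRights]::Modify,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# 4. Verify: effective membership (including nested groups) and the ACEs that name the group.
Get-ADGroupMember -Identity $GroupName -Recursive |
    Select-Object Name, SamAccountName, objectClass

(Get-Acl -Path $FolderPath).Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited

# 5. User rights come with membership of privileged groups such as Backup Operators,
#    so their membership is worth reviewing regularly.
Get-ADGroupMember -Identity 'Backup Operators' -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

Using a domain local group for the resource and adding users (or global role groups) to it keeps the ACL stable: when someone changes job, the only change is a group membership, which is logged by the domain controller, rather than an edit to a file server ACL.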


How do AD security groups work?

  • Use groups to collect user accounts, computer accounts, and other groups into manageable units.

  • Working with groups instead of with individual users helps you simplify network maintenance and administration.

AD has two types of groups:

  • Security groups: Use to assign permissions to shared resources.

  • Distribution groups: Use to create email distribution lists.


What is a Distribution Group?

  • A distribution group is a collection of user accounts, contacts, or other groups that can be addressed as a single entity, typically for sending emails or other forms of messaging.

  • When an email is sent to a distribution group, it is automatically forwarded to all members of the group.

  • This simplifies communication by allowing administrators or users to send messages to a large audience without manually entering each recipient’s email address.

  • In summary:

    • Used for messaging (e.g., email lists).

    • Do not have a Security Identifier (SID), so they cannot be used to assign permissions or rights.

    • Exist solely to facilitate communication.
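To make the security/distribution distinction concrete, here is an added PowerShell example (not code from the referenced Microsoft page) that inventories the groups in a domain by category and scope, shows the groupType bit that marks a group as security-enabled, and points at the audit event to watch for because a distribution group can be converted in place into a security group. It assumes the ActiveDirectory module is installed and is run with a read-only account; the group name in the commented conversion line is a placeholder.

```powershell
# Added example (not from the referenced Microsoft page).
# Assumed: ActiveDirectory module available; run with a read-only account.
Import-Module ActiveDirectory

# 1. How many groups of each kind exist? GroupCategory and GroupScope are both
#    derived from the groupType attribute.
Get-ADGroup -Filter * -Properties groupType |
    Group-Object GroupCategory, GroupScope |
    Select-Object Count, Name |
    Sort-Object Name

# 2. Show the underlying bit for a sample of groups. Bit 0x80000000 set means
#    "security-enabled"; distribution groups have it clear, which is why they
#    cannot be placed in a DACL.
Get-ADGroup -Filter * -Properties groupType -ResultSetSize 10 |
    Select-Object Name, GroupCategory, GroupScope,
        @{ n = 'groupType(hex)';  e = { '0x{0:X8}' -f ($_.groupType -band 0xFFFFFFFF) } },
        @{ n = 'SecurityEnabled'; e = { ($_.groupType -band 0x80000000) -ne 0 } }

# 3. List distribution groups with their members: these are mail lists, not principals.
Get-ADGroup -Filter 'GroupCategory -eq "Distribution"' |
    ForEach-Object {
        [pscustomobject]@{
            Group   = $_.Name
            Scope   = $_.GroupScope
            Members = (Get-ADGroupMember -Identity $_ | Measure-Object).Count
        }
    }

# 4. Caveat: a distribution group can be switched to a security group (and back)
#    in place. This is a legitimate admin action, but it turns a mail list into
#    something that can be granted rights, so the change should be audited.
#    Domain controllers log it as Security event 4764 ("A group's type was changed").
# Set-ADGroup -Identity 'Finance-Newsletter' -GroupCategory Security   # placeholder name
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4764 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Step 4 is the practical reason the distinction matters for defenders: a large distribution group that someone converts to a security group inherits every existing member as a security principal at once, so group type changes deserve the same attention as membership changes to privileged groups.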


Reference: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups
