Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


A group is a collection of user and computer accounts, contacts and other groups that can be managed as a single unit. Users and computers that belong to a particular group are referred to as group members.

Groups simplify administration by letting you assign a common set of permissions and rights to many accounts at once, rather than assigning permissions and rights to each account individually. For an overview of permissions and rights, see Access control overview.

Groups can be either directory-based or local to a particular computer. Groups in Active Directory are directory objects that reside within domain and organizational unit container objects. Active Directory provides a set of default groups upon installation and also lets you create your own groups. For more information, see Default groups.

Local groups, which exist on local computers and not in Active Directory, are discussed in Default local groups.

Groups in Active Directory allow you to:

  • Simplify administration by assigning permissions on a shared resource to a group, rather than to individual users. This assigns the same access on the resource to all members of that group.

  • Delegate administration by assigning user rights once to a group through Group Policy, and then adding to the group the members that you want to have those rights.

  • Create e-mail distribution lists. For more information, see Group types.

Groups are characterized by their scope and their type. The scope of a group determines the extent to which the group is applied within a domain or forest. For information about group scope, see Group scope. The group type determines whether a group can be used to assign permissions on a shared resource (security groups) or can be used for e-mail distribution lists only (distribution groups). For information about security groups and distribution groups, see Group types.
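The following added example, which is not part of the original documentation and does not use any Active Directory API, models the ideas above in plain Python: nested group membership, permissions granted once to a security group, and the refusal to use a distribution group for permissions. All group, account, and share names are constructed for illustration.

```python
# Constructed model of the group concepts described above; every name is made up.
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    security: bool = True                      # False = distribution group (e-mail only)
    members: set = field(default_factory=set)  # account names or names of other groups

class Directory:
    def __init__(self):
        self.groups = {}
        self.acls = {}                         # resource -> {group name: permission}

    def add_group(self, name, security=True, members=()):
        self.groups[name] = Group(name, security, set(members))

    def effective_members(self, group_name):
        """Accounts that belong to the group directly or through nested groups."""
        accounts, seen, stack = set(), set(), [group_name]
        while stack:
            current = stack.pop()
            if current in seen:                # guards against circular nesting
                continue
            seen.add(current)
            for member in self.groups[current].members:
                if member in self.groups:
                    stack.append(member)       # nested group: expand it too
                else:
                    accounts.add(member)
        return accounts

    def grant(self, resource, group_name, permission):
        # Only security groups can be used to assign permissions.
        if not self.groups[group_name].security:
            raise ValueError(f"{group_name} is a distribution group")
        self.acls.setdefault(resource, {})[group_name] = permission

    def access(self, resource, account):
        """Permissions the account holds on the resource through its groups."""
        return {perm for group, perm in self.acls.get(resource, {}).items()
                if account in self.effective_members(group)}

def build_sample():
    d = Directory()
    d.add_group("Payroll Clerks", members={"alice", "bob"})
    d.add_group("Finance", members={"carol", "Payroll Clerks"})
    d.add_group("Finance News", security=False, members={"alice", "dave"})
    d.grant(r"\\fs01\ledger", "Finance", "Modify")   # one grant covers all members
    return d
```

The model ignores group scope and does not cover nesting through distribution groups; it only shows why reviewing who can reach a resource means expanding nested membership rather than reading the direct member list.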

There are also groups for which you cannot modify or view the memberships. These groups are referred to as special identities and are used to represent different users at different times, depending on the circumstances. For example, the Everyone group represents all current network users, including guests and users from other domains. For more information, see Special identities.