Access control users and groups

Networked operating systems provide tools for user management. In the case of Windows, this is through the use of user and group objects. They serve the following purposes.

Types of Active Directory Groups

Active Directory groups can be used:

• To simplify the administration by assigning share (resource) permissions to a group rather than individual users. When you assign permissions to a group, all of its members have the same access to the resource;
• To delegate the control by assigning user rights to a group using Group Policies. In the future, you can add new members to the group who need the permissions granted by this group;
• To create email distribution lists.

There are two types of AD groups:

• Active Directory Security Groups. This type of group is used to provide access to resources (security principal). For example, you want to grant a specific group access to files on a network shared folder. To do this, you need to create a security group;
• Active Directory Distribution Groups. This type of group is used to create email distribution lists (usually used in Microsoft Exchange Server). An e-mail sent to such a group will reach all users (recipients) in the group. This type of group cannot be used to provide access to domain resources, because they are not security enabled.

For a full list of groups and users, see this article.

And for Microsoft’s guidance, see here.