Chapter 7. Groups

7.0. Introduction

A group is a simple concept that has been used in many different types of standalone and networked systems over the years. In generic terms, a group is just a collection of objects. Groups are often used to apply security in an efficient manner: you create a collection of users and assign certain permissions or rights to that group, rather than to each individual user within the group. When applying security settings, it’s much easier to use a group than individual users, because you only need to apply the security setting once instead of once per user. Groups are also frequently used to send email messages to an entire group of users at once rather than requiring the sender to address each person individually.

In Active Directory, groups are flexible objects that can contain virtually any other type of object as a member, although they’ll generally only contain users, inetOrgPersons, computers, and other groups. Active Directory groups can be used for many different purposes, including controlling access to resources, defining a filter for the application of group policies, and serving as an email distribution list.

The ways in which a group can be used in an Active Directory forest are defined by the group’s scope and type. The type of a group can be either security or distribution. Security groups can be used to restrict access to Windows resources, whereas distribution groups can be used only as a simple grouping mechanism for ...
