Groups allow user accounts to be logically grouped together for administrative purposes. For example, instead of granting Read access on a shared folder to three separate user accounts, create a group that contains these accounts and assign Read permission to the group. It may be more initial work to do things this way, but if you later want to change the users’ access to Full Control, you can do it in one step by granting this permission to the group instead of granting it for each user individually. Also, if other users need these same permissions in the future, you just make them members of the group since members of a group receive whatever permissions have been assigned to the group (a user can belong to more than one group at a time).
The general strategy that Microsoft recommends for managing resource access by user accounts is called AGP: organize user Accounts into Groups to which suitable Permissions are assigned. A good way to begin is to determine which user accounts in your domain require access to the same file, printer, and other network resources. For example, users in the customer support department might need access to the FAQ share, so create a group called Support for this purpose.
However, in WS2003 it’s a little more complicated than this: there are different types of groups, and these groups can have different scope. In addition, groups can contain not just user accounts but also computers and other groups. In fact, groups can be ...