What are group category and group scope? If you look back at the New Group window, you'll see two mandatory settings that we just left at their defaults: group type and group scope. So what are they?

There are two categories of group in Active Directory. The most common one, and the only one we'll deal with in this module, is the security group. Security groups can contain user accounts, computer accounts, or other security groups. The default groups we talked about before, like Domain Users and Domain Admins, are security groups. They're used to grant or deny access to IT resources. Let's say you create a Human Resources group and then give that group access to a shared folder meant specifically for folks in human resources.

The other category is the distribution group. A distribution group is only designed to group accounts and contacts for email communication. You can't use distribution groups to assign permissions to resources; a distribution group never shows up in an access control list. One reason you might use a distribution group instead of a security group is to create an email list that includes people from outside your domain.

What about group scope? Group scope has to do with how group definitions are replicated across domains. Keeping a lot of large groups synchronized in a very large network is a complicated problem, so Active Directory gives us different scopes of group to manage that complexity. Most commonly, group scopes are used like this.

Domain local: used to assign permissions to a resource. An example would be a domain local group with read access to a network share, called Research Share Readers, and another with write access, called Research Share Writers.

Global: used to group accounts into a role. Our example Researchers group is a global group. You could have other role-based groups like Sales or Management.

Universal: used to group global roles across a forest.
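Here is the same category and scope layout built from PowerShell instead of the New Group window. This is an added example, not code from the lesson: the OU path, domain name, share path and group names are assumptions, and it also shows the scope rule the lesson only implies, that a global group can't contain a domain local group.

```powershell
# Added example, not the lesson's own code: group category and scope created
# with the ActiveDirectory module and nested role -> resource. The OU path,
# domain name (EXAMPLE), folder path and group names are assumptions.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=example,DC=com'   # assumed OU for new groups

# Global group: a role. It can only contain accounts and global groups
# from its own domain.
New-ADGroup -Name 'Researchers' -GroupScope Global -GroupCategory Security `
    -Path $groupOU -Description 'Research role'

# Domain local groups: one per permission on one resource. They can contain
# accounts, global groups and universal groups from any trusted domain.
New-ADGroup -Name 'Research Share Readers' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOU -Description 'Read access to the Research share'
New-ADGroup -Name 'Research Share Writers' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOU -Description 'Write access to the Research share'

# Universal group: collects global roles from across the forest. Its membership
# is replicated to every global catalog, so keep groups in it, not individual users.
New-ADGroup -Name 'All Researchers' -GroupScope Universal -GroupCategory Security `
    -Path $groupOU -Description 'Researchers role from every domain'

# Distribution group: mail addressing only. It cannot be used in an ACL,
# so it can never grant or deny access to a folder.
New-ADGroup -Name 'Research Announcements' -GroupScope Universal -GroupCategory Distribution `
    -Path $groupOU

# Nest role -> resource: accounts go in the global role group, and the role
# group goes in the domain local resource group (and in the universal group).
Add-ADGroupMember -Identity 'Research Share Writers' -Members 'Researchers'
Add-ADGroupMember -Identity 'All Researchers' -Members 'Researchers'

# Grant the domain local group NTFS Modify on the shared folder (assumed path).
$folder = 'D:\Shares\Research'
$acl = Get-Acl -Path $folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'EXAMPLE\Research Share Writers', 'Modify',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: AD enforces the scope rules. A domain local group cannot be a member
# of a global group, so this add is rejected. The warning confirms the scopes
# were set the way the role/resource pattern expects.
try {
    Add-ADGroupMember -Identity 'Researchers' -Members 'Research Share Readers' -ErrorAction Stop
} catch {
    Write-Warning "Expected failure: $($_.Exception.Message)"
}

# Review what was created.
Get-ADGroup -Filter 'Name -like "Research*"' -Properties Description |
    Select-Object Name, GroupScope, GroupCategory, Description
```

The ACL step is the point of the whole layout: only the domain local group is ever named in the folder's permissions, so changing who can write to the share is always a membership change in AD, never an ACL edit on the file server.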
Domain local and global groups aren't replicated outside of the domain they're defined in, but universal groups are: their membership is replicated to every global catalog server in the forest, which is why you keep them small and fairly static. In a multi-domain forest, you might have a global Research Share Readers group in each domain, and a universal Research Share Readers group that contains each of those global groups as members.

With domain local resource groups and global role groups, you can create group memberships that are very easy to understand. They very clearly describe what kind of access each role is supposed to have to each resource. So I can add Managers to the Research Share Readers group and Researchers to the Research Share Writers group, and that's all very easy to understand. Now, if we add her to our new Researchers group, she can write to the research shared folder. It's not because her user account was given direct access to the files there, but because she's a researcher.

All right, let's add user accounts to our new Researchers group. We can do this from the user account or from the group. Let's start from the user account. In the Active Directory Administrative Center, right-click her account and select Add to group. Now, in the "Enter the object names to select" field, type Researchers and then click OK. That's it. What did ADAC do in the background? ADAC ran a PowerShell command that takes an Active Directory security principal, like a user account or a security group, and adds it to the membership of a group.

Let me add myself to the Researchers group and see how that works. I'll right-click the Researchers group and then click Properties. Okay, and if I click Members, I can see that she is a member of this group. Now, if I click the Add button off to the right, it brings up a dialog window similar to the one you saw before. I'll enter my account name and click OK; it resolves to System Administrator, and I hit OK. Just as we made the change from the group instead of the user, so did ADAC in PowerShell.
This time around, we used the Set-ADGroup command, which sets or changes properties of an existing AD group, to add my account to the Researchers group. Now, I'm not really a researcher in this org, so let's go ahead and remove my account using ADAC. This time, of course, I use the Remove button instead of the Add button, and we're done. As you can see, the only thing that changed in the PowerShell command was a single parameter: Remove instead of Add for the member attribute.

Most people in an organization have more than one role. In our fictional company, researchers are part of the Research and Development department. Some network resources will be shared with all of R&D, while some resources will only be made available to researchers. It makes sense for us to create a parent group for the R&D department. Let's create a global security group for this. So what we're going to do is right-click the Users container, click New, then Group, and name our group Research and Development. In the description, we'll write "All of the members of the Research and Development department," and then hit OK.

Now, our researchers are part of the R&D department in addition to being researchers, so instead of adding each researcher independently to the Research and Development group, we can add the Researchers group as a member. If I type "research" like this and hit OK, I get a list of all of the users and groups whose names start with "research". Let's go ahead and select Research and Development, which makes the Researchers group a member of it. What happened in the Windows PowerShell history? Remember, user accounts and groups are both security principals, so we used the same PowerShell command to change group membership here as we did before. So, we created a user and added them to some new groups.
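The membership changes ADAC made above, run directly with the ActiveDirectory module, as an added example that is not part of the lesson. The account names, group names and OU path are assumptions. It adds from the user side, adds and removes from the group side the way ADAC's history shows, nests the Researchers group into Research and Development, and then checks the result from both directions, including the nested membership that a plain lookup misses.

```powershell
# Added example, not the lesson's own code. Account names, group names and
# the OU path are assumptions for illustration.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=example,DC=com'   # assumed
$user    = 'asmith'                        # assumed researcher account
$admin   = 'sysadmin'                      # assumed admin account

# 1. From the user side: this is what "Add to group..." on an account runs.
Add-ADPrincipalGroupMembership -Identity $user -MemberOf 'Researchers'

# 2. From the group side: ADAC's history shows Set-ADGroup with -Add. The
#    member attribute takes a distinguished name, not a logon name.
$adminDN = (Get-ADUser -Identity $admin).DistinguishedName
Set-ADGroup -Identity 'Researchers' -Add @{ member = $adminDN }

# 3. Removing is the same command with -Remove in place of -Add.
Set-ADGroup -Identity 'Researchers' -Remove @{ member = $adminDN }

# 4. Parent role group for the department, then nest the Researchers group
#    instead of adding each researcher again.
New-ADGroup -Name 'Research and Development' -GroupScope Global -GroupCategory Security `
    -Path $groupOU -Description 'All of the members of the Research and Development department'
Add-ADGroupMember -Identity 'Research and Development' -Members 'Researchers'

# Verify from the group side. -Recursive expands nested groups, so the
# researcher shows up under R&D even though only the Researchers group was added.
Get-ADGroupMember -Identity 'Research and Development' -Recursive |
    Select-Object SamAccountName, objectClass

# Verify from the user side. This lists direct memberships only, so
# Research and Development will NOT appear here.
Get-ADPrincipalGroupMembership -Identity $user | Select-Object Name, GroupScope

# Effective membership including nesting, using the LDAP_MATCHING_RULE_IN_CHAIN
# matching rule (OID 1.2.840.113556.1.4.1941) on the member attribute.
$userDN = (Get-ADUser -Identity $user).DistinguishedName
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDN)" |
    Select-Object Name, GroupScope
```

Two caveats when you try this. Group membership is stamped into the user's access token at logon, so a user added to Researchers doesn't gain write access to the share until she logs off and back on (or her Kerberos ticket is renewed). And because Get-ADPrincipalGroupMembership only reports direct memberships, audit "who can write to this share" with the recursive or matching-rule query, not the direct one, or nested access will be missed.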