Security groups can provide an efficient way to assign access to resources on your network. By using security groups, you can:
- Assign User Rights
User rights are assigned to a security group to determine what members of that group can do within the scope of a domain or forest. User rights are automatically assigned to some security groups when Active Directory is installed to help administrators define a person's administrative role in the domain.
For example, a user who is added to the Backup Operators group in Active Directory has the agility to back up and restore files and directories that are located on each domain controller in the domain. This is possible because, by default, the user rights Backup files and directories and restore files and directories are automatically assigned to the Backup Operators Group. Therefore, members of this group inherit the user rights that are assigned to that group.
You can use Group Policy to assign user rights to security groups to delegate specific tasks. For more information about using Group Policy, see User Rights Assignments.
- Assign Permissions to Security Groups for Resources.
Permissions are different from user rights. Permissions are assigned to the security group for a shared resource. Permissions determine who can access the resource and level of access, such as full control. Some permissions that are set on domain objects are automatically assigned to allow various levels of access to default security groups, such as the Account Operators Group or the Domain Admins Group.
Security groups are listed in DACLs that define permissions on resources and objects. When assigning permissions for resources (file shares, printers, and so on), administrators should assign those permissions to a security group rather than to individual users. The permissions are assigned once to the group, instead of several times to each individual user. Each account that is added to a group receives the rights that are assigned to that group in Active Directory, and the user receives the permissions that are defined for that group.
Like distribution groups, security groups can be used as email entities. Sending an email message to the group sends the message to all the members of the group