Users are defined on Windows by creating user accounts using the Windows administration tool called the "User Manager". An account containing other accounts, also called members, is a group. Groups give Windows administrators the ability to grant rights and permissions to the users within the group at the same time, without having to maintain each user individually. Groups, like user accounts, are defined and maintained in the Security Access Manager (SAM) database.

There are two types of groups:
- Local groups. A local group can include user accounts created
in the local accounts database. If the local group is on a machine
that is part of a domain, the local group can also contain domain
accounts and groups from the Windows domain.
If the local group is created on a workstation, it is specific to
that workstation.
- Global groups. A global group exists only on a domain controller
and contains user accounts from the domain's SAM database. That is,
a global group can only contain user accounts from the domain on which
it is created; it cannot contain any other groups as members. A global
group can be used in servers and workstations of its own domain, and
in trusting domains.
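
The membership rules above decide who ends up holding the rights granted to a local group. The following model is an added example, not code from the original page or from Windows: it enforces those rules and resolves the users a local group reaches through nested global groups. All names (WS1, SALES, HQ, the accounts and groups) are constructed, and treating user accounts from a trusted domain like global groups from one is an assumption beyond the text.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    name: str
    home: str                 # machine name (local account) or domain name

@dataclass
class Group:
    name: str
    scope: str                # "local" or "global"
    home: str                 # machine (local group) or domain (global group)
    domain: str = ""          # domain the local group's machine has joined, if any
    members: list = field(default_factory=list)

def add_member(group, member, trusts=frozenset()):
    """Add member if the rules allow it; trusts holds (trusting, trusted) pairs."""
    is_group = isinstance(member, Group)
    if group.scope == "global":
        if is_group:
            raise ValueError("a global group cannot contain other groups")
        if member.home != group.home:
            raise ValueError("a global group holds only users of its own domain")
    else:
        # Domains this machine accepts principals from: its own and those it trusts.
        reachable = ({group.domain} | {b for a, b in trusts if a == group.domain}
                     if group.domain else set())
        if is_group and member.scope != "global":
            raise ValueError("a local group takes only global groups as group members")
        if member.home not in reachable and (is_group or member.home != group.home):
            raise ValueError("principal is not from this machine or a usable domain")
    group.members.append(member)

def effective_users(group):
    """Every user who receives the rights granted to group, through nesting."""
    users = set()
    for m in group.members:
        users |= effective_users(m) if isinstance(m, Group) else {m}
    return users

# Constructed sample: workstation WS1 joined to SALES, and SALES trusts HQ.
trusts = {("SALES", "HQ")}
alice, bob, carol = User("alice", "SALES"), User("bob", "HQ"), User("carol", "WS1")
sales_ops = Group("SalesOps", "global", "SALES")
hq_admins = Group("HQAdmins", "global", "HQ")
ws_admins = Group("Administrators", "local", "WS1", domain="SALES")
add_member(sales_ops, alice)
add_member(hq_admins, bob)
for m in (carol, sales_ops, hq_admins):
    add_member(ws_admins, m, trusts)
```

Calling effective_users(ws_admins) returns alice, bob and carol, although only carol was added to the local group directly; an audit of who holds a local group's rights has to expand its global groups.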