In general, a group is a collection of individuals or resources which share the same characteristics and responsibilities. In an organization, individual identities get added and deleted, but roles and responsibilities do not change much. Therefore, the best way to manage privileges in organizations is based on roles and responsibilities rather than individuals. For example, in a sales department, sales persons will change quite often but their operational requirements will not change frequently. They all will access the same file shares, have the same permissions to CRM application, and have the same privileges to access each other's calendars. AD groups allow you to isolate identities based on the privileges requirements.

In an AD environment, there are two categories of groups:

• Security groups: This type is used to assign permissions to the resources. As an example, Rebeladmin Corp. has a team of 10 sales persons. They use a shared folder called Sales in the file server. Everyone in the sales team has the same access permissions to it. If the permission would be managed at the user level, the ACL for the Sales folder would have 10 entries to represent each user. If a new sales person joins the team, his account will need to be added to the ACL and match with the permission manually by comparing existing users in the ACL. Since this is a manual process, there is a possibility that the wrong privileges are applied by mistake. If it's based on security groups, we can create group such as sales department and then add that to the Sales folder ACL with the relevant privileges. After that, we can remove individual entries for each sales user from ACL. Thereafter, access to the Sales folder will be controlled by adding or removing users from sales department group.
• Distribution group: This is to be used with an email system, such as Microsoft Exchange, to distribute one email to a group. These groups are not security enabled, so you cannot use them to assign permissions.