From the KnowledgeBase

Title:
Domain Groups
Synopsis:
Domain Groups


Solution:

A domain group is an Active Directory organizational tool. It is used to organize user accounts, computer accounts, and other group accounts into manageable units. Working with groups instead of with individual users helps simplify network maintenance and administration, for example, in SharePoint.

A domain group can be nested, so it can contain other groups (as noted in the graphic below, the nested groups appear in blue typeface).

[Graphic not included: nested groups shown in blue typeface]

There are two types of domain groups:

Security groups - let you assign the same security permissions for shared resources to large numbers of users in one operation.

Distribution groups - have only one function - the management of e-mail distribution lists. Distribution groups play no role in security (they cannot be assigned permissions).

Domain groups and Princeton University

  • To have a new domain group created, please put in a request to the Help Desk. The request should come from a department SCAD\DCS, a department chairperson, manager, or appropriate OIT personnel.
  • Once a group has been created, one or more people are usually given administrative rights to the group, allowing them to add or remove users as needed.
  • To become the administrator of an existing group, contact a current administrator of the group or the Help Desk for assistance.
  • Once a domain group administrator has been selected, the admin can go to http://windows.princeton.edu/GroupMember.aspx to start administering the group.
  • Check the box for 'Only display editable groups' to list only the groups that you administer.

You can then add or delete a user as needed.

The difference between an administrator and a member of a group
Removing an administrator's netid from a group membership list does not terminate their admin rights to the group; they can simply log in and re-add themselves. To terminate a user's administrative rights to a group, please contact the Help Desk.

Efficient use of domain groups

  • Put users into security groups with global scope. A global group can usually be thought of as an Accounts group, that is, a group that contains user accounts.
  • Put resources into security groups with domain local (or machine local) scope. A local group can usually be thought of as a Resource group, that is, a group to which you assign permissions to access a resource.
  • Put a global group into any domain local (or machine local) group in the forest (this is especially efficient when more than one domain is involved).
  • Assign permissions for accessing resources to the domain local (or machine local) groups that contain them.
  • Delegate administration of groups to the appropriate manager or group leader.
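
The steps above, applied to a single file share and followed by a check for user accounts placed directly in resource groups. This is an added example, not part of the original article; the domain (EXAMPLE), OU, share path, group names and account names are all assumptions, and it uses the standard ActiveDirectory PowerShell module.

```powershell
# Added example: accounts group -> resource group -> permission, for one share.
# Every name below is an assumption chosen for illustration.
Import-Module ActiveDirectory

$ou      = 'OU=Groups,DC=example,DC=edu'   # assumed OU that holds group objects
$share   = 'D:\Shares\Finance'             # assumed resource (existing folder)
$users   = 'asmith', 'bjones'              # assumed user accounts
$manager = 'cmanager'                      # assumed group manager

# 1. Accounts group: security group with global scope, contains user accounts.
New-ADGroup -Name 'GG-Finance-Staff' -SamAccountName 'GG-Finance-Staff' `
    -GroupCategory Security -GroupScope Global -Path $ou
Add-ADGroupMember -Identity 'GG-Finance-Staff' -Members $users

# 2. Resource group: security group with domain local scope.
New-ADGroup -Name 'DL-FinanceShare-Modify' -SamAccountName 'DL-FinanceShare-Modify' `
    -GroupCategory Security -GroupScope DomainLocal -Path $ou

# 3. Nest the global group inside the domain local group.
Add-ADGroupMember -Identity 'DL-FinanceShare-Modify' -Members 'GG-Finance-Staff'

# 4. Assign the permission to the domain local group only, never to users.
$acl  = Get-Acl -Path $share
$args = 'EXAMPLE\DL-FinanceShare-Modify', 'Modify',
        'ContainerInherit,ObjectInherit', 'None', 'Allow'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $args
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# 5. Record who manages the accounts group. ManagedBy is informational:
#    the right to change membership is a separate permission on the group
#    object, so it is granted and revoked independently of membership.
Set-ADGroup -Identity 'GG-Finance-Staff' -ManagedBy $manager

# Audit: list user accounts that sit directly in a domain local security
# group, bypassing the accounts-group layer described above.
Get-ADGroup -SearchBase $ou `
    -Filter "GroupCategory -eq 'Security' -and GroupScope -eq 'DomainLocal'" |
    ForEach-Object {
        $group = $_
        Get-ADGroupMember -Identity $group |
            Where-Object objectClass -eq 'user' |
            Select-Object @{ n = 'Group'; e = { $group.Name } }, SamAccountName
    }
```

An empty result from the audit means every domain local group under the OU contains only groups (or computers), so access can be reviewed by looking at the membership of the accounts groups alone.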

Last Updated:
May 22, 2008

Solution ID:
9912