Security Group Reports

5 Reports
About Security Group Reports

Security Group Reports provide comprehensive insights into groups used for permissions and access control. Track security groups across all scopes (built-in, local, global, universal) to manage resource access, implement least privilege, and maintain proper security boundaries.

Access Control

Manage permissions and security

Group Scopes

Built-in, local, global, universal

Security Principals

Manage resource access

Security Groups Overview

Security groups act as security principals that can be assigned permissions to resources (files, folders, printers, etc.). Members inherit the group's permissions, simplifying access management. Unlike distribution groups, security groups control access, not just email distribution.

Example: Security Group Reports


Available Reports

All Security Groups

Comprehensive report of all security groups across all scopes - built-in, local, global, and universal. Complete inventory of groups used for permissions and access control.

Use Cases
  • Complete security group inventory
  • Permission structure audit
  • Access control documentation
  • Baseline for security reviews
Key Information
  • All security groups
  • Group scope (built-in/local/global/universal)
  • Member counts
  • Purpose and descriptions
  • Permission assignments
Best Practice: Use as a master list for access control audits and permission structure reviews.

Built-in Security Groups

Shows predefined security groups created automatically during domain setup with specific administrative privileges and permissions. Critical for maintaining system security.

Use Cases
  • Audit default group memberships
  • Verify built-in permission assignments
  • System security validation
  • Administrative access review
Key Information
  • Predefined security groups
  • Default privileges and rights
  • Current memberships
  • Purpose and capabilities
  • System-level permissions
Important: Built-in groups have powerful predefined rights. Carefully control membership, especially of Domain Admins, Enterprise Admins, and Administrators.

Local Security Groups (Domain Local)

Lists domain local security groups - used to assign permissions to resources within the domain. Can contain users/groups from any domain but only grant access to local domain resources.

Use Cases
  • Resource permission assignments
  • Local access control management
  • File server security groups
  • Domain-specific resource access
Key Information
  • Domain local scope groups
  • Can contain universal members
  • Grant access to local resources
  • Typical use: resource permissions
  • AGDLP strategy (DL for permissions)
Best Practice: Use domain local groups for assigning permissions to resources (AGDLP: Accounts → Global → Domain Local → Permissions).

Global Security Groups

Shows global scope security groups - used to organize users/computers with similar needs. Can be used anywhere in the domain or forest but can only contain members from the same domain.

Use Cases
  • Organize users by role or department
  • Nest into domain local groups
  • Cross-domain access (when in DL)
  • Role-based organization
Key Information
  • Global scope groups
  • Same-domain members only
  • Can be nested in DL groups
  • Typical use: user organization
  • AGDLP strategy (G for grouping)
Best Practice: Use global groups to organize users, then nest them in domain local groups for permission assignment.

Universal Security Groups

Lists universal scope security groups - can contain members from any domain and be used anywhere in the forest. Stored in Global Catalog, so changes replicate forest-wide.

Use Cases
  • Forest-wide access requirements
  • Multi-domain resource access
  • Enterprise-wide roles
  • Consolidate global groups
Key Information
  • Universal scope groups
  • Can contain members from any domain
  • Forest-wide visibility
  • Global Catalog replication
  • Use sparingly (replication impact)
Caution: Universal group membership changes replicate to all Global Catalogs. Use for relatively static memberships to minimize replication traffic.

Group Scope Strategy (AGDLP)

Best practice for using group scopes effectively:

  1. Accounts → Add user accounts to...
  2. Global groups → Add global groups to...
  3. Domain Local groups → Assign...
  4. Permissions to resources

This strategy simplifies management and works well across domains and forests.
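
The following is an added example, not part of the product or its reports: a small Python audit that checks an exported group inventory against the AGDLP chain and the scope rules described above, and resolves which accounts inherit a group's permissions through nesting. The inventory layout, the group, user and resource names, and the rule labels are all constructed for illustration.

```python
# Added example: AGDLP audit over a constructed group inventory (all names are made up).
GROUPS = {  # name: (scope, domain, [(kind, member_name, member_domain), ...])
    "G_Finance": ("global", "corp.example",
                  [("user", "alice", "corp.example"), ("user", "bob", "corp.example")]),
    "G_Audit": ("global", "emea.example", [("user", "erin", "emea.example")]),
    "DL_FinShare_RW": ("domain_local", "corp.example",
                       [("group", "G_Finance", "corp.example"),
                        ("group", "G_Audit", "emea.example"),
                        ("user", "carol", "corp.example")]),
}
ACLS = [  # constructed permission entries: (resource, trustee_kind, trustee_name)
    ("fs01:/finance", "group", "DL_FinShare_RW"),
    ("fs01:/payroll", "group", "G_Finance"),
    ("fs01:/hr", "user", "dave"),
]

def audit(groups, acls):
    """Return sorted (rule, subject, detail) findings for deviations from AGDLP."""
    findings = []
    for name, (scope, domain, members) in groups.items():
        for kind, member, member_domain in members:
            # AGDLP: accounts go into global groups, not straight into domain local groups.
            if scope == "domain_local" and kind == "user":
                findings.append(("USER_IN_DL", name, member))
            # Global groups hold same-domain members only; a hit means inconsistent data.
            if scope == "global" and member_domain != domain:
                findings.append(("FOREIGN_MEMBER_IN_GLOBAL", name, member))
    for resource, kind, trustee in acls:
        # AGDLP: permissions are assigned to domain local groups only.
        scope = groups.get(trustee, (None,))[0] if kind == "group" else None
        if scope != "domain_local":
            findings.append(("ACL_NOT_ON_DL", resource, trustee))
    return sorted(findings)

def effective_users(groups, group, seen=None):
    """Resolve nested membership to the user accounts that inherit the group's permissions."""
    seen = set() if seen is None else seen
    if group in seen or group not in groups:
        return set()  # cycle guard, or group missing from the inventory
    seen.add(group)
    users = set()
    for kind, member, _ in groups[group][2]:
        users |= {member} if kind == "user" else effective_users(groups, member, seen)
    return users

if __name__ == "__main__":
    for finding in audit(GROUPS, ACLS):
        print(*finding)
    print(sorted(effective_users(GROUPS, "DL_FinShare_RW")))
```
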