Skip to main content

Cornell University

Group Management Terminology

This article applies to: Group Management

Reference Groups

Reference groups are based on the University HR Organizational Tree (also known as the Department Tree Table) as represented in PeopleSoft database system, as well as on information about each student's college association(s). Reference groups organize people at the university into groups representative of where they work or study. Reference groups are an example of static groups (see definition below).

Please see our About Reference Groups page for details.

Legacy Permit Groups

Cornell’s Legacy Permit system has become part of the new CornellAD Groups management system. Anything that we say about groups also applies to legacy permits.

Group Scope

Each group can have one of three scope levels:

  • Domain Local
  • Global
  • Universal

Rather than try to explain them here, the procedures we document on this web site will give guidance on what scope to select in various circumstances.

Group Type

There are two types of CornellAD groups: Distribution Groups and Security Groups. Distribution groups are usually used to create email and calendaring groups [not available yet], while Security groups are used to provide access to resources (authorization). A Security group can also be a Distribution group.

Dynamic Group

Dynamic groups can be created using the Quest Group Management Interface. Dynamic groups are created via an LDAP type "filter" and the members change as the value of the member's attributes change. For example, you could create a group with the membership of everyone whose last name is "Smith" by using a filter such as "(sn=smith)". If anyone's last name changes, their membership in the group would automatically be removed.

Static Group

This type of group does not automatically update based on a filter. It gets updated by a person or a feed. A reference group (see description above) is an example of a static group.

Nested Group

Nested groups are created by making one group a member of another group. Example:

  • GroupA contains the NetIDs pqs665 and dxl882.
  • GroupB contains the NetID cd404 and GroupA.
  • Thus the members of GroupB are pqs665, dxl882, and cd404.
  • Anyone who is added to GroupA automatically becomes a member of GroupB.

Resource Account (Exchange Group Account)

An Exchange Group Account (EGA) is a specialized Exchange account set up specifically for a Cornell group to handle email or calendars related to its mission or business. Please see our Resource Accounts articles for details.

Group Policy object (GPO)

A logical concept used to represent a single set of computer and/or user policies. For example, an OU administrator can create a GPO that applies access to a printer for a group called GroupA.


To share feedback about this page or request support, log in with your NetID

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.