AD Groups group individual AD Elements together to ease system configuration. The idea of AD Groups, analogous to that of Capability Groups (Subsection 4.2.6), exploits the fact that a typical system configuration requires only a small number of very similar, and often identical, ADs. The number of AD Groups that can be created in a system ensures that the possible granularity of the mandatory security policy is not severely limited.
The AD Group with id 0 is the default AD Group and is treated in a special way (Subsection 4.3.5).