Domain Local, Global, Universal
Domain universal groups can contain users, domain global groups, and domain universal groups from any.
Domain local, global, universal. The domain local scope can contain user accounts, universal groups, and global groups from any domain. Domain local groups: orange. Global groups can grant access to anything, including files and folders, in any domain. Global groups that represent business roles should contain only user or computer accounts.
It is a global group if the domain is in mixed mode. Universal groups can be a member of domain local groups or other universal groups, but not global groups. Universal groups do not care about trust. During a disaster recovery exercise.
Universal groups accept user and computer accounts from any domain. Global groups: green. A global group can also be nested. Domain local groups accept user accounts from any domain.
Use domain global groups to organize users who share similar access requirements, and make them members of the domain local groups you use to grant access to resources. By default, the only member of the group is the administrator account for the forest root domain. Nesting of domain local groups. Global groups cannot be nested across domains.
It is a universal group if the domain is in native mode. Likewise, domain local groups that describe resource permissions or user rights should contain only global groups that represent business roles. Domain local, global, and universal are group scopes, which allow you to use groups in different ways to assign permissions. This can look like the illustration below.
If the domain functional level is set to Windows 2000 mixed, distribution groups can have the same membership as detailed for Windows 2000 native or Windows Server 2003 functional level. In addition, the scope can both contain and be a member of domain local groups from the same domain. These groups can only be used by systems in the same domain. In addition, local users and computers can also be members of this group.
With domain universal groups, permissions can be assigned to resources in any domain. The group is authorized to make schema changes in Active Directory. Stored on the local SAM (local computer); used for security settings that apply just to this one machine. Domain global groups can be a member of domain local groups and domain universal groups in any domain.
Universal groups: other universal groups from any domain, global groups from any domain, user accounts from any domain, and computer accounts from any domain. Universal groups: light blue. Domain local groups may contain accounts, global groups, and universal groups from any domain, as well as domain local groups from the same domain. A user or computer account from one domain cannot be nested within a global group in another domain.
Local groups will work even if the network becomes unavailable, e.g. To begin with, a domain local group can be a member of another domain local group within the same domain.