Domain Local Universal Global
There are three group scopes: domain local, global and universal. The scope of a group determines from where in the network you can assign permissions to the group, and each scope defines the possible members a group can have and where the group's permissions can be applied within the domain. Domain local, global and universal scopes therefore let you use groups in different ways to assign permissions. In the illustration, domain local groups are shown in orange, universal groups in light blue and global groups in green.

Domain local groups. A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. In other words, the domain local scope accepts user accounts, global groups and universal groups from any domain, as well as domain local groups from the same domain; local users and computers can also be members of this group. If the domain functional level is set to Windows 2000 mixed, distribution groups can have the same membership as detailed for the Windows 2000 native or Windows Server 2003 functional level. You can give domain local security groups rights and permissions only on resources that reside in the same domain where the domain local group is located, so these groups can only be used by systems in the same domain.

Nesting of domain local groups. A domain local group can be a member of another domain local group within the same domain, so the domain local scope can both contain and be a member of domain local groups from the same domain. Use domain global groups to organize users who share similar access requirements and make them members of the domain local groups you use to grant access to resources; likewise, domain local groups that describe resource permissions or user rights should contain only global groups that represent business roles.

Global groups. A global group can contain user accounts only from its own domain: a user or computer account from one domain cannot be nested within a global group in another domain, and global groups cannot be nested across domains. A global group can also be nested: it can be a member of global groups of the same domain, and of domain local groups or universal groups of any domain in the forest or in trusted domains. Domain global groups can therefore be members of domain local groups and domain universal groups in any domain, and global groups can be granted access to anything, including files and folders, in any domain.

Universal groups. Universal groups can contain other universal groups from any domain, global groups from any domain, user accounts from any domain and computer accounts from any domain. With domain universal groups, permissions can be assigned to resources in any domain.

Local groups. Local groups are stored in the local SAM of the local computer and are used for security settings that apply just to that one machine. Local groups will work even if the network becomes unavailable, e.g. during a disaster recovery exercise.

The table below was taken straight from Microsoft TechNet and it gives the whole story of the rules for group scope.