https://social.technet.microsoft.com/Forums/windows/en-US/58543e21-1a66-4844-aba0-d37740e2248b/active-directory-group-scope-local-domain-gl… 1/10
8/11/2018 Active Directory Group Scope - Local Domain, Global Group, Universal Group
There are three different group scopes; domain local, global and universal. The scope decides who can
be member of the group and where the group can be used. These are the three group scopes and a
"Can Contain Matrix" for each:
1. Domain Local Groups: These groups are only visible in their own domain. For that reason, domain local security groups can be used to grant rights and permissions only on resources that reside in the same domain where the domain local group is located. Domain local groups can contain domain local groups only from the same domain, but users, computers and all other group types from the same domain and trusted domains (all domains in the forest). Use domain local groups for assigning permissions to resources in their home domain.
CAN CONTAIN: Domain Local Groups from the own domain, Global Groups from trusted domains and any domain in the forest, Universal Groups from trusted domains and any domain in the forest.
2. Global Groups: These groups are visible throughout the forest, but can only contain accounts and global groups from the same domain. The group itself can be a member of universal and domain local groups in any domain, and of global groups in its own domain. These groups should be used to organize users who share the same job tasks or department etc. You should not assign permissions directly to global groups – domain local groups are more appropriate for that.
CAN CONTAIN: Global Groups from the OWN domain.
3. Universal Groups: These groups are visible throughout the forest and can contain accounts, global groups and other universal groups from any domain in the forest (they cannot contain domain local groups). Universal groups should be used to nest global groups. By doing that, the group can assign permissions to resources in multiple domains.
CAN CONTAIN: Global Groups from any domain in the forest, Universal Groups from any domain in the forest.
Jesper Stahle Avanade (Partner) 165 Points
Hi,
Here are my thoughts on this..
Domain Local- You can add members from any domain in your forest but you can give them access to the resources which are available only in the domain where you create this DL.
Global- You can add members only from the domain where you create this DL, and this DL can be given access to any resources in any other domains in the forest.
For ex, you have Domain A and B. Your users in domain A need to access a resource in Domain B. How to accomplish this?
From your domain A, create a Global DL--- create a Domain Local DL in domain B. Add the Domain A's Global DL as a member to the Domain B's Domain Local Group.. Give access to the resource in Domain B. It's done..
Universal- Add members from any domain, access resources in any domain of the forest.
Hope it helps.. :)
Server Engineer 1,995 Points
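The "Can Contain Matrix" from the first answer and the Domain A / Domain B nesting walk-through above, turned into a small checker. This is an added example, not code from the thread; it assumes a single forest (so "trusted domains" means any domain in the forest) and uses constructed group and user names.

```python
from __future__ import annotations
from dataclasses import dataclass

# Accounts and groups are modelled as (name, domain, kind), where kind is one of
# "user", "computer", "global", "domainlocal", "universal".
@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str

ACCOUNTS = ("user", "computer")

def can_contain(group: Principal, member: Principal) -> bool:
    """Can-contain matrix for one forest (every domain trusts every other)."""
    same_domain = group.domain == member.domain
    if group.kind == "global":
        # Accounts and global groups from the group's own domain only.
        return same_domain and member.kind in ACCOUNTS + ("global",)
    if group.kind == "universal":
        # Accounts, global and universal groups from any domain; never domain local.
        return member.kind in ACCOUNTS + ("global", "universal")
    if group.kind == "domainlocal":
        # Domain local groups only from the same domain; anything else from any domain.
        return same_domain if member.kind == "domainlocal" else True
    return False

def can_be_granted(group: Principal, resource_domain: str) -> bool:
    """Where a group may appear on a resource ACL: domain local only in its home domain."""
    if group.kind == "domainlocal":
        return group.domain == resource_domain
    return group.kind in ("global", "universal")

def check_chain(chain: list[Principal], resource_domain: str) -> list[str]:
    """Validate a nesting chain account -> group -> ... -> group whose last group
    is granted access to a resource in resource_domain. Returns the violations."""
    problems = []
    for member, group in zip(chain, chain[1:]):
        if not can_contain(group, member):
            problems.append(f"{group.name} [{group.kind}@{group.domain}] cannot contain "
                            f"{member.name} [{member.kind}@{member.domain}]")
    last = chain[-1]
    if not can_be_granted(last, resource_domain):
        problems.append(f"{last.name} [{last.kind}@{last.domain}] cannot be granted "
                        f"permissions on a resource in {resource_domain}")
    return problems

if __name__ == "__main__":
    # Constructed sample: user in A -> global group in A -> domain local group in B -> resource in B.
    alice = Principal("alice", "A", "user")
    g_sales = Principal("G-Sales", "A", "global")
    dl_share = Principal("DL-Share-RW", "B", "domainlocal")
    print(check_chain([alice, g_sales, dl_share], "B"))  # []
    print(check_chain([alice, Principal("DL-Local", "A", "domainlocal")], "B"))
```

The second call shows why the walk-through puts the domain local group in Domain B: a domain local group created in Domain A cannot be placed on an ACL in Domain B.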
Hello,
the first difference is:
Possible members of the group
Possible conversion of the group
The permissions that can be assigned on the group
Have a look at that as it will explain to you more:

Group scope  | Group can include as members…                             | Group can be assigned permissions in…
-------------|-----------------------------------------------------------|--------------------------------------------------------------------------------------
Global       | Accounts from the same domain as the parent global group  | Member permissions can be assigned in any domain
Domain local | Accounts from any domain; Global groups from any domain   | Member permissions can be assigned only within the same domain as the parent domain local group

For the use of the groups with different scopes, refer to this Microsoft article: http://technet.microsoft.com/en-us/library/cc755692(v=WS.10).aspx
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Mr X INSEAD (MCC, MVP) 150,381 Points
I presume Ace Fekay has used examples & pictures to explain groups & scope in the link below.
http://social.technet.microsoft.com/Forums/en/winserverDS/thread/fa66b5c5-3ed3-4700-b479-e036577e110b
Regards
Awinish Vishwakarma | CHECK MY BLOG
Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Awinish (Partner) 61,805 Points
All replies
The example given by Ace is very good! It helps me very much. Thank you Awinish!
Regards
Thanks Mr. Mohan. It's really helpful, especially the example. Keep it up. Good luck.
Unic0rn1 5 Points
I am confused: can we use a universal group to assign permissions in a trusted forest, and can we add members from a trusted forest to a domain local group?
Ludvig.S Independent IT Consultant 50 Points
I realize I'm showing up late for the party and this thread was answered, however I wanted to offer my blog with a good explanation on how this whole mess works with an easy to follow example:
Using Group Nesting Strategy - AD Best Practices for Group Strategy
Published by acefekay on Jan 6, 2012 at 10:34 PM
http://msmvps.com/blogs/acefekay/archive/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy.aspx
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
Ace Fekay [MCT] SAP America (Newtown Squ... (MCC, Partner, MVP) 50,489 Points
Jazz125 Informa Plc 0 Points
You can use groups in any manner that you want as long as you are able to add that group to a resource's ACL. My blog provides a "best practice" explanation on how the groups were meant to be used by the Microsoft engineers who designed this whole thing. You don't have to follow their recommendations to achieve the same result; as a matter of fact many in the industry do not follow it and simply do what you're proposing. However, as you grow and hundreds of users are added over time, you will find that it becomes difficult to keep track of who's in what groups and has what access to where, based on not starting out with the recommendations. I've seen this in more than one installation where they started out as a 15 user system and have grown exponentially. That's why if you follow the best practice methods, it makes it much easier to keep track, whether you have a 40 user system, or a 4000 user system.
It's up to you how you want to use groups.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
Ace Fekay [MCT] SAP America (Newtown Squ... (MCC, Partner, MVP) 50,489 Points
Hi Mohan,
It's really a good explanation and a simple one... keep posting these kinds of good solutions...
Regards
S.Nithyanandham
Nithyanandham 9,295 Points