
8/11/2018 Active Directory Group Scope - Local Domain, Global Group, Universal Group

Active Directory Group Scope - Local Domain, Global Group, Universal Group

Answered by: Jesper Stahle (Partner, joined May 2008, 165 Points, Top 10%)

Question

Hello gurus,


I know there have been enough articles about the difference of these 3 group scopes on the Internet,
but I still can't understand the difference between them. Can someone here be kind enough to explain
them in the simplest way with examples, please? Thank you in advance.
Thank you, msdn =) 99.9% of my questions have been answered :D

Monday, May 9, 2011 7:35 AM

OneWay85 190 Points

Answers

https://social.technet.microsoft.com/Forums/windows/en-US/58543e21-1a66-4844-aba0-d37740e2248b/active-directory-group-scope-local-domain-gl… 1/10

There are three different group scopes: domain local, global and universal. The scope decides who can
be a member of the group and where the group can be used. These are the three group scopes and a
"Can Contain Matrix" for each:

1. Domain Local Groups: These groups are only visible in their own domain. For that reason, domain
local security groups can be used to grant rights and permissions only on resources that reside in the
same domain where the domain local group is located. Domain local groups can contain domain local
groups only from the same domain, but users, computers and all other group types from the same
domain and trusted domains (all domains in the forest). Use domain local groups for assigning
permissions to resources in their home domain.
CAN CONTAIN: Domain Local Groups from its own domain, Global Groups from trusted domains and
any domain in the forest, Universal Groups from trusted domains and any domain in the forest.

2. Global Groups: These groups are visible throughout the forest, but can only contain accounts and
global groups from the same domain. The group itself can be a member of universal and domain local
groups in any domain, and of global groups in its own domain. These groups should be used to organize
users who share the same job tasks or department, etc. You should not assign permissions directly to
global groups; domain local groups are more appropriate for that.
CAN CONTAIN: Global Groups from its OWN domain.

3. Universal Groups: These groups are visible throughout the forest and can contain accounts, global
groups and other universal groups from any domain in the forest (they cannot contain domain local
groups). Universal groups should be used to nest global groups. By doing that, the group can assign
permissions to resources in multiple domains.
CAN CONTAIN: Global Groups from any domain in the forest, Universal Groups from any domain in
the forest.

Jesper Ståhle MCT, MCITP:EA+EST, MCSA+M

Edited by Jesper Stahle Monday, May 9, 2011 7:49 AM Text Formatting

Marked as answer by OneWay85 Monday, May 9, 2011 5:10 PM

Monday, May 9, 2011 7:45 AM

Jesper Stahle Avanade (Partner) 165 Points

Hi,
Here are my thoughts on this..
Domain Local - You can add members from any domain in your forest, but you can give them access
to the resources which are available only in the domain where you create this DL.
Global - You can add members only from the domain where you create this DL, and this DL can be
given access to any resources in any other domains in the forest.
For example, you have Domain A and B. Your users in domain A need to access a resource in Domain B.
How to accomplish this?
From your domain A, create a Global DL; create a Domain Local DL in domain B. Add Domain
A's Global DL as a member of Domain B's Domain Local Group. Give access to the resource in
Domain B. It's done..
Universal - Add members from any domain, access resources in any domain of the forest.
Hope it helps.. :)

Regards, Mohan R Sr. Administrator - Server Support

Marked as answer by OneWay85 Monday, May 9, 2011 5:11 PM

Monday, May 9, 2011 11:45 AM

Server Engineer 1,995 Points


Hello,
the first differences are:
Possible members of the group
Possible conversion of the group
The permissions that can be assigned to the group
Have a look at this, as it will explain more to you:

Group scope: Universal
  Group can include as members:
    - Accounts from any domain within the forest in which this Universal Group resides
    - Global groups from any domain within the forest in which this Universal Group resides
    - Universal groups from any domain within the forest in which this Universal Group resides
  Group can be assigned permissions in:
    - Any domain or forest

Group scope: Global
  Group can include as members:
    - Accounts from the same domain as the parent global group
    - Global groups from the same domain as the parent global group
  Group can be assigned permissions in:
    - Member permissions can be assigned in any domain

Group scope: Domain local
  Group can include as members:
    - Accounts from any domain
    - Global groups from any domain
    - Universal groups from any domain
    - Domain local groups, but only from the same domain as the parent domain local group
  Group can be assigned permissions in:
    - Member permissions can be assigned only within the same domain as the parent domain local group

For the use of the groups with different scopes, refer to this Microsoft
article: http://technet.microsoft.com/en-us/library/cc755692(v=WS.10).aspx

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure,
Configuration

Proposed as answer by Meinolf Weber Monday, May 9, 2011 10:45 AM

Marked as answer by OneWay85 Monday, May 9, 2011 5:10 PM

Monday, May 9, 2011 7:43 AM

Mr X INSEAD (MCC, MVP) 150,381 Points
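The three answers above state the same nesting rules in different words: Jesper's "Can Contain Matrix", Mohan's Domain A / Domain B walkthrough, and the table in this post. The following Python block is an added example, not code from any of the posters or from Microsoft. It encodes those rules for a single forest (every domain trusting every other), refuses the combinations the answers rule out, and replays Mohan's scenario of nesting a global group from Domain A into a domain local group in Domain B and granting that group access to a resource in B. The domain names (a.example, b.example), the group and account names and the share are constructed for the demo and are not taken from the thread.

```python
"""Model of the group-scope nesting rules described in this thread.

Added example: this is not code from any of the posts above or from
Microsoft. It encodes the "can contain" rules from the answers (one forest,
every domain trusting every other) and replays the Domain A / Domain B
scenario: a global group in A nested into a domain local group in B, which
is then put on the ACL of a resource in B. All domain, group, account and
share names are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "DomainLocal", "Global", "Universal"


@dataclass(frozen=True)
class Account:
    name: str
    domain: str


@dataclass
class Group:
    name: str
    domain: str
    scope: str
    members: list = field(default_factory=list)


def can_contain(parent: Group, member: Account | Group) -> tuple[bool, str]:
    """Return (allowed, reason) for adding `member` to `parent`.

    Domain local: accounts, global and universal groups from any domain in the
                  forest; other domain local groups only from its own domain.
    Global:       accounts and global groups from its own domain only.
    Universal:    accounts, global and universal groups from any domain in the
                  forest; never domain local groups.
    """
    same_domain = member.domain == parent.domain
    if isinstance(member, Account):
        if parent.scope == GLOBAL and not same_domain:
            return False, "a global group only takes accounts from its own domain"
        return True, "ok"
    if parent.scope == DOMAIN_LOCAL:
        if member.scope == DOMAIN_LOCAL and not same_domain:
            return False, "a domain local group only nests domain local groups from its own domain"
        return True, "ok"
    if parent.scope == GLOBAL:
        if member.scope != GLOBAL or not same_domain:
            return False, "a global group only nests global groups from its own domain"
        return True, "ok"
    if member.scope == DOMAIN_LOCAL:  # parent is universal
        return False, "a universal group cannot contain domain local groups"
    return True, "ok"


def add_member(parent: Group, member: Account | Group) -> None:
    """Enforce the rule before nesting, the way the directory refuses a disallowed add."""
    allowed, reason = can_contain(parent, member)
    if not allowed:
        raise ValueError(f"cannot add {member.name} to {parent.name}: {reason}")
    parent.members.append(member)


def usable_in_acl(group: Group, resource_domain: str) -> bool:
    """A domain local group only appears in ACLs of its own domain; the others anywhere."""
    return group.scope != DOMAIN_LOCAL or group.domain == resource_domain


def effective_accounts(group: Group) -> set[Account]:
    """Flatten nested membership: the accounts that actually receive the permission."""
    out: set[Account] = set()
    for m in group.members:
        out |= {m} if isinstance(m, Account) else effective_accounts(m)
    return out


def rejected_nestings() -> list[str]:
    """The four combinations the answers say are not allowed (constructed names)."""
    dl_a = Group("DL-A", "a.example", DOMAIN_LOCAL)
    dl_b = Group("DL-B", "b.example", DOMAIN_LOCAL)
    g_a = Group("G-A", "a.example", GLOBAL)
    g_b = Group("G-B", "b.example", GLOBAL)
    u = Group("U-Forest", "a.example", UNIVERSAL)
    bob = Account("bob", "b.example")
    attempts = [(dl_a, dl_b), (g_a, bob), (g_a, g_b), (u, dl_a)]
    return [f"{p.name} <- {m.name}: {can_contain(p, m)[1]}"
            for p, m in attempts if not can_contain(p, m)[0]]


def agdlp_demo() -> dict:
    """Users in Domain A need a resource in Domain B (Mohan's scenario, constructed names)."""
    alice = Account("alice", "a.example")
    g_sales = Group("G-Sales", "a.example", GLOBAL)              # global group in A
    dl_read = Group("DL-Share-Read", "b.example", DOMAIN_LOCAL)  # domain local group in B
    add_member(g_sales, alice)
    add_member(dl_read, g_sales)  # A's global group into B's domain local group
    share_domain = "b.example"    # constructed resource \\fs1.b.example\share lives in B
    acl: list[Group] = []
    if usable_in_acl(dl_read, share_domain):
        acl.append(dl_read)       # the permission is granted to the domain local group
    granted = set().union(*(effective_accounts(g) for g in acl))
    return {
        "alice_has_access": alice in granted,
        "dl_usable_in_domain_a": usable_in_acl(dl_read, "a.example"),
        "granted_accounts": sorted(a.name for a in granted),
    }


if __name__ == "__main__":
    print(agdlp_demo())
    print("\n".join(rejected_nestings()))
```

Running the file prints the outcome of the two-domain walkthrough and the four nestings the rules reject. The `effective_accounts` flattening is the part worth keeping in mind when reviewing access: every account reachable through the nested chain below a domain local group receives whatever that group is granted, so the chain is what an access review has to walk.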


I presume Ace Fekay has used examples & pictures to explain groups & scope in the link below.
http://social.technet.microsoft.com/Forums/en/winserverDS/thread/fa66b5c5-3ed3-4700-b479-e036577e110b

Regards

Awinish Vishwakarma | CHECK MY BLOG

Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Marked as answer by OneWay85 Monday, May 9, 2011 5:03 PM

Monday, May 9, 2011 7:41 AM Moderator

Awinish (Partner) 61,805 Points

All replies


> I presume Ace Fekay has used examples & pictures to explain groups & scope in the link below.
> http://social.technet.microsoft.com/Forums/en/winserverDS/thread/fa66b5c5-3ed3-4700-b479-e036577e110b
>
> Regards
>
> Awinish Vishwakarma | CHECK MY BLOG
>
> Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

The example given by Ace is very good! It helps me very much. Thank you Awinish!

Thank you, msdn =) 99.9% of my questions have been answered :D

Monday, May 9, 2011 5:04 PM

OneWay85 190 Points

Thank you all for being so helpful, much appreciated :)

Thank you, msdn =) 99.9% of my questions have been answered :D

Monday, May 9, 2011 5:11 PM

OneWay85 190 Points

Pleasure to help you..:)

Regards

Awinish Vishwakarma | CHECK MY BLOG

Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Tuesday, May 10, 2011 1:59 AM Moderator

Awinish (Partner) 61,805 Points

Thanks Mr. Mohan. It's really helpful, especially the example. Keep it up. Good luck.

Tuesday, May 17, 2011 10:52 AM

Unic0rn1 5 Points

I am confused: can we use a universal group to assign permissions in a trusted forest, and can we add
members from a trusted forest to a domain local group?

Tuesday, May 17, 2011 11:50 AM

Abhay Tyagi Adore Infotech Pvt. Ltd. 45 Points


So, which 0.01% is left? :-)

Thursday, January 17, 2013 8:36 PM

Ludvig.S Independent IT Consultant 50 Points

I realize I'm showing up late for the party and this thread was answered; however, I wanted to offer my
blog with a good explanation of how this whole mess works, with an easy-to-follow example:
Using Group Nesting Strategy - AD Best Practices for Group Strategy
Published by acefekay on Jan 6, 2012 at 10:34 PM
http://msmvps.com/blogs/acefekay/archive/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy.aspx

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.

Friday, January 18, 2013 4:24 AM


Ace Fekay [MCT] SAP America (Newtown Squ... (MCC, Partner, MVP) 50,489 Points

Thanks Ace. Just one thing...


Is there any disadvantage in using a Universal Group for assigning rights to a network resource rather
than using a Domain Local Group? Especially, if it's a single-domain forest?
Also, even in say a three domain forest, rather than create three separate domain local groups for
resources residing on each domain, could you not use a universal group?

Thanks (this is making my head hurt).
Jazz

Tuesday, May 14, 2013 11:02 AM

Jazz125 Informa Plc 0 Points


> Thanks Ace. Just one thing...
>
> Is there any disadvantage in using a Universal Group for assigning rights to a network resource
> rather than using a Domain Local Group? Especially, if it's a single-domain forest?
> Also, even in say a three domain forest, rather than create three separate domain local groups for
> resources residing on each domain, could you not use a universal group?
>
> Thanks (this is making my head hurt).
> Jazz

You can use groups in any manner that you want as long as you are able to add that group to a
resource's ACL. My blog provides a "best practice" explanation on how the groups were meant to be
used by the Microsoft engineers who designed this whole thing. You don't have to follow
their recommendations to achieve the same result; as a matter of fact, many in the industry do not follow
it and simply do what you're proposing. However, as you grow and hundreds of users are added over
time, you will find that it becomes difficult to keep track of who's in what groups and has what access
to where, based on not starting out with the recommendations. I've seen this in more than one
installation where they started out as a 15 user system and have grown exponentially. That's why if
you follow the best practice methods, it makes it much easier to keep track, whether you have a 40
user system or a 4000 user system.
It's up to you how you want to use groups.

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.

Tuesday, May 14, 2013 1:11 PM


Ace Fekay [MCT] SAP America (Newtown Squ... (MCC, Partner, MVP) 50,489 Points

Great, thanks for confirming so quickly Ace! Much appreciated.

Edited by Jazz125 Tuesday, May 14, 2013 2:39 PM

Tuesday, May 14, 2013 2:35 PM

Jazz125 Informa Plc 0 Points

Hi Mohan,
It's really a good explanation and a simple one... keep posting these kinds of good
solutions...
Regards
S.Nithyanandham

Monday, July 8, 2013 5:36 AM

Nithyanandham 9,295 Points
