What are the differences between Universal, Global, and Domain Local Group Scopes

Here is a broad description of the various scopes of Active Directory Groups.

Universal Groups: Universal security groups are most often used to assign permissions to related resources in multiple domains. Members from any domain may be added. 

Provide a simple ‘does everything’ group suitable mainly for small networks. Typically, organizations using WANs should use Universal groups only for relatively static groups in which memberships change rarely. Changes in membership will impose global catalog replication throughout an entire enterprise.

Global Groups: Global security groups are most often used to organize users who share similar network access requirements. Provide domain-centric membership, place all user accounts into Global groups. Global groups can be nested within other Global groups, this can be particularly useful when delegating OU administrative functionality. 

It can be useful to give each Global group a name that is meaningful to the staff involved, i.e. matching the name of a Team or a Project, particularly if the group is also to be used as an email distribution list.

1. Members can be added only from the domain in which the global group was created. A global group can be used to assign permissions for access to resources in any domain.
2. The global scope can contain user accounts and global groups from the same domain, and can be a member of universal and domain local groups in any domain.

Domain Local Groups: Often used to assign permissions for access to resources. I.e. direct assignment or access (permissions) on files and printer etc.

It can be useful to give each Domain Local group a name that is meaningful to the IT Operations team e.g. if a group assigns rights to a shared folder on a specific server then the group name might include a prefix or suffix indicating the server name.

1. You can assign these permissions only in the same domain where you create the Domain Local Group. Members from any domain may be added to a domain local group.
2. The domain local scope can contain user accounts, universal groups, and global groups from any domain. In addition, the scope can both contain and be a member of domain local groups from the same domain.

Local groups: Stored on the local SAM (Local Computer) use for security settings that apply just to this one machine. Local groups will work even if the network becomes unavailable, e.g. during a disaster recovery exercise.

Types of Groups:
1. Security Groups: are used to control access to resources.
Security groups can also be used as email distribution lists.

2. Distribution Groups: Can be used only for email distribution lists, or simple administrative groupings. Distribution groups cannot be used for access control because they are not “security enabled.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Buy me a coffeeBuy me a coffee

Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x