In Active Directory, what are the differences between universal, global, and domain local groups?
Note: The following information is intended for registered local support providers (LSPs) at Indiana University. If you are an LSP and have questions regarding the information in this document, contact LSP Services at lsps@iu.edu; otherwise, contact your campus Support Center.
Domain local, global, and universal are group scopes, which allow you to use groups in different ways to assign permissions. The scope of a group determines from where in the network you can assign permissions to the group.
Domain local groups
Domain local security groups are most often used to assign permissions for access to resources. You can assign these permissions only in the same domain where you create the domain local group. Members from any domain may be added to a domain local group.
The domain local scope can contain user accounts, universal groups, and global groups from any domain. In addition, the scope can both contain and be a member of domain local groups from the same domain.
Global groups
Global security groups are most often used to organize users who share similar network access requirements. Members can be added only from the domain in which the global group was created. A global group can be used to assign permissions for access to resources in any domain. The global scope can contain user accounts and global groups from the same domain, and can be a member of universal and domain local groups in any domain.
Note: Groups created in the Active Directory at Indiana University should be global groups. Since there is a single ADS Domain at IU, this is the most appropriate group to use.
Universal groups
Universal security groups are most often used to assign permissions to related resources in multiple domains. Members from any domain may be added. Also, you can use a universal group to assign permissions for access to resources in any domain. Universal security groups are not available in mixed mode. The full feature set of Windows 2000 and later Microsoft NT-based operating systems is available only in native mode. The universal scope can contain user accounts, universal groups, and global groups from any domain. The scope can be a member of domain local or universal groups in any domain.
Note: Though it is possible to create universal groups in the Active Directory at IU, it is unnecessary because the ADS at IU is a single domain. Global groups are preferable because they use fewer resources.
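The containment rules above can be checked mechanically when reviewing group nesting in a multi-domain forest. The following is an added example, not part of the original IU document: it encodes the three scopes' membership rules as stated in this article and flags nestings that break them. The domain names CORP and LAB, the group and user names, and the helper names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str  # "user", "global", "universal" or "domain_local"

def nesting_allowed(member, group):
    """True if `member` may be added to `group` under the article's scope rules."""
    same_domain = member.domain == group.domain
    if group.kind == "domain_local":
        # Users, global and universal groups from any domain;
        # other domain local groups only from the same domain.
        if member.kind in ("user", "global", "universal"):
            return True
        return member.kind == "domain_local" and same_domain
    if group.kind == "global":
        # Only users and global groups from the group's own domain.
        return member.kind in ("user", "global") and same_domain
    if group.kind == "universal":
        # Users, global and universal groups from any domain; no domain local.
        return member.kind in ("user", "global", "universal")
    raise ValueError(f"{group.name} is not a group")

def audit(memberships):
    """Return (member, group) name pairs that break the scope rules."""
    return [(m.name, g.name) for m, g in memberships if not nesting_allowed(m, g)]

# Constructed sample data: two hypothetical domains, CORP and LAB.
alice = Principal("alice", "CORP", "user")
bob = Principal("bob", "LAB", "user")
corp_staff = Principal("CORP-Staff", "CORP", "global")
all_staff = Principal("All-Staff", "CORP", "universal")
share_rw = Principal("FileShare-RW", "CORP", "domain_local")
lab_share = Principal("LabShare-RW", "LAB", "domain_local")

SAMPLE = [
    (alice, corp_staff),      # allowed
    (bob, corp_staff),        # user from another domain into a global group
    (corp_staff, all_staff),  # allowed
    (all_staff, share_rw),    # allowed
    (share_rw, all_staff),    # domain local group into a universal group
    (lab_share, share_rw),    # domain local group from another domain
    (all_staff, corp_staff),  # universal group into a global group
]

if __name__ == "__main__":
    for member, group in audit(SAMPLE):
        print(f"invalid nesting: {member} -> {group}")
```
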
Also see:
- At IU, what naming conventions are recommended for Windows computers and groups?
- In Windows 2000 or XP, how do I share a folder, printer, or drive on the network?
- In Microsoft Active Directory, what are security and distribution groups?
- In the IU Active Directory, how do I create groups?
- In the IU Active Directory, how do I manage groups?
- At IU, in the ADS Domain, how should I search for users, groups, computers, and other ADS objects?
- In Windows 2000, why can't I remove an ADS user account from a local group?
- In IU's Active Directory, what is the correct way to rename groups?
- On a computer, what are administrators and administrative rights?
Last modified on March 07, 2007.






