ARCHIVED: In Active Directory, what are the differences between universal, global, and domain local groups?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

Note: This information is intended for registered local support providers (LSPs) at Indiana University. If you are an IU LSP and have questions regarding this content, email UITS Tier 2 Support; otherwise, contact your campus Support Center.

Domain local, global, and universal are group scopes, which allow you to use groups in different ways to assign permissions. The scope of a group determines from where in the network you can assign permissions to the group.

Domain local groups

Domain local security groups are most often used to assign permissions for access to resources. You can assign these permissions only in the same domain where you create the domain local group. Members from any domain may be added to a domain local group.

The domain local scope can contain user accounts, universal groups, and global groups from any domain. In addition, the scope can both contain and be a member of domain local groups from the same domain.

Global groups

Global security groups are most often used to organize users who share similar network access requirements. Members can be added only from the domain in which the global group was created. A global group can be used to assign permissions for access to resources in any domain. The global scope can contain user accounts and global groups from the same domain, and can be a member of universal and domain local groups in any domain.

Universal groups

Universal security groups are most often used to assign permissions to related resources in multiple domains. Members from any domain may be added. Also, you can use a universal group to assign permissions for access to resources in any domain. Universal security groups are not available in mixed mode. The full feature set of Windows 2000 and later Microsoft NT-based operating systems is available only in native mode. The universal scope can contain user accounts, universal groups, and global groups from any domain. The scope can be a member of domain local or universal groups in any domain.

Note: While there is no requirement to create any particular type of group in Active Directory at IU, UITS recommends that Global or Universal groups be used in all cases. Universal groups are required for mail-enabled groups (distribution lists).

This is document ahrl in the Knowledge Base.
Last modified on 2021-09-07 17:14:54.