Group Scopes in Active Directory

Scope is the range over which a group extends across a domain, tree, or forest. The scope determines the level of security that applies to a group, which users can be added to its membership, and the resources that they will have permission to access. As we'll discuss in the sections that follow, Active Directory provides three different scopes for groups:

Universal

Universal groups have the widest scope of the three group scopes. A universal group can contain accounts and groups from any domain in the forest, and can be assigned permissions to resources in any domain in the forest. In other words, it is all-encompassing within any part of the forest.

Whether a universal security group can be used depends on the functional level that the domain has been set to. Domains that have the functional level set to Windows 2000 mixed won't allow universal security groups to be created. However, if the domain functional level is Windows 2000 native or Windows Server 2003, then universal security groups can be created. In this situation, the group can contain user accounts, global groups, and universal groups from any domain in the forest, and be assigned permissions to resources in any domain. Universal distribution groups can be used at any functional level, including Windows 2000 mixed.

Universal groups can be converted to groups with a lesser scope. Provided the group doesn't contain any universal groups as members, a universal group can be converted to a global group or a domain local group. If universal groups are members of the universal group that's being converted, you won't be able to perform the conversion until those members are removed.

Universal groups are stored in the global catalog (GC), along with their membership lists. Because of this, any change in membership triggers forest-wide replication. To limit the impact of this type of replication, Microsoft recommends using relatively static members (such as global groups) in these groups.

Global

Global groups have a narrower scope than universal groups. A global group can contain accounts and groups from the domain in which it is created, and be assigned permissions to resources in any domain in a tree or forest. Because it only applies to the domain in which it's created, this type of group is commonly used to organize accounts that have similar access requirements.

As we saw with universal groups, however, the members that can be part of a global group depend on the domain functional level. If the functional level of the domain is set to Windows 2000 mixed, then the membership of a global group can only consist of user accounts from the same domain. If the functional level of the domain is set to Windows 2000 native or Windows Server 2003, then the global group can have user accounts and other global groups from the same domain as members. User accounts and global groups from other domains cannot become members of a global group.

Global groups can also be converted into a universal group, provided that the global group isn't a member of any other global groups. If other global groups are members of the global group, then these must be removed before the conversion can take place. The domain functional level must be Windows 2000 native or Windows Server 2003 to convert to a universal security group.

Domain Local

Domain local groups also have a scope that extends to the local domain, and are used to assign permissions to local resources. The difference between domain local and global groups is that user accounts, global groups, and universal groups from any domain can be added to a domain local group. Because of its limited scope, however, members can only be assigned permissions within the domain in which this group is created.

As you might expect from the two previous scopes, the abilities of a domain local group depend on the domain functional level. If the functional level is set to Windows 2000 mixed, then the domain local group can only contain user accounts and global groups from any domain; at this level it cannot contain universal groups, even on Windows Server 2003. If the functional level is set to Windows 2000 native or Windows Server 2003, then the domain local group can contain user accounts and global groups from any domain, as well as universal groups. In addition, it can contain other domain local groups from the same domain. These abilities, however, have no impact on permissions. In all cases, permissions can only be assigned to resources in the local domain.

Domain local groups can be converted to a universal group, provided that there are no other domain local groups in its membership. If the domain local group does have other domain local groups as members, then these must be removed from the membership before a conversion is made.
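The three conversion rules above (universal to global or domain local, global to universal, and domain local to universal) can be checked against a group's actual nesting before the scope is changed. The following is an added example written for this article, not code from the original text or from Microsoft; it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), uses a placeholder group name, and does not check the domain functional level condition.

```powershell
# Added example: test the membership conditions the article gives for a scope change,
# before calling Set-ADGroup -GroupScope. Group name 'Sales-Universal' is a placeholder.
Import-Module ActiveDirectory

function Test-GroupScopeConversion {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Global', 'Universal', 'DomainLocal')][string]$TargetScope
    )
    $group = Get-ADGroup -Identity $Identity -Properties MemberOf
    # Nested groups with their scopes; user and computer members never block a conversion.
    $nested = Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'group' |
              ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName }
    $blockers = @()

    switch ("$($group.GroupScope)->$TargetScope") {
        # Universal -> Global or Domain Local: no universal groups may be members.
        { $_ -like 'Universal->*' } {
            $blockers = $nested | Where-Object GroupScope -eq 'Universal' |
                        ForEach-Object { "member: $($_.Name)" }
            break
        }
        # Global -> Universal: the group itself must not be a member of another global group.
        'Global->Universal' {
            $blockers = $group.MemberOf | ForEach-Object { Get-ADGroup -Identity $_ } |
                        Where-Object GroupScope -eq 'Global' |
                        ForEach-Object { "member of: $($_.Name)" }
            break
        }
        # Domain Local -> Universal: no other domain local groups may be members.
        'DomainLocal->Universal' {
            $blockers = $nested | Where-Object GroupScope -eq 'DomainLocal' |
                        ForEach-Object { "member: $($_.Name)" }
            break
        }
        default { throw "Conversion $_ is not one the article describes" }
    }

    [pscustomobject]@{
        Group        = $group.Name
        CurrentScope = "$($group.GroupScope)"
        TargetScope  = $TargetScope
        CanConvert   = (@($blockers).Count -eq 0)
        Blockers     = @($blockers)
    }
}

$result = Test-GroupScopeConversion -Identity 'Sales-Universal' -TargetScope Global
$result | Format-List
if ($result.CanConvert) { Set-ADGroup -Identity 'Sales-Universal' -GroupScope Global }
```

Run the function on its own first; it only reads the directory, and the final Set-ADGroup line is the only write.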
