The scope of a group identifies the extent to which the group is applied throughout the domain tree or forest. There are four group scopes: local groups, domain local groups, global groups, and universal groups.
• Local groups can contain user accounts from the local machine, user accounts from the domain the local machine is joined to, or user accounts from any trusted domains of the domain the computer is joined to. Only local groups can manage permissions for local resources.
• Domain local groups can include other groups and user and/or computer accounts from Windows Server 2003, Windows 2000 Server, and Windows NT domains. Domain local groups can be assigned permissions only for the domain in which the group is defined. Thus, domain local groups can be used to manage access to resources within a domain.
• Global groups can include other groups and user and/or computer accounts from only the domain in which the group is defined. Global groups can be assigned permissions for any domain in the forest. Global groups are not replicated beyond the boundaries of their own domains, so changes can be made to global group members without creating large amounts of replication traffic to the Global Catalog servers. Permissions and user rights that are assigned to global groups are only valid in the domain in which they are assigned.
• Universal groups can include other groups and user and/or computer accounts from any domain in the domain tree or forest. Permissions for any domain in the domain tree or forest can be assigned to universal groups. Universal groups are only available if your domain functional level is set to the Windows 2000 native domain functional level. Universal groups are best used to consolidate global groups into one location. Since user accounts are added to the global groups, membership changes in the global groups do not have an effect on the universal group.
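The following is an added example, not part of the original article: it checks a planned group layout against two of the rules above before the groups are provisioned (global groups take members only from their own domain, and user accounts belong in global groups rather than directly in universal groups). The group names, domains and the `SAMPLE` plan are constructed; the scope bits are those of the Active Directory `groupType` attribute.

```python
from typing import NamedTuple

# Scope bits of the Active Directory groupType attribute.
SCOPE_BITS = {0x2: "global", 0x4: "domain local", 0x8: "universal"}

class Member(NamedTuple):
    name: str
    kind: str    # "user", "computer" or "group"
    domain: str

def scope_of(group_type: int) -> str:
    """Decode the scope from groupType (LDAP exports show it as a signed int)."""
    for bit, scope in SCOPE_BITS.items():
        if group_type & bit:
            return scope
    raise ValueError(f"no scope bit set in groupType {group_type}")

def audit(group: str, domain: str, group_type: int, members: list) -> list:
    """Return findings for one planned group, using the scope rules above."""
    scope, findings = scope_of(group_type), []
    for m in members:
        # Global groups may only contain members from their own domain.
        if scope == "global" and m.domain != domain:
            findings.append(f"{group}: global group lists {m.name} from "
                            f"{m.domain}; only {domain} members are allowed")
        # Users go into global groups; universal groups consolidate those.
        if scope == "universal" and m.kind == "user":
            findings.append(f"{group}: user {m.name} is a direct member of a "
                            "universal group; use a global group instead")
    return findings

# Constructed sample plan: (group, domain, groupType, members)
SAMPLE = [
    ("GG-Finance", "corp.example", -2147483646,
     [Member("alice", "user", "corp.example"),
      Member("bob", "user", "emea.example")]),
    ("UG-AllFinance", "corp.example", -2147483640,
     [Member("GG-Finance", "group", "corp.example"),
      Member("carol", "user", "corp.example")]),
    ("DL-FinanceShare-RW", "corp.example", -2147483644,
     [Member("UG-AllFinance", "group", "corp.example")]),
]

def audit_all(plan=SAMPLE) -> list:
    """Audit every group in the plan and return all findings in order."""
    return [finding for entry in plan for finding in audit(*entry)]

if __name__ == "__main__":
    print("\n".join(audit_all()))
```
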