Help understanding Group Scopes

xkaijinxxkaijinx Member Posts: 90 ■■□□□□□□□□
Hi all, I am very confused on understanding each of the group scopes: Global, Domain local, and Universal

My current understanding is...

Global - Can only use user/group accounts from the same domain, yet these can access resources throughout all domains in the forest
Domain Local - Can only use user accounts from same domain, but can use groups from any domain in the forest. Can only use resources in the same domain it exists
Universal - Can use user/group accounts from any domain in the forest, can use resources from anywhere in the forest.

Just still feel hazy on this, any tips much appreciated!


  • Options
    jmritenourjmritenour Member Posts: 565
    Almost - domain local can include accounts as well as groups from any domain in the forest.

    It sounds over complicated, but best design is to place accounts into global groups in their respective domain, then place the global groups from the different domains into a domain local group in the domain the resource resides. That way, you are keeping accounts in a group that is native to their domain, and only granting access to resources from a group that is native to it's domain.

    Universal groups, when used, should be placed in between the global and domain local group.

    More info, as well as scenarios for the various scopes can be found at Group scope: Active Directory
    "Start by doing what is necessary, then do what is possible; suddenly, you are doing the impossible." - St. Francis of Assisi
Sign In or Register to comment.