
We’ve had quite a few questions about the difference between Domain Local Groups, Domain Global groups and Domain Universal groups. So, here we go:
Domain Local groups
Domain local security groups are most often used to assign permissions for access to resources. You can assign these permissions only in the same domain where you create the domain local group. Members from any domain may be added to a domain local group. The domain local scope can contain user accounts, universal groups, and global groups from any domain. In addition, the scope can both contain and be a member of domain local groups from the same domain.
Best practice: use Domain Local Groups to grant access to resources, such as your file systems. The reason is that you can add Domain Global and Domain Universal groups from any domain to a Domain Local group.
Global groups
Global security groups are most often used to organize users who share similar network access requirements. Members can be added only from the domain in which the global group was created. A global group can be used to assign permissions for access to resources in any domain. The global scope can contain user accounts and global groups from the same domain, and can be a member of universal and domain local groups in any domain.
Best practice: use Domain Global Groups to organize users who share similar access requirements, and make them members of the Domain Local Groups you use to grant access to resources.
Universal groups
Universal security groups are most often used to assign permissions to related resources in multiple domains. Members from any domain may be added. Also, you can use a universal group to assign permissions for access to resources in any domain. Universal security groups are not available in mixed mode. The full feature set of Windows 2000 and later Microsoft NT-based operating systems is available only in native mode. The universal scope can contain user accounts, universal groups, and global groups from any domain. The scope can be a member of domain local or universal groups in any domain.
Best practice: use Domain Universal Groups when assigning permissions to related resources in multiple domains. Remember, though, that in forests with functional level 2003 or lower Domain Universal Groups are stored in their entirety in the Global Catalog, and are therefore replicated in their entirety across your Domain Controllers whenever you make a single change to them.
So, when to use what scope? First, let me emphasize that Microsoft still insists on the best practices described above.
The differences between the scopes go back to the good old NT4 days, when Microsoft networks consisted of only one domain. NT4 knew only domain local groups and global groups. Universal groups were created to support Active Directory and cross-domain membership, and in the early days they came at a price. Universal groups are stored in the global catalog, and if you change one, say by adding a member, the entire group is copied across your Active Directory (basically, all members are sent over the wire to every global catalog server, because the group's membership is stored as a single multi-valued attribute of the group).
But things have changed since Forest Functional Level 2003, because since then only the changes are replicated, which significantly reduces the cost of using universal groups.
So, if your hardware and network bandwidth are "reasonable" across the board (you don't have Global Catalog servers behind very slow network connections), there is no longer a reason to avoid using Universal Groups.
There is one thing you should not do, though: do not use global groups to grant access to resources, for the reason given above. You cannot add users, or domain local, global, or universal groups, from another domain to a global group, so if you create another domain in your forest, you cannot simply add users or groups from the new domain to your existing security structure.
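The best practices above (global group for the people, domain local group on the resource, global nested in domain local) as an added example using the ActiveDirectory PowerShell module; this is not code from the original post, and the OU path, NetBIOS domain name, group names, user names and share path are assumptions:

```powershell
# Added example: AGDLP setup plus a small nesting audit.
# All names below are assumptions; adjust to your own directory.
Import-Module ActiveDirectory

$ou     = 'OU=Groups,DC=example,DC=com'   # assumed OU for the new groups
$domain = 'EXAMPLE'                       # assumed NetBIOS domain name
$share  = '\\fs01\Finance'                # assumed resource to protect

# 1. Global group: organizes users with the same access requirement.
#    Its members can only come from this domain (see "Global groups" above).
New-ADGroup -Name 'G-Finance-Staff' -GroupScope Global -GroupCategory Security `
    -Path $ou -Description 'Finance staff who need Modify on \\fs01\Finance'
Add-ADGroupMember -Identity 'G-Finance-Staff' -Members 'alice', 'bob'   # assumed users

# 2. Domain local group: carries the permission on the resource.
#    It may contain global/universal groups from ANY domain, so a global
#    group from a future second domain can simply be nested here later.
New-ADGroup -Name 'DL-FinanceShare-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $ou -Description 'Modify rights on \\fs01\Finance'
Add-ADGroupMember -Identity 'DL-FinanceShare-Modify' -Members 'G-Finance-Staff'

# 3. The ACL entry goes on the domain local group only, never on the global group.
$acl  = Get-Acl -Path $share
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "$domain\DL-FinanceShare-Modify", 'Modify',
                  'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Audit: domain local groups should hold groups, not individual users.
# Direct user members mean access is being managed per person again.
Get-ADGroup -Filter 'GroupScope -eq "DomainLocal" -and GroupCategory -eq "Security"' -SearchBase $ou |
    ForEach-Object {
        $users = Get-ADGroupMember -Identity $_ | Where-Object objectClass -eq 'user'
        if ($users) {
            Write-Warning ('{0} has {1} direct user member(s): {2}' -f
                $_.Name, @($users).Count, (@($users).SamAccountName -join ', '))
        }
    }
```

Run it from a domain-joined session with RSAT installed and rights to create groups in the OU and to change the share's ACL.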
Tags
Domain Groups