
Difference between Domain Local, Global and Universal Group

Discussion in 'Windows Server 2003 / 2008 / 2012 / 2016' started by rpenri, Nov 18, 2011.

  1. rpenri

    rpenri New Member

    Hi, I am trying to comprehend the concept of global scopes and was wondering if anyone would care to explain to me in layman's terms the difference between them.

    This is what I know:

    Domain Local: Domain local groups are used to assign permissions to local
    resources such as files and printers. Members can come from any domain.

    Global: Members of this group can access resources in any domain. Members
    can only come from the local domain.

    Universal: Members can be added from any domain in the forest. Members can
    access resources from any domain. Universal groups are used for managing
    the security across domains. Universal groups can also contain global
    groups. Universal groups are only available in the domains having
    functional level Windows 2000 native or Windows Server 2003.

    So, the question is, when would you be placed into a domain local group, global or universal group? What typical user/role is added to a domain local, global or universal group?

    Why put someone in a domain local group, versus global or universal?

    Also, why would you want to convert one group to another? What scenario would require you to do that?

    Last edited: Nov 18, 2011
  2. soundian

    soundian Gigabyte Poster

    Group scope: Active Directory
    Certifications: A+, N+, MCDST, MCTS(680), MCP(270, 271, 272), ITILv3F, CCENT
    WIP: Knuckling down at my new job
  3. TheMagician

    TheMagician Nibble Poster

    Your post covers loads of questions. The technet article above will no doubt go into great detail.

    But in reference to your particular point above, it is advised that if the situation requires a Universal group, then users are placed in global groups and that global group is then nested in a universal group. The idea being to cut down on replication traffic when changes are made to the universal group's membership.

    Microsoft is a big fan of AGDLP for access control purposes. AGDLP - Wikipedia, the free encyclopedia is worth a read.
    Certifications: MCSA 2012, MCITP: EA, SA, ITIL
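The AGDLP chain described above (Accounts into a Global group, the Global group nested in a Domain Local group, Permissions granted to the Domain Local group), as an added PowerShell example that is not part of this thread. It uses only the ActiveDirectory module cmdlets and standard .NET ACL types; the OU path, group names, user names, domain name and share path are all assumed for illustration. It also includes a small check that the domain local group holds no user accounts directly, which is the usual way the AGDLP pattern gets broken in practice.

```powershell
# Added example (not from the thread): building an AGDLP chain with the
# ActiveDirectory module. OU, group names, users, domain and share path are assumed.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example'   # assumed OU for the new groups

# A -> G: accounts go into a Global group (members must come from this domain)
New-ADGroup -Name 'G-Finance-Staff' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'G-Finance-Staff' -Members 'alice', 'bob'   # constructed sample users

# DL: the Domain Local group is the object that gets the ACL on the resource
New-ADGroup -Name 'DL-FinanceShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou

# G -> DL: nest the global group, not individual users, in the domain local group
Add-ADGroupMember -Identity 'DL-FinanceShare-Modify' -Members 'G-Finance-Staff'

# P: grant the permission once, to the domain local group, on the share (assumed path)
$share = '\\fs01\Finance'
$acl   = Get-Acl -Path $share
$rule  = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'CORP\DL-FinanceShare-Modify',      # identity (assumed NetBIOS domain)
    'Modify',                           # FileSystemRights
    'ContainerInherit,ObjectInherit',   # InheritanceFlags: apply to subfolders and files
    'None',                             # PropagationFlags
    'Allow'                             # AccessControlType
)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check: a domain local group used for AGDLP should contain only groups. Direct user
# members mean someone bypassed the global group and the chain is no longer auditable
# from the account side.
function Test-AgdlpDomainLocalGroup {
    param([Parameter(Mandatory)][string]$GroupName)
    $direct = Get-ADGroupMember -Identity $GroupName          # non-recursive: direct members only
    $users  = $direct | Where-Object { $_.objectClass -eq 'user' }
    if ($users) {
        Write-Warning "$GroupName has direct user members: $($users.SamAccountName -join ', ')"
        return $false
    }
    return $true
}

Test-AgdlpDomainLocalGroup -GroupName 'DL-FinanceShare-Modify'   # True for the chain built above

# Effective membership, resolved through the nesting, for review
Get-ADGroupMember -Identity 'DL-FinanceShare-Modify' -Recursive | Select-Object SamAccountName, objectClass
```

Run the audit function against every domain local group (for example by piping `Get-ADGroup -Filter { GroupScope -eq 'DomainLocal' }` into it) to find where the pattern has drifted; the permission on the share never needs to change when staff join or leave, only the membership of the global group does.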
  4. Shinigami

    Shinigami Megabyte Poster

    Improvements have been brought to Universal Group replication if you're using the latest OS for your Directory Services. It no longer requires replicating all members of the group if you add another one.

    Microsoft's recommendation these days is to try and move to Universal Groups, and many of the latest products will in fact create Universal Groups by default when you extend the Schema or start an installation of the product in question (say Exchange 2010).
    Certifications: MCSE, MCITP, MCDST, MOS, CIW, Comptia
    WIP: Win7/Lync2010/MCM
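Moving an existing global group to universal scope, as mentioned above and asked about in the original post, as an added PowerShell example that is not part of this thread. Active Directory refuses the conversion while the global group is still a member of another global group (a global group may not contain universal groups), so the function checks that first and reports the blocking parents instead of failing on `Set-ADGroup`. The group name is assumed.

```powershell
# Added example (not from the thread): converting a Global group to Universal with the
# ActiveDirectory module after checking the nesting rule that blocks the conversion.
# The group name is assumed.
Import-Module ActiveDirectory

function Convert-GlobalGroupToUniversal {
    param([Parameter(Mandatory)][string]$GroupName)

    # MemberOf is not in the default property set, so request it explicitly
    $g = Get-ADGroup -Identity $GroupName -Properties MemberOf
    if ($g.GroupScope -ne 'Global') {
        throw "$GroupName has scope $($g.GroupScope), not Global"
    }

    # Conversion is refused while this group is nested in any other Global group
    $blockingParents = foreach ($dn in $g.MemberOf) {
        $parent = Get-ADGroup -Identity $dn
        if ($parent.GroupScope -eq 'Global') { $parent.Name }
    }
    if ($blockingParents) {
        Write-Warning "Cannot convert $GroupName; it is a member of global group(s): $($blockingParents -join ', ')"
        return $false
    }

    # Universal group membership is stored in the global catalog, so after this change
    # membership edits are replicated to every GC in the forest
    Set-ADGroup -Identity $GroupName -GroupScope Universal
    return $true
}

Convert-GlobalGroupToUniversal -GroupName 'G-Finance-Staff'
```

The converse checks apply in the other directions: a universal group cannot become global while it contains other universal groups, and a domain local group cannot become universal while it contains other domain local groups, so the same pattern of inspecting members (rather than `MemberOf`) applies there.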
  5. onoski

    onoski Terabyte Poster

    That is absolutely true as the groups I created at work automatically default to global group. Thanks for the clarification :)
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  6. rpenri

    rpenri New Member

    Okay, thanks all for the replies. I will read the article from the link and try to digest it. Hopefully, it can give me a better understanding of it because the book I'm reading now doesn't delve too much into the specifics of group scopes.

    Thanks to the Magician for clearing up the little detail over what the purpose is...I didn't know or realize that replication is the main issue. Thanks to Soundian for the link...sometimes just Googling stuff doesn't help because without knowing the correct search term or whatever, it's hard to find information that will help answer your questions.

    I'm reading a 2003 Server book, but only to cover the old technology before reading stuff on the newer tech.

  7. soundian

    soundian Gigabyte Poster

    No problem dude. I doubt anyone will run into your office and shout "Quick, we need to change this Global Group to a Domain Local Group ASAP or people are going to die!". However they do need to test us n00bs on something which shows some sort of understanding of the structure. I actually have those pages printed out and they travel with me to work every day.

    Pity I never remember I have them until about 3 minutes from my stop.
    Certifications: A+, N+, MCDST, MCTS(680), MCP(270, 271, 272), ITILv3F, CCENT
    WIP: Knuckling down at my new job