1.1.1.4.1 Group Scope

The scope of a group can be local or global depending on the portion of the network in which the group is granted rights and permissions. Starting with Windows 2000 operating system, Windows provides four levels of scope for security groups:

Universal groups: These groups can contain members from any domain and can be granted permissions to resources in any domain in a specific Active Directory forest. An Active Directory forest is a collection of one or more Active Directory domains that share a common logical structure, directory schema, and network configuration, as well as automatic two-way transitive trust relationships. Each forest is a single instance of the directory and defines a security boundary. For more information, see How Domains and Forests Work [MSFT-DomainForest]. Universal groups can contain user accounts, global groups, and universal groups from any domain in the current forest. An administrator can create a universal group only when the domain is in native mode and not in mixed mode.

Domain global groups: These groups contain members only from their own domain but can be granted permissions to resources in any trusting domain. In Windows NT operating system, global groups are created on DCs and exist in the domain directory database.

Domain local groups: These groups can contain members from any trusted domain, but are granted permissions only to resources in their own domain. A domain administrator can create a domain local group for each resource that exists within a domain, such as file shares or printers, and then add the appropriate global groups from each domain to this domain local group. The domain administrator then assigns the appropriate permissions for the resources to the domain local group.

Local groups: A local group can exist only within the local security database of the computer where it is created. A local group can contain user accounts that are local to the computer, as well as user accounts and global groups from the computer's own domain. This allows the member system to manage its resources in the manner most relevant to it and not be completely dependent on the decisions of the domain administrator. A local group can be granted permissions to resources only on the computer where the local group was created. The Local Users and Groups Microsoft Management Console (MMC) snap-in is used to create local groups on a computer.

A local group that is created with Windows NT Workstation operating system can be granted permissions only to resources on the computer where it was created. A local group that is created with a Windows NT Server operating system DC can be granted permissions only to resources on the DCs of its own domain. Network administrators of enterprise-level Windows NT networks can use a resource-access strategy called AGLP to plan and implement local groups in their network. AGLP organizes accounts by placing them in global groups, which are then placed in local groups that have appropriate permissions and rights assigned to them.

Beginning with Windows 2000 Server operating system, the scope of a group can be changed. For example, global groups that are not members of other global groups can be converted to universal groups. Domain local groups that do not contain other domain local groups can be converted to universal groups.
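As an added example (not text or code from this specification), the AGLP strategy described above and the Windows 2000 Server scope-change rule expressed with the ActiveDirectory PowerShell module; the domain name CONTOSO, the OU path, the share path and the account names are placeholders.

```powershell
# Added example, not part of the specification. Placeholders: domain CONTOSO,
# OU "OU=Groups,DC=contoso,DC=com", share D:\Shares\Finance, users jdoe and asmith.
Import-Module ActiveDirectory

$ou    = "OU=Groups,DC=contoso,DC=com"
$share = "D:\Shares\Finance"

# A -> G: accounts go into a global group per role (members only from this domain)
New-ADGroup -Name "Role-Finance-Analysts" -SamAccountName "Role-Finance-Analysts" `
    -GroupCategory Security -GroupScope Global -Path $ou
Add-ADGroupMember -Identity "Role-Finance-Analysts" -Members "jdoe", "asmith"

# G -> L: a domain local group per resource; it may hold global groups from any trusted domain
New-ADGroup -Name "Res-Finance-Share-Modify" -SamAccountName "Res-Finance-Share-Modify" `
    -GroupCategory Security -GroupScope DomainLocal -Path $ou
Add-ADGroupMember -Identity "Res-Finance-Share-Modify" -Members "Role-Finance-Analysts"

# L -> P: permissions on the resource are assigned to the domain local group only,
# never directly to user accounts or to the global group
$acl  = Get-Acl -Path $share
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "CONTOSO\Res-Finance-Share-Modify", "Modify",
    "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Scope change (Windows 2000 Server and later): a global group can be converted to
# universal only if it is not a member of another global group, so the function below
# (a hypothetical helper) inspects MemberOf before calling Set-ADGroup -GroupScope.
function Convert-GlobalToUniversal {
    param([Parameter(Mandatory)][string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName -Properties MemberOf
    if ($group.GroupScope -ne 'Global') { throw "$GroupName is not a global group" }
    $globalParents = $group.MemberOf |
        ForEach-Object { Get-ADGroup -Identity $_ } |
        Where-Object { $_.GroupScope -eq 'Global' }
    if ($globalParents) {
        throw "$GroupName is a member of global group(s): $($globalParents.Name -join ', ')"
    }
    Set-ADGroup -Identity $group -GroupScope Universal
}

Convert-GlobalToUniversal -GroupName "Role-Finance-Analysts"
```

Granting the ACL to the domain local group rather than to the global group keeps resource permissions in the resource's own domain, so a role change only touches global-group membership and never the ACL.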