Universal Group: Can contain users and groups (global and universal) from any domain in the forest. Universal groups do not care about trust. Universal groups can be members of domain local groups or other universal groups but NOT global groups.

A universal group is available to any domain in the forest.

Global Group: Can contain users, computers and groups from the same domain but NOT universal groups. Can be a member of global groups of the same domain, domain local groups or universal groups of any domain in the forest or trusted domains.

A global group might also be called an “Account group”. Global groups exist in the same domain as the (mostly user) accounts they contain, and can be grouped/nested among themselves (within their domain).

If role-based access control is used, usually a global group is created and the user that requires access is placed into the group. This global group is placed into a domain local group and given access to the resource.

Domain Local Group: Can contain users, computers, global groups and universal groups from any domain in the forest and any trusted domain, and domain local groups from the same domain. Can be a member of any domain local group in the same domain.

A domain local group might also be called a “Permission Group”. It is used to assign a role or access to an object. It cannot be used outside the domain.
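The role-based pattern described above (user into a global group, global group into a domain local group, domain local group on the resource) can be set up and checked as follows. This is an added example, not part of the original notes; the domain, OU, group names, user `jdoe` and share path are constructed placeholders, and it assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example: every name and path below is a constructed placeholder.
Import-Module ActiveDirectory

$groupsOu  = 'OU=Groups,DC=corp,DC=example,DC=com'   # placeholder OU
$netbios   = 'CORP'                                   # placeholder domain name
$sharePath = 'D:\Shares\Finance'                      # placeholder resource
$roleGroup = 'GG-Finance-Analysts'                    # global ("account") group
$permGroup = 'DL-FinanceShare-Modify'                 # domain local ("permission") group

# 1. Global group: collects the accounts that hold the role.
New-ADGroup -Name $roleGroup -SamAccountName $roleGroup `
    -GroupScope Global -GroupCategory Security -Path $groupsOu

# 2. The user that requires access goes into the global group.
Add-ADGroupMember -Identity $roleGroup -Members 'jdoe'

# 3. Domain local group: represents one permission on one resource.
New-ADGroup -Name $permGroup -SamAccountName $permGroup `
    -GroupScope DomainLocal -GroupCategory Security -Path $groupsOu

# 4. Nest the global group inside the domain local group.
Add-ADGroupMember -Identity $permGroup -Members $roleGroup

# 5. Grant the permission to the domain local group only.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\$permGroup", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# 6. Review: confirm the scopes, then flag any non-group principal that was
#    added straight to the permission group, bypassing the role group.
Get-ADGroup -Identity $roleGroup | Select-Object Name, GroupScope
Get-ADGroup -Identity $permGroup | Select-Object Name, GroupScope

$direct = Get-ADGroupMember -Identity $permGroup |
    Where-Object { $_.objectClass -ne 'group' }
if ($direct) {
    Write-Warning "Direct members of ${permGroup}: $($direct.SamAccountName -join ', ')"
}
```

Removing a user from the global group then revokes access without touching the resource's ACL, and the step 6 check can be rerun during access reviews.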

