Group Scope in Active Directory
Active Directory is a large topic, yet one theme runs through the entire system: the concept of group scope and group type. In the most generic form there are four group scopes and two group types. The scopes are local, domain local, global, and universal; the types are security groups and distribution groups. Security groups are what carry rights and resource permissions, whereas distribution groups exist only to group similar users together, for example as a distribution list in Microsoft Exchange. A key part of working with groups in Active Directory is nesting groups inside other groups to simplify administration. It is important to know which scopes can contain which other scopes, so let's look at each of them in turn.
Local Groups
Local groups are used to assign rights and resource permissions on an individual computer. Local groups can contain domain local groups from the same domain as well as global groups from a trusted external domain. Local groups can also contain universal or global groups from any domain in the forest. The key thing to remember about local groups is that they apply to the local computer only.
Domain Local Groups
Domain local groups are quite common in the Active Directory world and are mainly used to assign rights and resource permissions within the domain. Domain local groups can contain global groups from a trusted external domain, domain local groups from the same domain, and global or universal groups from any domain in the forest. Domain local groups can be granted rights and permissions in their own domain only.
Global Groups
The workhorse of the group scopes is the global group. Global groups are very flexible in that they are used to collect users in the network with similar characteristics such as job role, location, and department. Global groups can be granted rights and resource permissions in the same forest or in a trusted forest. Global groups can contain users or computers from the same domain, or other global groups from the same domain.
Universal Groups
Most often found in larger networks with a large forest or trusted domains, universal groups can be used in any domain in the forest. The purpose of universal groups is similar to that of both global and domain local groups, but their membership is listed in the global catalog for easy lookup. Universal groups are also used to greatly simplify rights and resource control across many global groups in a large network via group nesting. Universal groups can contain users, computers, global groups, or universal groups from any domain in the forest. They are the mac daddy of groups in Active Directory.
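The membership rules from the four scope descriptions above, encoded as a small checker you can run over a proposed nesting chain before changing group membership. This is an added example, not code from the original article; the `Principal`, `can_contain` and `first_violation` names are my own, the domains are constructed, and the account (user/computer) rules for local and domain local groups follow Microsoft's standard scope matrix rather than the article's text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A user, computer, or group, with the domain and forest it lives in."""
    name: str
    kind: str              # "user", "computer", or "group"
    domain: str            # DNS name of the domain holding the object
    forest: str            # DNS name of the forest root domain
    scope: str = ""        # groups only: "local", "domain_local", "global", "universal"


def can_contain(container: Principal, member: Principal,
                trusted_external: frozenset = frozenset()) -> bool:
    """True if `member` may be added to `container` under the scope rules.

    `trusted_external` lists domains outside the forest that have an external
    trust with the container's domain; it is an assumption for this example.
    """
    if container.kind != "group":
        raise ValueError("only groups can contain members")
    same_domain = member.domain == container.domain
    same_forest = member.forest == container.forest
    trusted = same_forest or member.domain in trusted_external
    if member.kind in ("user", "computer"):
        if container.scope == "global":
            return same_domain          # global groups: accounts from own domain only
        if container.scope == "universal":
            return same_forest          # universal groups: any domain in the forest
        return trusted                  # local / domain local: any trusted domain
    ms = member.scope
    if container.scope in ("local", "domain_local"):
        return ((ms == "global" and trusted)            # global from any trusted domain
                or (ms == "universal" and same_forest)  # universal from the forest
                or (ms == "domain_local" and same_domain))
    if container.scope == "global":
        return ms == "global" and same_domain           # global nests global, same domain
    if container.scope == "universal":
        return ms in ("global", "universal") and same_forest
    return False


def first_violation(chain, trusted_external: frozenset = frozenset()):
    """Walk a chain [member, group, group, ...] innermost to outermost and
    return the index of the first member that may not sit in the next group,
    or None if the whole nesting chain is allowed."""
    for i in range(len(chain) - 1):
        if not can_contain(chain[i + 1], chain[i], trusted_external):
            return i
    return None
```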