Domain Local Global Best Practice
The table below was taken straight from Microsoft TechNet, and it gives the whole story of the rules for group scope.
The difference between domain local and global groups is that user accounts, global groups, and universal groups from any domain can be added to a domain local group. Each group scope defines the possible members a group can have and where the group's permissions can be applied within the domain. Domain global groups can be members of domain local groups and domain universal groups in any domain. Use domain global groups to organize users who share similar access requirements, and make them members of the domain local groups you use to grant access to resources.
The managers and directors across various departments who own the content within a certain group can be empowered to manage who has access to the group. The global group will have the same level of access to the resource that the domain local group has. The short answer as best practice. 5. Try to use nested groups rather than adding the same user/computer account to multiple groups.
IT professionals don't need to be the ones in charge of group management. So register a public DNS name so you own it. Universal, global, and domain local. Domain local groups also have a scope that extends to the local domain and are used to assign permissions to local resources.
4. Avoid using universal groups. Global groups full of users are added to those domain local groups for permissions; you, or the next admin after you're gone, will know and be in complete control of who's got what access to what resource.