Domain Local Vs Global Vs Universal

While there is no requirement to create any particular type of group in active directory at iu uits recommends that global or universal groups be used in all cases.

Domain local vs global vs universal. Intended for use on objects not directly in ad such as file shares printer queues etc. Domain global groups can be a member of domain local groups and domain universal groups in any domain. The global scope can contain user accounts and global groups from the same domain and can be a member of universal and domain local groups in any domain. A global group can be used to assign permissions for access to resources in any domain.

Domain local permissions can be assigned only in the local domain. Hey guys i am hoping someone could help me out with a problem i am having. You can give domain local security groups rights and permissions on resources that reside only in the same domain where the domain local group is located. Domain local grop is a security or distribution group that can contain universal groups global groups other domain local groups from its own domain and accounts from any domain in the forest.

We will call them domain a and domain b full transitive trust between the domains 2. Domain local groups also have a scope that extends to the local domain and are used to assign permissions to local resources. Use domain global groups to organize users who share similar access requirements and make them member of the domain local groups you use to grant access to resources. 2 forests and 2 domains.

The universal scope can contain user accounts universal groups and global groups from any domain. Should not be used to assign permissions on ad global. The scope can be a member of domain local or universal groups in any domain. Members can be from any domain in the forest.