Windows Server supports group scoping. The scope of a group determines both the range of a group's abilities or permissions and who can be a member of the group. There are four group scopes.

- Local. You use this type of group for standalone servers or workstations, on domain-member servers that are not domain controllers, or on domain-member workstations. Local groups are available only on the computer where they exist. The important characteristics of a local group are:
  - You can assign abilities and permissions on local resources only, meaning on the local computer.
  - Members can be from anywhere in the AD DS forest.
- Domain-local. You use this type of group primarily to manage access to resources or to assign management rights and responsibilities. Domain-local groups exist on domain controllers in an AD DS domain, so the group's scope is local to the domain in which it resides. The important characteristics of domain-local groups are:
  - You can assign abilities and permissions on domain-local resources only, which means on all computers in the local domain.
  - Members can be from anywhere in the AD DS forest.
- Global. You use this type of group primarily to consolidate users who have similar characteristics. For example, you might use global groups to join users who are part of a department or a geographic location. The important characteristics of global groups are:
  - You can assign abilities and permissions anywhere in the forest.
  - Members can be from the local domain only and can include users, computers, and global groups from the local domain.
- Universal. You use this type of group most often in multidomain networks because it combines the characteristics of both domain-local groups and global groups. Specifically, the important characteristics of universal groups are:
  - You can assign abilities and permissions anywhere in the forest, similar to how you assign them for global groups.
  - Members can be from anywhere in the AD DS forest.
Each group has a scope that identifies the extent to which the group is applied in the domain tree or forest. The scope of a group defines where in the network permissions can be granted for the group. Active Directory defines the following three group scopes:
- Universal
- Global
- Domain Local
> **Note:** In addition to these three scopes, the default groups in the Builtin container have a group scope of Builtin Local. This group scope and group type can't be changed.
The following table describes the three group scopes and how they work as security groups:
| Scope | Possible members | Scope conversion | Can grant permissions | Possible member of |
|---|---|---|---|---|
| Domain Local | Accounts from any domain or any trusted domain; Global groups from any domain or any trusted domain; Universal groups from any domain in the same forest; other Domain Local groups from the same domain; accounts, Global groups, and Universal groups from other forests and from external domains | Can be converted to Universal scope if the group doesn't contain any other Domain Local group | Within the same domain | Other Domain Local groups from the same domain; local groups on computers in the same domain, excluding built-in groups that have well-known security identifiers (SIDs) |
| Global | Accounts from the same domain; other Global groups from the same domain | Can be converted to Universal scope if the group isn't a member of any other Global group | On any domain in the same forest, or trusting domains or forests | Universal groups from any domain in the same forest; other Global groups from the same domain; Domain Local groups from any domain in the same forest, or from any trusting domain |
| Universal | Accounts from any domain in the same forest; Global groups from any domain in the same forest; other Universal groups from any domain in the same forest | Can be converted to Domain Local scope if the group isn't a member of any other Universal group; can be converted to Global scope if the group doesn't contain any other Universal group | On any domain in the same forest or trusting forests | Other Universal groups in the same forest; Domain Local groups in the same forest or trusting forests; local groups on computers in the same forest or trusting forests |
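The scope-conversion column is the part that bites in practice, because `Set-ADGroup -GroupScope` simply fails when a nesting rule is violated. The following added example (not from the original page) checks those rules read-only before attempting a conversion; it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host, and the group name `Finance-Share-Readers` is a constructed placeholder.

```powershell
# Added example, not part of the original page. Assumes the ActiveDirectory
# module (RSAT) and read access to the groups being inspected.
Import-Module ActiveDirectory

function Test-ADGroupScopeConversion {
    # Returns $true when converting $Identity to $TargetScope is allowed by the
    # scope-conversion rules in the table above, $false otherwise. Read-only.
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('DomainLocal','Global','Universal')] [string] $TargetScope
    )
    $group   = Get-ADGroup -Identity $Identity
    $current = [string] $group.GroupScope

    # Scopes of groups nested *inside* this group (direct members only).
    $memberScopes = Get-ADGroupMember -Identity $group |
        Where-Object objectClass -eq 'group' |
        ForEach-Object { [string] (Get-ADGroup -Identity $_.DistinguishedName).GroupScope }

    # Scopes of groups this group is a *member of*. Read from the group's own
    # domain; Universal parents in other domains need -ResourceContextServer.
    $parentScopes = Get-ADPrincipalGroupMembership -Identity $group |
        ForEach-Object { [string] $_.GroupScope }

    switch ("$current->$TargetScope") {
        'DomainLocal->Universal' { $blocked = $memberScopes -contains 'DomainLocal'; $why = 'contains a Domain Local group' }
        'Global->Universal'      { $blocked = $parentScopes -contains 'Global';      $why = 'is a member of a Global group' }
        'Universal->DomainLocal' { $blocked = $parentScopes -contains 'Universal';   $why = 'is a member of a Universal group' }
        'Universal->Global'      { $blocked = $memberScopes -contains 'Universal';   $why = 'contains a Universal group' }
        default {
            # Same scope, or a Global <-> Domain Local change, which the table does not list.
            Write-Warning "$current -> $TargetScope is not a listed conversion; convert via Universal first."
            return $false
        }
    }
    if ($blocked) { Write-Warning "$Identity $why; conversion to $TargetScope is blocked." }
    return -not $blocked
}

# Usage: check first, then convert only when allowed (-WhatIf makes it a dry run).
if (Test-ADGroupScopeConversion -Identity 'Finance-Share-Readers' -TargetScope Universal) {
    Set-ADGroup -Identity 'Finance-Share-Readers' -GroupScope Universal -WhatIf
}
```

Only direct members are inspected, which is what the conversion rule itself considers; a nested Domain Local group two levels down does not block a Domain Local to Universal conversion of the outer group.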