Dating to the early days of Windows NT is a discussion of what group scope to choose when creating a new group in Active Directory. There is a plethora of acronyms and time-tested practices that administrators sometimes turn to, but I usually recommend a simple approach. In many organizations, I suggest that the time spent debating this topic could be better focused somewhere more important.
There are three group scopes available:

- Domain Local
- Global
- Universal
The scope primarily affects four things:

- The exposure of the group across trusts, and the ability to add group members from other domains or forests.
- The number of bytes the group consumes in the user's logon token. This is important in large organizations that have token bloat problems.
- Replication traffic: in large, highly distributed multi-domain forests with domain controllers dispersed around the world, where replication traffic is a network concern, universal group membership changes are replicated to every global catalog.
- Logon dependency on the global catalog: in multi-domain forests where not every domain controller is a global catalog, logon fails (by default) if a global catalog cannot be contacted during the logon attempt.
In order to understand how the scope of a group affects your ability to nest groups (that is, make one group a member of another group), first study the rules for whether or not a group from one domain can be used in another domain:

- Domain local: only usable within the domain that the group was created in. Cannot be accessed via a trust.
- Global: usable in the domain the group was created in, or in any domain that trusts the domain the group is in.
- Universal: usable in the domain the group was created in, or in any domain or forest that trusts the domain the group is in.
As you consider the rules above, you can see why you cannot nest a Domain Local group in a Global or Universal group. Simply put, Global and Universal group membership is accessible across trusts, but domain local group membership is not. So, if you were to nest a Domain Local group in a Global or Universal group, the full group membership would not be accessible across the trust. Fortunately, Active Directory enforces these rules for us. You can keep track of these rules by referencing the table below:
| Group scope | Users and computers from same domain | Users and computers from different domain | Domain local groups from same domain | Domain local groups from different domain |
|---|---|---|---|---|
| Domain local groups | Yes | Yes | Yes | No |
| Domain global groups | Yes | No | No | No |
| Universal groups | Yes | Yes | No | No |
The next table highlights the rules that apply to global and universal groups.
| Group scope | Domain global groups from same domain | Domain global groups from different domain | Universal groups from same domain | Universal groups from different domain |
|---|---|---|---|---|
| Domain local groups | Yes | Yes | Yes | Yes |
| Domain global groups | Yes | No | No | No |
| Universal groups | Yes | Yes | Yes | Yes |
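The two tables above (and the cross-domain usability rules before them) can be encoded as a single decision function, which is handy when auditing a proposed or exported group graph before Active Directory rejects a nesting or, worse, before a cross-trust group silently fails to carry its full membership. The script below is an added example written for this post, not code from the original article or from Microsoft; the group names, domain names and the `audit` helper are constructed for illustration. It assumes "different domain" means any domain other than the container group's own, since the tables do not distinguish same-forest from cross-forest domains.

```python
"""Validate Active Directory group nestings against the scope rules.

Added example, not from the original article. Encodes the two rule
tables as RULES and audits a constructed set of memberships.
Assumption: "different domain" is any domain other than the
container group's domain (forest boundaries are not modelled).
"""
from dataclasses import dataclass
from typing import List, Tuple, Union

PRINCIPAL = "user_or_computer"   # users and computers follow one rule
DOMAIN_LOCAL = "domain_local"
GLOBAL = "global"
UNIVERSAL = "universal"

# RULES[container_scope][member_kind] = (same_domain_ok, different_domain_ok)
# Transcribed from the two tables in the article.
RULES = {
    DOMAIN_LOCAL: {
        PRINCIPAL:    (True,  True),
        DOMAIN_LOCAL: (True,  False),
        GLOBAL:       (True,  True),
        UNIVERSAL:    (True,  True),
    },
    GLOBAL: {
        PRINCIPAL:    (True,  False),
        DOMAIN_LOCAL: (False, False),
        GLOBAL:       (True,  False),
        UNIVERSAL:    (False, False),
    },
    UNIVERSAL: {
        PRINCIPAL:    (True,  True),
        DOMAIN_LOCAL: (False, False),
        GLOBAL:       (True,  True),
        UNIVERSAL:    (True,  True),
    },
}


@dataclass(frozen=True)
class Group:
    name: str
    domain: str
    scope: str          # DOMAIN_LOCAL, GLOBAL or UNIVERSAL


@dataclass(frozen=True)
class Principal:
    """A user or computer account."""
    name: str
    domain: str


Member = Union[Group, Principal]


def can_nest(container: Group, member: Member) -> bool:
    """True if AD allows `member` to be added to `container`."""
    kind = PRINCIPAL if isinstance(member, Principal) else member.scope
    same_ok, diff_ok = RULES[container.scope][kind]
    return same_ok if member.domain == container.domain else diff_ok


def audit(memberships: List[Tuple[Group, Member]]) -> List[str]:
    """Return one explanatory line per nesting that the rules reject."""
    problems = []
    for container, member in memberships:
        if can_nest(container, member):
            continue
        kind = "account" if isinstance(member, Principal) else member.scope
        where = "same domain" if member.domain == container.domain else "different domain"
        problems.append(
            f"{container.name} ({container.scope}) cannot contain "
            f"{member.name} ({kind}, {where})"
        )
    return problems


def sample_audit() -> List[str]:
    """Run the audit over a constructed two-domain example."""
    dl_a = Group("FileShare-RW", "corp.example", DOMAIN_LOCAL)   # constructed
    g_a = Group("Finance-Users", "corp.example", GLOBAL)          # constructed
    u_a = Group("All-Finance", "corp.example", UNIVERSAL)         # constructed
    dl_b = Group("Printers-B", "child.corp.example", DOMAIN_LOCAL)
    g_b = Group("Finance-B", "child.corp.example", GLOBAL)
    alice = Principal("alice", "child.corp.example")

    proposed = [
        (dl_a, g_b),    # domain local <- global from other domain: allowed
        (u_a, g_b),     # universal  <- global from other domain: allowed
        (g_a, alice),   # global     <- account from other domain: rejected
        (g_a, dl_a),    # global     <- domain local, any domain: rejected
        (dl_a, dl_b),   # domain local <- domain local from other domain: rejected
        (g_a, u_a),     # global     <- universal: rejected
    ]
    return audit(proposed)


if __name__ == "__main__":
    for line in sample_audit():
        print(line)
```

Running the script lists the four proposed nestings that Active Directory would refuse; the two that pass are exactly the cases where a global group from another domain is placed into a domain local or universal group, which is the pattern the tables recommend for cross-domain resource access.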