As a System Administrator of a domain, there will obviously be times where you will need to create new security groups for your environment. When creating a new security group, the group scope can sometimes be confusing. Do I pick Domain Local, Global, or Universal? Below I quickly break down what each type can contain and the usage for each security group type.
Domain Local
This type of group can contain:
- User accounts from any domain in the forest or in a trusted forest
- Global or Universal security groups from any domain in the forest or trusted forest
- Other Domain Local security groups from the same domain
This type of groups usage:
- Used for resources in the local domain
Global
This type of group can contain:
- User accounts in the same domain
- Other Global security groups from the same domain
This type of groups usage:
- Used for any domain in the forest or trusted forests
Universal
This type of group can contain:
- User accounts, Global groups, or Universal Groups from any domain in the forest
This type of groups usage:
- Any domain in forest or trusted forest
Recent Comments