Group Types and Scopes

There are three types of groups in Active Directory: Universal, Global, and Domain Local.

Use the buttons below to navigate through the lesson

There are two main functions of groups in Active Directory:

1. Gathering together objects for ease of administration.
2. Assigning permissions to  objects or resources within the Directory.

A user – Tom – would like permissions to the resources he needs for his job. So would his colleagues: This is an obviously inefficient way to allocate the resources of a domain. Domain Local Groups provide a solution. A Domain Local Group can be made. It has permissions only for resources within its own domain.

Members added to this group gain all the permissions they need for the resources in this domain. Members added to this group gain all the permissions they need for the resources in this domain. BUT BEFORE YOU START – THINK!

It might be better to add a group of users, rather than the users separately. If the users have been made into a Global Group, then they can be placed into whatever domain local group is required to give them access to the different resources they  might require from time to time. These global groups have no permissions of their own, but can gain them by being members of permission-bearing Domain Local Groups.

These global groups must have members only from the domain in which they were created, but they can be given permissions to resources in other domains in the tree or forest.

While a Domain Local Group can give permissions only for resources in its own domain, it may have members from anywhere in the tree or forest. Universal groups have to be handled carefully. They can be members of any group (including other universal groups) and be given permission to anything in any of the domains in the enterprise. Any user from any domain, or any global or universal group from any domain can be a member of a universal group.

Sites A & B each have a copy of the Global Catalogue. Any changes to it must be replicated to the other site. Replication goes over a link which may be easily swamped, so changes to the GC need to be minimised. Universal groups appear in the global catalogue, so.

1. Use universal groups sparingly.
2. Group member accounts into groups and group groups, so that small changes to an individual account don’t affect the whole Universal group.

Universal Groups

• Can contain users and groups from any domain in the forest except domain local groups.
• Can be given permissions to any object within the forest.
• May be placed in any group in the forest.
• Are replicated in the global catalogue.

Global Groups

• Can contain any domain local groups from the same domain and any global and universal from any domain in the forest.
• Maybe placed in any domain local groups within the same domain.
• Can be given permissions to any resource in the same domain.
• Not stored in the global catalogue.

Group Scope Recommendations

• Domain local groups should be used to assign permissions to an object within a domain.
• The membership and permissions may be changed regularly and as domain local groups are not in the Global Catalogue there is no replication traffic.
• The same applies to Global Groups in that membership changes are not replicated.
• Domain local groups should be used to assign permissions to an object within a domain.
• The membership and permissions may be changed regularly and as domain local groups are not in the Global Catalogue there is no replication traffic.
• The same applies to Global Groups in that membership changes are not replicated.
• Global groups should be used to give permissions to resources.
• Use Universal groups to gather groups together.
• If individual users are placed into universal groups, these users will be listed in the global catalogue.
• Any changes to Domain Local and Global group membership will not be replicated around the global catalogues.
• On the other hand, changes to Universal groups will be replicated, and may have a detrimental effect on WAN bandwidth as replication transfers a considerable amount of data.
• A discussion of groups under non-native mode conditions appears in the Windows help file.