Group Scopes in Active Directory

We have three group scopes in Active Directory:

A universal group is a security or distribution group that can contain users, groups, and computers from any domain in its forest as members. We can give universal security groups rights and permissions on resources in any domain in the forest. Universal group membership is replicated to all Global Catalogs. This can be beneficial, but has its drawbacks. A universal group takes up 40 bytes in the token if the group is from a domain other than the one the user resides in; if the universal group and the user reside in the same domain, it takes up to 8 bytes in the token.

A global group is a group that can be used in its own domain, on member servers and workstations of the domain, and in trusting domains. In all those locations, we can give a global group rights and permissions, and the global group can become a member of local groups. However, a global group can contain only user accounts from its own domain. Global groups always take up to 8 bytes in the token.

A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. We can give domain local security groups rights and permissions only on resources that reside in the same domain where the domain local group is located. Domain local groups do not have any limitations regarding their membership: they can contain accounts from the same domain/forest or any trusted domain/forest. This does not apply to domain global groups or universal groups. Domain local groups always take up to 40 bytes.
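
The per-scope token figures above can be applied to a user's group list to see which memberships cost the most. The following is an added example, not part of the original post: the function names are hypothetical, the distinguished names are constructed, and the input objects only mirror the `GroupScope` and `DistinguishedName` properties that `Get-ADGroup` returns.

```powershell
# Added example: per-group token cost using the byte figures quoted in this post.
# Function names are hypothetical; all sample DNs below are constructed.

function Get-DomainFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on unescaped commas and keep only the DC= components.
    $parts = $DistinguishedName -split '(?<!\\),' | Where-Object { $_ -match '^\s*DC=' }
    # Join them into a DNS-style domain name, e.g. emea.example.com.
    (($parts | ForEach-Object { ($_ -replace '^\s*DC=', '').Trim() }) -join '.').ToLowerInvariant()
}

function Get-GroupTokenCost {
    param(
        [Parameter(Mandatory)][string]$UserDN,
        [Parameter(Mandatory)][object[]]$Groups
    )
    $userDomain = Get-DomainFromDN $UserDN
    foreach ($g in $Groups) {
        $groupDomain = Get-DomainFromDN $g.DistinguishedName
        $bytes = switch ("$($g.GroupScope)") {
            'Global'      { 8 }    # always 8 bytes
            'DomainLocal' { 40 }   # always 40 bytes
            # Universal: 8 bytes in the user's own domain, 40 bytes otherwise.
            'Universal'   { if ($groupDomain -eq $userDomain) { 8 } else { 40 } }
            default       { throw "Unknown group scope '$_' on $($g.DistinguishedName)" }
        }
        [pscustomobject]@{
            Group  = $g.DistinguishedName
            Scope  = "$($g.GroupScope)"
            Domain = $groupDomain
            Bytes  = $bytes
        }
    }
}

# Constructed sample: one user and four group memberships across two domains.
$user = 'CN=Alice,OU=Staff,DC=emea,DC=example,DC=com'
$groups = @(
    [pscustomobject]@{ GroupScope = 'Global';      DistinguishedName = 'CN=EMEA-Sales,OU=Groups,DC=emea,DC=example,DC=com' }
    [pscustomobject]@{ GroupScope = 'Universal';   DistinguishedName = 'CN=EMEA-Managers,OU=Groups,DC=emea,DC=example,DC=com' }
    [pscustomobject]@{ GroupScope = 'Universal';   DistinguishedName = 'CN=All-Managers,OU=Groups,DC=example,DC=com' }
    [pscustomobject]@{ GroupScope = 'DomainLocal'; DistinguishedName = 'CN=FileShare-RW,OU=Groups,DC=emea,DC=example,DC=com' }
)

$report = Get-GroupTokenCost -UserDN $user -Groups $groups
$report | Sort-Object Bytes -Descending | Format-Table -AutoSize
$total = ($report | Measure-Object -Property Bytes -Sum).Sum
"Estimated bytes added to the token by these groups: $total"
```

Against a live directory, the same function accepts the objects returned by `Get-ADGroup` in place of the constructed array.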
