Tuesday, November 06, 2007

AD Group Scope Basics

Security groups and distribution groups are characterized by a scope that identifies how they are applied in the domain tree or forest.

There are three group scopes: universal, global, and domain local.

Universal Groups (type - 2147483640)
Universal groups can include other groups and accounts from any domain in the domain tree or forest and can be assigned permissions in any domain in the domain tree or forest.

Global Groups (type - 2147483646)
Global groups can include other groups and accounts only from the domain in which the group is defined and can be assigned permissions in any domain in the forest.

Domain Local Groups (type - 2147483644)
Domain local groups can include other groups and can be assigned permissions only within a domain.
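The three numbers listed with the scopes above are the magnitudes of the groupType attribute. groupType is a signed 32-bit integer whose sign bit (0x80000000) is the security-enabled flag, so directory tools such as ldp or ADSI Edit display these values as negative numbers (for example -2147483646 for a global security group). The following decoder is an added example, not code from the original post; the flag constants are the documented groupType bits, and the sample entries are constructed.

```python
# Added example (not from the original post): decode and build Active Directory
# groupType values. The constants are the documented groupType flag bits.
from typing import NamedTuple

GROUP_TYPE_BUILTIN_LOCAL = 0x00000001  # built-in domain local group (Builtin container)
GROUP_TYPE_GLOBAL        = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL  = 0x00000004
GROUP_TYPE_UNIVERSAL     = 0x00000008
GROUP_TYPE_SECURITY      = 0x80000000  # sign bit of the 32-bit value

SCOPE_BITS = {
    GROUP_TYPE_GLOBAL: "global",
    GROUP_TYPE_DOMAIN_LOCAL: "domain local",
    GROUP_TYPE_UNIVERSAL: "universal",
}


class GroupType(NamedTuple):
    scope: str       # "global", "domain local" or "universal"
    security: bool   # True for a security group, False for a distribution group
    builtin: bool    # True for the built-in domain local groups


def decode_group_type(value: int) -> GroupType:
    """Decode a groupType attribute.

    Accepts the signed form an LDAP client returns (e.g. -2147483646) or the
    raw unsigned 32-bit form (e.g. 0x80000002).
    """
    bits = value & 0xFFFFFFFF  # normalise a negative Python int to 32 bits
    scope_bits = bits & (GROUP_TYPE_GLOBAL | GROUP_TYPE_DOMAIN_LOCAL | GROUP_TYPE_UNIVERSAL)
    if scope_bits not in SCOPE_BITS:
        raise ValueError(f"groupType {value} does not carry exactly one scope bit")
    return GroupType(
        scope=SCOPE_BITS[scope_bits],
        security=bool(bits & GROUP_TYPE_SECURITY),
        builtin=bool(bits & GROUP_TYPE_BUILTIN_LOCAL),
    )


def encode_group_type(scope: str, security: bool = True) -> int:
    """Return the signed 32-bit groupType stored for the given scope."""
    scope_bit = {v: k for k, v in SCOPE_BITS.items()}[scope]
    bits = scope_bit | (GROUP_TYPE_SECURITY if security else 0)
    # Convert to the signed representation LDAP clients display.
    return bits - 0x100000000 if bits & 0x80000000 else bits


def classify(entries: list) -> dict:
    """Map each (cn, groupType) entry to its decoded GroupType."""
    return {cn: decode_group_type(gt) for cn, gt in entries}


# Constructed sample of what an LDAP search for (objectClass=group) might return.
SAMPLE_ENTRIES = [
    ("All-Sales", -2147483640),      # universal security group
    ("Sales-Users", -2147483646),    # global security group
    ("Sales-Share-Readers", -2147483644),  # domain local security group
    ("Newsletter", 8),               # universal distribution group
    ("Administrators", -2147483643), # built-in domain local security group
]

if __name__ == "__main__":
    for cn, gt in classify(SAMPLE_ENTRIES).items():
        kind = "security" if gt.security else "distribution"
        print(f"{cn:22} {gt.scope:13} {kind}{' (builtin)' if gt.builtin else ''}")
```

Because the sign bit is the security flag, a groupType of 8 (no sign bit) is a universal distribution group, while -2147483640 is the universal security group listed above; the decoder masks the value to 32 bits first so either representation is handled.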

Functionality Scope
When the domain functional level is set to Windows 2000 native or Windows Server 2003, members of universal groups can include accounts, global groups, and universal groups from any domain.
Global groups can include accounts and global groups from the same domain. Domain local groups can include accounts, global groups, and universal groups from any domain, as well as domain local groups from the same domain.

Universal and global groups can be added to other groups and assigned permissions in any domain. Domain local groups can be added to other domain local groups and assigned permissions only in the same domain.

Universal groups can be converted to domain local scope, or to global scope as long as no other universal groups exist as members. Global groups can be converted to universal scope, as long as the group is not a member of any other group with global scope. Domain local groups can be converted to universal scope, as long as the group does not have as its member another group with domain local scope.

When the domain functional level is set to Windows 2000 mixed, security groups with universal scope cannot be created. Global groups can include accounts from the same domain. Domain local groups can include accounts and global groups from any domain.

Domain Local Scope Use
Groups with domain local scope help you define and manage access to resources within a single domain.

Global Scope Use
Use groups with global scope to manage directory objects that require daily maintenance, such as user and computer accounts, because groups with global scope are not replicated outside of their own domain.

Universal Scope Use
Use groups with universal scope to consolidate groups that span domains. Add the accounts to groups with global scope and nest these groups within groups having universal scope. Any membership changes in the groups having global scope do not affect the groups with universal scope.
Groups with universal scope should not be changed frequently, since any changes to these group memberships cause the entire membership of the group to be replicated to every global catalog in the forest.

Changing Group Scope
Global to universal. This is only allowed if the group you want to change is not a member of another global scope group.
Domain local to universal. This is only allowed if the group you want to change does not have another domain local group as a member.
Universal to global. This is only allowed if the group you want to change does not have another universal group as a member.
Universal to domain local. No restrictions for this operation.
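The nesting rules under "Functionality Scope" and the four conversion rules above can be checked mechanically before a scope change is attempted. The model below is an added example, not code from the original post: group names and domains are constructed, and the one conversion the post does not list (global directly to domain local, or the reverse) is reported as not being a direct conversion, which matches Active Directory's requirement to pass through universal scope first.

```python
# Added example (not from the original post): a small model of AD group nesting
# and scope-conversion rules at Windows 2000 native / Windows Server 2003
# functional level. All group names and domains below are constructed.
from __future__ import annotations
from dataclasses import dataclass, field

UNIVERSAL, GLOBAL, DOMAIN_LOCAL = "universal", "global", "domain local"


@dataclass
class Group:
    name: str
    domain: str
    scope: str
    members: list = field(default_factory=list)  # names of member groups (accounts omitted)


def can_nest(member: Group, container: Group) -> tuple[bool, str]:
    """Whether `member` may be a member of `container` (native-mode rules)."""
    same_domain = member.domain == container.domain
    if container.scope == UNIVERSAL:
        ok = member.scope in (GLOBAL, UNIVERSAL)
        why = "universal groups accept global and universal groups from any domain"
    elif container.scope == GLOBAL:
        ok = member.scope == GLOBAL and same_domain
        why = "global groups accept only global groups from the same domain"
    else:
        ok = member.scope in (GLOBAL, UNIVERSAL) or (member.scope == DOMAIN_LOCAL and same_domain)
        why = ("domain local groups accept global and universal groups from any domain "
               "and domain local groups from the same domain")
    return ok, why


def can_convert(group: Group, target: str, directory: dict[str, Group]) -> tuple[bool, str]:
    """Whether `group` may be changed to scope `target` (rules from 'Changing Group Scope')."""
    member_scopes = {directory[m].scope for m in group.members}
    parent_scopes = {g.scope for g in directory.values() if group.name in g.members}
    change = (group.scope, target)
    if group.scope == target:
        return False, "group already has that scope"
    if change == (GLOBAL, UNIVERSAL):
        if GLOBAL in parent_scopes:
            return False, "group is a member of another global group"
        return True, "ok"
    if change == (DOMAIN_LOCAL, UNIVERSAL):
        if DOMAIN_LOCAL in member_scopes:
            return False, "group has a domain local group as a member"
        return True, "ok"
    if change == (UNIVERSAL, GLOBAL):
        if UNIVERSAL in member_scopes:
            return False, "group has a universal group as a member"
        return True, "ok"
    if change == (UNIVERSAL, DOMAIN_LOCAL):
        return True, "ok (no restrictions)"
    return False, "no direct conversion; change the group to universal scope first"


def build_sample_directory() -> dict[str, Group]:
    """Constructed two-domain sample using the recommended nesting pattern:
    accounts in global groups, global groups in a universal group, the universal
    group in a domain local group that is granted permissions."""
    groups = [
        Group("Sales-Users", "corp.example", GLOBAL),
        Group("EU-Sales-Users", "eu.corp.example", GLOBAL),
        Group("All-Sales", "corp.example", UNIVERSAL, ["Sales-Users", "EU-Sales-Users"]),
        Group("All-Staff", "corp.example", UNIVERSAL, ["All-Sales"]),
        Group("Sales-Share-Readers", "corp.example", DOMAIN_LOCAL, ["All-Sales"]),
        Group("Sales-Share-Writers", "corp.example", DOMAIN_LOCAL, ["Sales-Share-Readers"]),
        Group("Sales-Managers", "corp.example", GLOBAL),
        Group("Sales-Leads", "corp.example", GLOBAL, ["Sales-Managers"]),
    ]
    return {g.name: g for g in groups}


if __name__ == "__main__":
    d = build_sample_directory()
    for name, target in [("Sales-Managers", UNIVERSAL), ("Sales-Leads", UNIVERSAL),
                         ("Sales-Share-Writers", UNIVERSAL), ("All-Staff", GLOBAL),
                         ("All-Sales", DOMAIN_LOCAL), ("Sales-Users", DOMAIN_LOCAL)]:
        ok, why = can_convert(d[name], target, d)
        print(f"{name} -> {target}: {'allowed' if ok else 'blocked'} ({why})")
```

Run stand-alone, the script walks the sample directory and reports which conversions are blocked and why; the same two functions can be fed real group objects read over LDAP, since only name, domain, scope and the member list are used.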

2 comments:

  1. Anonymous, 8:18 PM

    Well written article.

  2. Anonymous, 7:01 AM

    Thank you for this article, it helped me out a lot in concern to the numbers and how they designate what type of group (universal/local domain/global).
