Security Group: Domain Local, global, what is the difference with universal?

It is found that there is a folder node called builtin in Active Directory users and computers in domain controller. the user group types are security group-Domain Local. other types are found, such as global and universal. what is the difference between them?

 

The knowledge scope of this problem belongs to the group scope of Active Directory.

 

Domain Local Group can contain any kind of universal Group, Global Group, other local groups in this domain, and any domain account in this forest.

The local security group can be granted the permission to access resources that exist only in the current domain.

 

Global Group can be used in the domain where it is located, as well as its member servers or workstations, as well as the domain that trusts this domain. In all these places, you can grant the global group permission or make the global group a member of the local group. However, a global group can only contain the user account of its domain.

 

A universal group is a user, group, computer security goup or distribution group that contains any domain in this forest. You can assign permissions to resources in any domain in this forest.

 

When to use domain local scope?

====================

For example, we want to authorize five users to access a printer. We can create a local group and grant the Local Group permission to access the printer.

Create a global group and add these five accounts to the group.

Then add the global group to the local group.

In this way, these five accounts can access the printer.

If we add another printer later, let the local group have the permission to access the new printer.

 

When to use global scope?

====================

For example, there are two domain names in the network, one us and one euro. Suppose we have a global group named glaccounting in usdomain. so I should also create a global group named glaccounting in the domain of Euro.

 

When to use universal scope?

====================

For example, for us and euro domain, both domain have a global group called glaccounting. we should create a universal group named uaccounting, and then add the two glaccounting as members of the uaccounting group so that the uaccounting group can be used throughout the enterprise. changes to personnel in any glaccounting group will not lead to replication of changes in the uaccounting group ).

Do not change members of the universal group as frequently as possible, because any modification will cause the group's membership to be copied in all the Global Catalog in the forest.

 

References:

Group Scope

Http://technet.microsoft.com/en-us/library/cc755692%28WS.10%29.aspx

Http://support.microsoft.com/kb/884417