6.4.1 Group Scope
The scope of a group determines two things: where in the domain tree or forest the group can be assigned permissions, and from which domains it can draw its members.
There are four group scopes: local groups, domain local groups, global groups, and universal groups.
Local groups exist on a single computer, in its local SAM database rather than in Active Directory. They can contain user accounts from the local machine, user accounts and global or universal groups from the domain the local
machine is joined to, or user accounts and groups from any domain trusted by the domain the computer is joined to.
A local group can be assigned permissions only on the computer where it is defined; it has no meaning on any other machine.
Domain local groups can include user and/or computer accounts and global groups from any domain in the forest or from any trusted domain (including Windows NT and Windows 2000 Server domains), universal groups, and other domain local groups from the same domain. Permissions can be assigned to a domain local group only in the domain in
which the group is defined, which includes the member servers and workstations of that domain. Thus, domain local groups are the right place to
manage access to resources within a domain: the permission is granted to the domain local group, and the global groups that need the access are nested into it.
Global groups can include user and/or computer accounts from only the domain in
which the group is defined, plus (at Windows 2000 native or higher domain functional level) other global groups from that same domain. Permissions for any domain in the forest, and in any trusting domain, can be assigned to global groups.
The membership of a global group is not replicated beyond the boundaries of its own domain (the Global Catalog holds the group object but not its member list), thus changes can be made
to global group membership without creating replication traffic to the Global Catalog
servers. Any individual permission or user right assigned to a global group is valid only in the domain in
which that assignment was made; the group itself remains usable forest-wide, but each assignment is local to the domain that holds the resource.
Universal groups can include user and/or computer accounts, global groups, and other universal groups from any domain in the
domain tree or forest. Permissions for any domain in the domain tree or forest can be assigned to
universal groups. Universal security groups are only available if your domain functional level is set to
Windows 2000 native or higher; in Windows 2000 mixed mode only universal distribution groups can be created. Because universal group membership is stored in the Global Catalog, every membership change is replicated to every Global Catalog server in the forest (at the Windows Server 2003 forest functional level, linked-value replication reduces this to the changed members rather than the whole list). Universal groups are therefore best used to consolidate global
groups into one location. Since user accounts are added to the global groups rather than to the universal group, membership changes in the
global groups do not have an effect on the universal group and do not trigger Global Catalog replication.
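The nesting rules above are usually applied as the A-G-DL-P pattern: Accounts go into Global groups, Global groups into Domain Local groups, and the Permission is granted to the domain local group. The following PowerShell script is an added example, not part of the original text, that builds one such chain with the ActiveDirectory module, assigns the NTFS permission, and then checks the result; it also goes one step beyond the text by showing that the directory itself rejects a nesting the scope rules forbid. The domain CORP (corp.example.com), the OU "OU=Groups,DC=corp,DC=example,DC=com", the share \\FS01\Projects, and the users jdoe and asmith are all hypothetical names assumed for the example.

```powershell
# Added example: A-G-DL-P with the ActiveDirectory PowerShell module.
# Assumed (hypothetical) environment: domain CORP / corp.example.com, an OU for groups,
# a file share \\FS01\Projects, and existing users jdoe and asmith.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example,DC=com'

# G: the role group. Global scope, so members may come only from this domain,
# and its member list is not replicated to the Global Catalog.
New-ADGroup -Name 'G-Finance-Analysts' -GroupScope Global -GroupCategory Security -Path $ou -Description 'Finance analysts (role group, global scope)'
Add-ADGroupMember -Identity 'G-Finance-Analysts' -Members 'jdoe', 'asmith'

# DL: the resource group. Domain local scope, so it can be used only inside this
# domain (including FS01, a member server), but it may contain global groups from any trusted domain.
New-ADGroup -Name 'DL-Projects-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou -Description 'Modify access to \\FS01\Projects (resource group, domain local scope)'

# G -> DL: nest the role group into the resource group.
Add-ADGroupMember -Identity 'DL-Projects-Modify' -Members 'G-Finance-Analysts'

# P: grant the permission to the domain local group, never directly to users or to the global group.
$acl  = Get-Acl -Path '\\FS01\Projects'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\DL-Projects-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path '\\FS01\Projects' -AclObject $acl

# Check 1: confirm each group was created with the intended scope and shows the expected members.
foreach ($name in 'G-Finance-Analysts', 'DL-Projects-Modify') {
    $g = Get-ADGroup -Identity $name -Properties Members
    '{0,-22} scope={1,-12} members={2}' -f $g.Name, $g.GroupScope, ($g.Members -join '; ')
}

# Check 2: under A-G-DL-P a domain local resource group should contain groups only.
# A user added directly to it bypasses the role model, so flag any such member.
Get-ADGroupMember -Identity 'DL-Projects-Modify' |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Write-Warning "Direct user member in resource group: $($_.SamAccountName)" }

# Scope rule enforced by the directory: a global group cannot contain a domain local group.
# Active Directory refuses the nesting, so the Add-ADGroupMember call throws.
try {
    Add-ADGroupMember -Identity 'G-Finance-Analysts' -Members 'DL-Projects-Modify' -ErrorAction Stop
} catch {
    Write-Warning "Rejected as expected (DL group cannot be nested in a Global group): $($_.Exception.Message)"
}
```

Run it once from a domain-joined administrative session. Moving a user between roles afterwards means editing only the global group; the domain local group, the ACL on the share, and any universal group that consolidates several global groups are untouched, which is exactly the replication behaviour the section describes.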