Domain Local: groups can contain users, global groups and universal groups from anywhere in the AD forest, but can only be used to secure resources within the same domain.
Global: groups can contain only users and groups from within the same domain, but can be used to secure resources anywhere in the forest.
Universal: groups can contain objects from anywhere in the forest, and can be used to secure resources anywhere in the forest.
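Group Scope | Can Contain | Usage |
Domain Local | Users, global groups and universal groups from anywhere in the AD forest | Securing resources within the same domain |
Global | Only users and groups from within the same domain | Securing resources anywhere in the forest |
Universal | Objects from anywhere in the forest | Securing resources anywhere in the forest |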
You can convert a group's scope only in the following ways, and a conversion will only take place if the group's "member of" relationships are compatible with the new scope:
- Domain Local to Universal
- Global to Universal
- Universal to Domain Local or Global
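The following added example (not part of the original page) models a pre-change audit that reports why a scope conversion would be refused. The blocking conditions per conversion are an assumption taken from Microsoft's documented AD DS preconditions, which this page does not spell out; the group names and the `conversion_blockers` helper are hypothetical, and the directory data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    scope: str                                     # "DomainLocal", "Global" or "Universal"
    members: list = field(default_factory=list)    # names of nested groups
    member_of: list = field(default_factory=list)  # names of parent groups

# Per supported conversion: which relationship to inspect and which scope
# found there blocks the change (assumption: Microsoft's documented
# AD DS preconditions, not stated on the page itself).
BLOCKING = {
    ("DomainLocal", "Universal"): ("members", "DomainLocal", "contains Domain Local group"),
    ("Global", "Universal"): ("member_of", "Global", "is a member of Global group"),
    ("Universal", "DomainLocal"): ("member_of", "Universal", "is a member of Universal group"),
    ("Universal", "Global"): ("members", "Universal", "contains Universal group"),
}

def conversion_blockers(name, target, directory):
    """Return the reasons a scope change would be refused; an empty list means allowed."""
    group = directory[name]
    key = (group.scope, target)
    if key not in BLOCKING:
        return [f"{group.scope} to {target} is not a supported conversion"]
    attr, bad_scope, why = BLOCKING[key]
    return [f"{why} {n}" for n in getattr(group, attr)
            if directory[n].scope == bad_scope]

# Constructed sample directory (hypothetical group names).
DIRECTORY = {g.name: g for g in [
    Group("GG-Sales", "Global", member_of=["GG-AllStaff", "DL-SalesShare"]),
    Group("GG-AllStaff", "Global", members=["GG-Sales"]),
    Group("DL-SalesShare", "DomainLocal",
          members=["GG-Sales", "UG-Finance"], member_of=["DL-Archive"]),
    Group("DL-Archive", "DomainLocal", members=["DL-SalesShare"]),
    Group("UG-Finance", "Universal", member_of=["DL-SalesShare"]),
]}

if __name__ == "__main__":
    for name, target in [("GG-Sales", "Universal"), ("DL-Archive", "Universal"),
                         ("UG-Finance", "Global"), ("GG-Sales", "DomainLocal")]:
        result = conversion_blockers(name, target, DIRECTORY)
        print(f"{name} -> {target}:", result or "OK")
```

Running a check like this against an export of group memberships before a scope change shows which nesting has to be unwound first, instead of discovering it from a failed change.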