Groups in AD | Domain Local, Global, Universal

Domain Local: groups can contain users, global groups and universal groups from anywhere in the AD forest, but can only be used to secure resources within the same domain.

Global: groups can contain only users and groups from within the same domain, but can be used to secure resources anywhere in the forest.

Universal: groups can contain objects from anywhere in the forest, and can be used to secure resources anywhere in the forest.


Group scope, what it can contain, and where it can be used:

Domain Local
  Can contain:
  • User accounts from any domain in the forest
  • Global or universal groups from any domain in the forest
  • User accounts, global or universal groups from a trusted forest domain
  • Other domain local groups from the same domain
  Usage:
  • Resources in local domain

Global
  Can contain:
  • User accounts in the same domain
  • Other global groups from the same domain
  Usage:
  • Any domain in the forest or trusted forests

Universal
  Can contain:
  • Users, global groups or universal groups from any domain in the forest
  Usage:
  • Any domain in the forest or trusted forests

Only the following scope conversions are possible, and a conversion will only take place if the group's existing “member of” relationships are compatible with it:

  • Domain Local to Universal
  • Global to Universal
  • Universal to Domain Local & Global
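
The conversion rule above can be pre-checked against an export of group memberships before a scope is changed. The following is an added example, not code from the original page: it models the "can contain" rules listed earlier for a single forest (trusted forests are not modelled) and reports which existing memberships would no longer fit after a conversion. The directory contents, group names and domain names are constructed sample data, and the check is a model of the rules on this page rather than Active Directory's own validation.

```python
# Added example (not from the original page). Group names, domains and the
# export layout below are constructed sample data.
ALLOWED_CONVERSIONS = {("DomainLocal", "Universal"), ("Global", "Universal"),
                       ("Universal", "DomainLocal"), ("Universal", "Global")}

# name -> (domain, kind, member names); kind is "User" or a group scope
DIRECTORY = {
    "alice":       ("corp", "User", []),
    "bob":         ("emea", "User", []),
    "GG-Payroll":  ("corp", "Global", ["alice"]),
    "GG-Finance":  ("corp", "Global", ["GG-Payroll"]),
    "UG-AllStaff": ("corp", "Universal", ["GG-Finance", "bob"]),
    "DL-Share-RW": ("corp", "DomainLocal", ["UG-AllStaff", "DL-Share-RO"]),
    "DL-Share-RO": ("corp", "DomainLocal", []),
}

def may_contain(c_scope, c_domain, m_kind, m_domain):
    """Containment rules from the page, single forest (trusts not modelled)."""
    same = c_domain == m_domain
    if c_scope == "Global":
        return same and m_kind in ("User", "Global")
    if c_scope == "Universal":
        return m_kind in ("User", "Global", "Universal")
    if c_scope == "DomainLocal":
        return m_kind != "DomainLocal" or same
    return False

def conversion_blockers(name, target, directory=DIRECTORY):
    """Return reasons why `name` cannot become `target`; empty list means OK."""
    domain, scope, members = directory[name]
    if (scope, target) not in ALLOWED_CONVERSIONS:
        return [f"{scope} to {target} is not a supported conversion"]
    reasons = []
    for m in members:  # would the group still be allowed to hold its members?
        m_domain, m_kind, _ = directory[m]
        if not may_contain(target, domain, m_kind, m_domain):
            reasons.append(f"member {m} ({m_kind}, {m_domain}) not allowed in {target}")
    for parent, (p_domain, p_scope, p_members) in directory.items():
        # would every group that contains it still be allowed to?
        if name in p_members and not may_contain(p_scope, p_domain, target, domain):
            reasons.append(f"parent {parent} ({p_scope}) cannot contain a {target} group")
    return reasons

if __name__ == "__main__":
    for group, target in [("GG-Payroll", "Universal"), ("UG-AllStaff", "Global")]:
        print(group, "->", target, conversion_blockers(group, target) or "OK")
```

An empty result means every current membership would still satisfy the containment rules after the change; any listed reason names the membership to remove or restructure first.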
