Unlike group types, which are fairly simple to understand, group scopes can be frustrating to those new to working with Windows Server 2003 and Active Directory. The scope of the group identifies the extent to which the group is applied throughout the domain tree or forest. There are four group scopes:
Local groups
Local groups can contain user accounts from the local machine, user accounts from the domain the local machine is joined to, or user accounts from any trusted domains of the domain the machine is joined to. Only local groups can manage permissions for local resources (local to a single machine).
Domain local groups
Domain local groups can include other groups and user/computer accounts from Windows Server 2003, Windows 2000 Server, and Windows NT domains. Permissions for only the domain in which the group is defined can be assigned to domain local groups.
Global groups
Global groups can include other groups and user/computer accounts from only the domain in which the group is defined. Permissions for any domain in the forest can be assigned to global groups.
Universal groups
Universal groups can include other groups and user/computer accounts from any domain in the domain tree or forest. Permissions for any domain in the domain tree or forest can be assigned to universal groups. Universal groups are only available if your domain functional level is set to Windows 2000 native mode.
Related Tips:
NTFS Permissions
NTFS Special Permissions
Windows Server 2003 Commands
Windows Server 2003 Editions
Back to the Computer Networking Tips Home
