Group scope

Groups, whether a security group or a distribution group, are characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. There are three group scopes: universal, global, and domain local.

Members of universal groups can include other groups and accounts from any domain in the domain tree or forest and can be assigned permissions in any domain in the domain tree or forest.
Members of global groups can include other groups and accounts only from the domain in which the group is defined and can be assigned permissions in any domain in the forest.
Members of domain local groups can include other groups and accounts from Windows Server 2003, Windows 2000, or Windows NT domains and can be assigned permissions only within a domain.

The following table summarizes the behaviors of the different group scopes.

Universal scope	Global scope	Domain local scope
When the domain functional level is set to Windows 2000 native or Windows Server 2003, members of universal groups can include accounts, global groups, and universal groups from any domain.	When the domain functional level is set to Windows 2000 native or Windows Server 2003, members of global groups can include accounts and global groups from the same domain.	When the domain functional level is set to Windows 2000 native or Windows Server 2003, members of domain local scope can include accounts, global groups, and universal groups from any domain, as well as domain local groups from the same domain.
When the domain functional level is set to Windows 2000 mixed, security groups with universal scope cannot be created.	When the domain functional level is set to Windows 2000 mixed, members of global groups can include accounts from the same domain.	When the domain functional level is set to Windows 2000 native or Windows Server 2003, members of domain local groups can include accounts and global groups from any domain.
When the domain functional level is set to Windows 2000 native or Windows Server 2003, groups can be added to other groups and assigned permissions in any domain.	Groups can be added to other groups and assigned permissions in any domain.	Groups can be added to other domain local groups and assigned permissions only in the same domain.
Groups can be converted to domain local scope. Groups can be converted to global scope, as long as no other universal groups exists as members.	Groups can be converted to universal scope, as long as the group is not a member of any other group with global scope.	Groups can be converted to universal scope, as long as the group does not have as its member another group with domain local scope.

When to use groups with domain local scope

Groups with domain local scope help you define and manage access to resources within a single domain. These groups can have as their members:

Groups with global scope
Groups with universal scope
Accounts
Other groups with domain local scope
A mixture of any of the above

For example, to give five users access to a particular printer, you could add all five user accounts in the printer permissions list. If, however, you later want to give the five users access to a new printer, you would again have to specify all five accounts in the permissions list for the new printer.

With a little planning, you can simplify this routine administrative task by creating a group with domain local scope and assigning it permission to access the printer. Put the five user accounts in a group with global scope and add this group to the group having domain local scope. When you want to give the five users access to a new printer, assign the group with domain local scope permission to access the new printer. All members of the group with global scope automatically receive access to the new printer.

When to use groups with global scope

Use groups with global scope to manage directory objects that require daily maintenance, such as user and computer accounts. Because groups with global scope are not replicated outside of their own domain, accounts in a group having global scope can be changed frequently without generating replication traffic to the global catalog. For more information about groups and replication, see How replication works.

Although rights and permissions assignments are valid only within the domain in which they are assigned, by applying groups with global scope uniformly across the appropriate domains, you can consolidate references to accounts with similar purposes. This will simplify and rationalize group management across domains. For example, in a network with two domains, Europe and UnitedStates, if there is a group with global scope called GLAccounting in the UnitedStates domain, there should also be a group called GLAccounting in the Europe domain (unless the accounting function does not exist in the Europe domain).

It is strongly recommended that you use global groups or universal groups instead of domain local groups when specifying permissions on domain directory objects replicated to the global catalog. For more information, see Global catalog replication.

When to use groups with universal scope

Use groups with universal scope to consolidate groups that span domains. To do this, add the accounts to groups with global scope and nest these groups within groups having universal scope. Using this strategy, any membership changes in the groups having global scope do not affect the groups with universal scope.

For example, in a network with two domains, Europe and UnitedStates, and a group having global scope called GLAccounting in each domain, create a group with universal scope called UAccounting to have as its members the two GLAccounting groups, UnitedStates\GLAccounting and Europe\GLAccounting. The UAccounting group can then be used anywhere in the enterprise. Any changes in the membership of the individual GLAccounting groups will not cause replication of the UAccounting group.

The membership of a group with universal scope should not change frequently, since any changes to these group memberships cause the entire membership of the group to be replicated to every global catalog in the forest. For more information about universal groups and replication, see Global catalog and replication.

Changing group scope

When creating a new group, by default, the new group is configured as a security group with global scope regardless of the current domain functional level. Although changing a group scope is not allowed in domains with a domain functional level set to Windows 2000 mixed, the following conversions are allowed in domains with the domain functional level set to Windows 2000 native or Windows Server 2003:

Global to universal. This is only allowed if the group you want to change is not a member of another global scope group.
Domain local to universal. This is only allowed if the group you want to change does not have another domain local group as a member.
Universal to global. This is only allowed if the group you want to change does not have another universal group as a member.
Universal to domain local. No restrictions for this operation.

For more information, see To change group scope.

Groups on client computers and stand-alone servers

Some group features, such as universal groups, group nesting, and the distinction between security groups and distribution groups, are available only on Active Directory domain controllers and member servers. Group accounts on Windows 2000 Professional, XOX, Windows 2000 Server, and stand-alone servers running Windows Server 2003 work the same way as in Windows NT 4.0:

Only local groups can be created locally on the computer.
A local group created on one of these computers can be assigned permissions only on that one computer.

For more information, see Default local groups.