Directory Services

What Type of Group to Use

Which type of group should you create? When you create a group, you specify both its type and its scope. How you intend to use the group for access control also affects which type and scope you should choose.

Groups use the following types:

If the domain containing the group is running in native mode, you can convert the type of a group after it has been created. The type cannot be converted in mixed mode.

Groups use the following scopes:


If you intend a group to be used to set access rights on directory objects, you must create a group with Global scope. All objects and their security descriptors, which control access to the object, are replicated to every global catalog server. The Configuration container (which contains objects that also have security descriptors) is also replicated to all DCs in the forest. If you use a domain local group to assign rights in a security descriptor, there are circumstances in which the group is not in the user's access token and, therefore, the assigned right is not enforced. When the directory object is replicated to the Configuration container or global catalog in another domain and a user requests access to the object in that other domain, the DC handling the access request is not able to add the domain local group to the access token. In effect, the access defined by a right assigned to a domain local group is not enforced in those other domains; the assigned right is enforced only in the domain that contains the domain local group.

Domain Local groups should be used only to manage resources that 1) are not stored in the directory (such as file shares, printer queues, and so on) and 2) are on computers in the domain containing the Domain Local group.
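The two rules above can be checked with a short script. The following PowerShell is an added example, not code from the original page: it creates a Global security group suitable for use in directory-object security descriptors, and audits an existing directory object's ACL for entries granted to Domain Local groups, which a DC in another domain cannot add to a user's access token. It assumes the RSAT ActiveDirectory module is installed; the function names, the OU path and the distinguished name in the usage line are placeholders.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory
# module is installed and that the caller supplies a real distinguished name;
# the DN and group names below are placeholders.
Import-Module ActiveDirectory

# Create a security group with Global scope, the scope required for groups
# that are used in the security descriptors of directory objects.
function New-DirectoryAclGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path   # distinguished name of the target OU
    )
    New-ADGroup -Name $Name -SamAccountName $Name -Path $Path `
        -GroupCategory Security -GroupScope Global -PassThru
}

# Audit the security descriptor of a directory object and report every ACE
# whose trustee resolves to a Domain Local group. Such ACEs are enforced only
# by DCs in the group's own domain: a DC in another domain cannot add the
# group to the requesting user's access token, so the right silently lapses there.
function Get-DomainLocalAceReport {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # The AD: drive is provided by the ActiveDirectory module
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    foreach ($ace in $acl.Access) {
        # Translate the trustee (DOMAIN\Name) to a SID; skip anything that does not resolve
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }

        # Only group objects have a scope; users, computers and unresolvable
        # well-known SIDs make Get-ADGroup throw, so they are skipped here
        try {
            $group = Get-ADGroup -Identity $sid -ErrorAction Stop
        } catch { continue }

        if ($group.GroupScope -eq 'DomainLocal') {
            [pscustomobject]@{
                Object     = $DistinguishedName
                Trustee    = $ace.IdentityReference.Value
                Scope      = $group.GroupScope
                Category   = $group.GroupCategory
                Rights     = $ace.ActiveDirectoryRights
                AccessType = $ace.AccessControlType
                Finding    = 'Right enforced only in the domain that owns this group'
            }
        }
    }
}

# Usage with placeholder values: create a Global group for directory ACLs, then
# list the ACEs on an OU that would not be enforced by DCs in other domains.
# New-DirectoryAclGroup -Name 'ServerOU-Readers' -Path 'OU=Groups,DC=example,DC=com'
# Get-DomainLocalAceReport -DistinguishedName 'OU=Servers,DC=example,DC=com' | Format-Table -AutoSize
```

Running the audit against objects that replicate forest-wide (anything under the Configuration container, or attributes in the global catalog partial attribute set) is where findings matter most, since those are the objects a user in another domain can request access to. Rights on file shares and print queues are out of scope for this check; for those, a Domain Local group on the resource's own domain is the intended design.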