Directory Services

Where Groups Can Be Created

In Active Directory, groups are created in domains. Groups can be created at the root of the domain (domainDNS), in an organizational unit (OU), or in a container (container) object.

The domain where you create a group can make a difference based on the scope of the group. The scope of a group determines 1) domains where members can be added from and 2) domains where the group can be used to grant permissions.

You should choose the particular container (domain, OU, or container) where you create a group based on the administration required for the group. For example, if your directory has multiple OUs, each of which has a different user to administer it, you may want to create global groups within those OUs so that those administrators can manage group membership for users in those OUs. If groups are required for access control outside the OU, the groups within the OUs can be nested in universal groups (or other global groups) that can be used elsewhere in the domain and forest.

Note  Groups can be moved within a domain; however, only universal groups can be moved from one domain to another.