Directory Services

Scope of Groups

Each security and distribution group has a scope. There are three scopes for groups, as shown in the following table.

| Scope | Members | Grant Permissions | Member of Other Groups |
|---|---|---|---|
| Universal | From any Windows NT/Windows 2000 domain in the forest: Universal Groups, Global Groups and users (including contacts) from any domain in the forest. | On any domain in the forest | Can be a member of the following groups in the forest: Local Groups and Universal Groups. |
| Global | Only from the domain containing the group: Global Groups and users (including contacts) from the domain containing the group. | On any domain in the forest | Can be a member of any group in the forest: Global Groups, Local Groups, and Universal Groups. |
| Domain Local | From any domain in the forest: Global Groups, Universal Groups, and users (including contacts) from any domain in the forest. Domain local groups from the domain containing the group. | Only on the domain containing the group | Can be a member only of Local Groups in the domain containing the group. |

If you have multiple forests, users from one forest cannot be placed in groups in another, and groups from one forest cannot be given permissions in another.

In short, a universal group can contain users and groups from any domain and can be used for access control in any domain. A global group can contain only users and groups from a single domain and can be used for access control on any domain. A domain local group can contain users and groups from any domain and can only be used for access control on a single domain.
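The following Python sketch is an added example, not part of the original documentation. It encodes the Members and Grant Permissions columns of the table, then walks a user's nested group memberships to show in which domains each group can be used for access control and which nestings the scope rules reject. It assumes a single forest; all names, domains and memberships are constructed sample data.

```python
from collections import deque

# Constructed model of the scope table; names and domains below are sample data.
# container scope -> {member scope: True if the member must be in the same domain}
MEMBER_RULES = {
    "universal":    {"user": False, "global": False, "universal": False},
    "global":       {"user": True, "global": True},
    "domain_local": {"user": False, "global": False, "universal": False,
                     "domain_local": True},
}

def nesting_allowed(container, member):
    """True if `member` may be placed in `container` under the scope table."""
    same_domain = MEMBER_RULES[container["scope"]].get(member["scope"])
    if same_domain is None:          # member scope not accepted at all
        return False
    return not same_domain or container["domain"] == member["domain"]

def permission_domains(group, forest):
    """Domains in which `group` can be granted permissions."""
    return {group["domain"]} if group["scope"] == "domain_local" else set(forest)

def effective_reach(start, objects, edges, forest):
    """Follow valid nestings from `start`; return ({domain: groups}, violations)."""
    reach = {d: set() for d in forest}
    violations, seen, queue = [], {start}, deque([start])
    while queue:
        member = queue.popleft()
        for parent in [p for c, p in edges if c == member]:
            if not nesting_allowed(objects[parent], objects[member]):
                violations.append((member, parent))   # rejected by scope rules
                continue
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
                for d in permission_domains(objects[parent], forest):
                    reach[d].add(parent)
    return reach, violations

FOREST = ["corp.example", "eu.corp.example"]
OBJECTS = {
    "alice":         {"scope": "user", "domain": "eu.corp.example"},
    "EU-Sales":      {"scope": "global", "domain": "eu.corp.example"},
    "All-Sales":     {"scope": "universal", "domain": "corp.example"},
    "Share-Readers": {"scope": "domain_local", "domain": "corp.example"},
    "Corp-Admins":   {"scope": "global", "domain": "corp.example"},
}
EDGES = [("alice", "EU-Sales"), ("EU-Sales", "All-Sales"),
         ("All-Sales", "Share-Readers"), ("EU-Sales", "Corp-Admins")]
```

Calling `effective_reach("alice", OBJECTS, EDGES, FOREST)` shows that the domain local group applies only in its own domain, while the global and universal groups apply in both, and that nesting a global group into a global group of another domain is reported as a violation.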