Some people have difficulty differentiating between Universal, Global and Domain Local groups (including me, sometimes). The table below illustrates the differences between those group scopes.
Some lessons learnt:
- Global groups can be added to Domain Local groups (from the same domain or across domains), but not vice versa.
- For Global groups, you can only add accounts from the group's own domain and Global groups from that same domain.
- In order to add accounts from any domain, you need a Domain Local group; a Global group won't allow you to do so.
- Converting a group to Domain Local, adding the cross-domain users, and then converting it back to Global won't do the trick.
- Domain Local groups cannot be added to Domain Local groups from any domain other than their own domain and the parent domain.
| Group scope | Group can include as members… | Group can be assigned permissions in… | Group scope can be converted to… |
|---|---|---|---|
| Universal | Accounts from any domain within the forest in which this Universal group resides; Global groups from any domain within the forest in which this Universal group resides; Universal groups from any domain within the forest in which this Universal group resides | Any domain or forest | Domain local; Global (as long as no other universal groups exist as members) |
| Global | Accounts from the same domain as the parent global group; Global groups from the same domain as the parent global group | Member permissions can be assigned in any domain | Universal (as long as it is not a member of any other global groups) |
| Domain local | Accounts from any domain; Global groups from any domain; Universal groups from any domain; Domain local groups, but only from the same domain as the parent domain local group | Member permissions can be assigned only within the same domain as the parent domain local group | Universal (as long as no other domain local groups exist as members) |

Note: The information in this table implies that the domain functional level is set to either Windows 2000 native or Windows Server 2003. When the domain functional level is set to Windows 2000 mixed or Windows Server 2003 interim, security groups with universal scope cannot be created, although distribution groups with universal scope are still permitted.
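The membership rules ("can include as members") and conversion rules ("can be converted to") from the table, together with the lessons above, as an added example that is not part of the original post: two checks a practitioner can run against a planned nesting or scope change before touching a real group. The Principal class, Scope enum, and all account and domain names are constructed for the example.

```python
# Added example, not code from the original post; names and domains are constructed.
from dataclasses import dataclass, field
from enum import Enum

Scope = Enum("Scope", "UNIVERSAL GLOBAL DOMAIN_LOCAL")

@dataclass
class Principal:
    name: str
    domain: str
    forest: str
    scope: "Scope | None" = None             # None means a user or computer account
    members: list = field(default_factory=list)
    member_of: list = field(default_factory=list)

def can_add_member(group, member):
    same_domain, same_forest = member.domain == group.domain, member.forest == group.forest
    if group.scope is Scope.UNIVERSAL:
        if not same_forest:
            return False, "universal: members must come from the same forest"
        if member.scope is Scope.DOMAIN_LOCAL:
            return False, "universal: cannot contain domain local groups"
    elif group.scope is Scope.GLOBAL:
        if not same_domain:
            return False, "global: members must come from the group's own domain"
        if member.scope in (Scope.UNIVERSAL, Scope.DOMAIN_LOCAL):
            return False, "global: can nest only other global groups"
    elif member.scope is Scope.DOMAIN_LOCAL and not same_domain:
        return False, "domain local: nested domain local groups must be from the same domain"
    return True, "ok"

def add_member(group, member):
    ok, why = can_add_member(group, member)
    if not ok:
        raise ValueError(f"{member.name} -> {group.name}: {why}")
    group.members.append(member)
    member.member_of.append(group)

def can_convert(group, new_scope):
    if group.scope is Scope.UNIVERSAL:
        if new_scope is Scope.GLOBAL and any(m.scope is Scope.UNIVERSAL for m in group.members):
            return False, "universal -> global: no universal groups may be members"
    elif new_scope is not Scope.UNIVERSAL:
        return False, f"{group.scope.name.lower()}: can only be converted to universal"
    elif group.scope is Scope.GLOBAL:
        if any(g.scope is Scope.GLOBAL for g in group.member_of):
            return False, "global -> universal: must not be a member of another global group"
    elif any(m.scope is Scope.DOMAIN_LOCAL for m in group.members):
        return False, "domain local -> universal: no domain local groups may be members"
    return True, "ok"
```

Running the "convert to Domain Local, add cross-domain users, convert back to Global" sequence through these checks fails at the last step, because a Domain Local group can only be converted to Universal.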