We’ve had quite a few questions about the difference between Domain Local Groups, Domain Global groups and Domain Universal groups. So, here we go:
Domain Local Groups
Best practice: use Domain Local Groups to grant access to resources, such as your file systems. The reason is that you can add users, Domain Global groups and Domain Universal groups from any domain in the forest (and from trusted domains) to a Domain Local group, so the ACL on the resource never needs to change when a new domain or group comes along.
Domain Global Groups
Best practice: use Domain Global Groups to organize users who share similar access requirements (a role, a department, a function), and make them members of the Domain Local Groups you use to grant access to resources. A Domain Global Group can only contain users, computers and other Domain Global Groups from its own domain.
Domain Universal Groups
Best practice: use Domain Universal Groups when assigning permissions to related resources in multiple domains. Remember, though, that the membership of a Universal Group is stored in the Global Catalog, and in forests below the Windows Server 2003 forest functional level (that is, at the Windows 2000 level) any change to a Universal Group replicates the whole membership list to every Global Catalog server in the forest.
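The three best practices above put together form what Microsoft calls the AGDLP pattern: Accounts go into Global groups, Global groups are nested in Domain Local groups, and Permissions are granted to the Domain Local group. The following is an added example using the ActiveDirectory PowerShell module; it is not code from the original post or from aducADMIN+. The OU, the share path, the group names and the account names are assumptions.

```powershell
# Added example, not from the original post. Assumptions: an OU named
# OU=Groups,DC=corp,DC=example, a folder D:\Shares\Finance on this server,
# and two existing users with sAMAccountNames alice and bob.
Import-Module ActiveDirectory

$ou    = 'OU=Groups,DC=corp,DC=example'   # assumed OU that holds the groups
$share = 'D:\Shares\Finance'              # assumed resource to protect

# G: a global group that describes a role, i.e. people with the same access needs
$roleGroup = New-ADGroup -Name 'Finance-Staff' -GroupScope Global -GroupCategory Security `
    -Path $ou -Description 'Role: finance department staff' -PassThru

# DL: a domain local group that describes exactly one permission on one resource
$aclGroup = New-ADGroup -Name 'ACL-Finance-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $ou -Description "Modify on $share" -PassThru

# A -> G: accounts are only ever members of role groups
Add-ADGroupMember -Identity $roleGroup -Members 'alice', 'bob'   # assumed sAMAccountNames

# G -> DL: the role group is nested in the resource group. Because the target is
# domain local, a global or universal group from any other domain in the forest
# could be nested here in exactly the same way.
Add-ADGroupMember -Identity $aclGroup -Members $roleGroup

# DL -> P: the domain local group is the only principal named in the resource ACL.
# The group's SID is used directly so the ACE does not depend on name resolution.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $aclGroup.SID,
    'Modify',                             # FileSystemRights
    'ContainerInherit, ObjectInherit',    # inherit to subfolders and files
    'None',                               # PropagationFlags
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check: the explicit (non-inherited) ACEs on the share should name only domain
# local groups, never individual users or global groups.
(Get-Acl -Path $share).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The final check is the one worth repeating periodically: if a user or a Global group shows up as an explicit ACE on a share, someone has bypassed the pattern, and that ACE will break the moment a second domain needs the same access.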
So, when to use what scope? First, let me emphasize that Microsoft still insists on the best practices described above.
The scope differences originate from the NT4 days, when a Microsoft network typically consisted of a single domain. NT4 only knew Local and Global groups. Universal groups were created for Active Directory to support cross-domain memberships, and in the early days they came at a price. Universal group membership is stored in the Global Catalog, and a group's membership list is a single multi-valued attribute (member) on the group object. Before linked-value replication existed, that attribute replicated as one unit, so changing a Universal group, say by adding one member, sent the entire member list over the line to every Global Catalog server in the forest.
Things changed with the Windows Server 2003 forest functional level, which enables linked-value replication: since then only the individual membership values that changed are replicated, which dramatically reduces the cost of using Domain Universal groups.
So, if your hardware and network bandwidth are reasonable across the board (you have no Global Catalog servers behind very slow network connections), there is no longer any need to shy away from using Universal groups exclusively. One caveat remains: a domain controller that is not a Global Catalog server must contact a Global Catalog at logon to evaluate a user's universal group memberships, so a site without a Global Catalog needs Universal Group Membership Caching enabled, or logons there depend on the WAN link being up.
There is one thing you should not do, though: don't use Domain Global groups to grant access to resources. A Domain Global group can only contain users, computers and other Domain Global groups from its own domain; you cannot add users, Domain Local, Global or Universal groups from another domain to it. So if you create another domain in your forest, you cannot simply add users or groups from that new domain to your existing security structure.
If you run into this problem, don’t redesign your security structures.
Just use ADUC AdminPlus to convert your existing Domain Global groups …
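The conversion itself can also be done with the ActiveDirectory PowerShell module, as in the following added example (not code from the original post or from aducADMIN+). Active Directory refuses to convert a Global group to Universal while that group is still a member of another Global group, so the function checks for that first; it then demonstrates the payoff, adding a user from another domain in the forest. The group name, the user name and the domain names are assumptions.

```powershell
# Added example, not from the original post. Assumptions: a global group named
# Finance-Staff in the current domain, and a second domain in the forest whose
# DNS name is emea.corp.example containing a user named carol.
Import-Module ActiveDirectory

function Convert-GlobalGroupToUniversal {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Server   # a DC of the group's own domain; omit for the current domain
    )
    $dcArgs = @{}
    if ($Server) { $dcArgs['Server'] = $Server }

    $group = Get-ADGroup -Identity $Name -Properties memberOf @dcArgs
    if ($group.GroupScope -ne 'Global') {
        throw "$Name has scope $($group.GroupScope), not Global; nothing to convert."
    }

    # AD rule: Global -> Universal is only allowed when the group is not a member
    # of any Global group (a Global group may only contain objects from its own
    # domain, and a Universal group does not qualify). Find such parents first so
    # the error is actionable instead of a generic constraint violation.
    $blocking = foreach ($dn in $group.memberOf) {
        $parent = Get-ADGroup -Identity $dn @dcArgs
        if ($parent.GroupScope -eq 'Global') { $parent.Name }
    }
    if ($blocking) {
        throw "Remove $Name from these Global groups before converting: $($blocking -join ', ')"
    }

    Set-ADGroup -Identity $group -GroupScope Universal @dcArgs
    # Return the refreshed object; GroupScope is now Universal.
    Get-ADGroup -Identity $group @dcArgs
}

# Convert the existing role group in place; no ACLs or nestings change.
$role = Convert-GlobalGroupToUniversal -Name 'Finance-Staff'

# Now a user from the new domain can become a member. Look the user up on a DC
# of that domain and pass the object; AD creates the foreign security principal.
$newDomainUser = Get-ADUser -Identity 'carol' -Server 'emea.corp.example'   # assumed
Add-ADGroupMember -Identity $role -Members $newDomainUser

# Check: list the member DNs on the group object itself. Cross-domain members
# show up here; Get-ADGroupMember does not always resolve them.
Get-ADGroup -Identity $role -Properties member |
    Select-Object -ExpandProperty member
```

The other conversion rules are the mirror image: a Domain Local group can become Universal only if it contains no other Domain Local group, and a Universal group can go back to Global only if it contains no other Universal group. Universal to Domain Local has no restriction.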
Vision It has been developing custom software solutions since 2009 and launched aducADMIN+ in 2010 to help us save time and money managing our own networks.
We develop software out of Amsterdam, The Netherlands, with installations in over 50 countries around the globe.