Domain Local, Global And Universal Groups

Posted September 18th, 2013

We’ve had quite a few questions about the difference between Domain Local Groups, Domain Global groups and Domain Universal groups. So, here we go:

Domain Local Groups

  • With Domain Local Groups, permissions can only be assigned to resources in the same domain.
  • Domain Local Groups can contain users, Domain Universal, and Domain Global Groups from any domain, as well as Domain Local groups from the same domain.
  • Domain Local Groups can be a member of Domain Local Groups from the same domain.

Best practice: use Domain Local Groups to grant access to resources, such as your file systems. The reason being that you can add Domain Global and Domain Universal groups from any domain to a Domain Local group.

Domain Global Groups:

  • With Domain Global Groups, permissions can be assigned to resources in any domain.
  • Domain Global Groups can only contain users and Domain Global Groups from the same domain.
  • Domain Global Groups can be a member of Domain Local Groups and Domain Universal Groups in any domain.

Best practice: use Domain Global Groups to organize users who share similar access requirements, and make them members of the Domain Local Groups you use to grant access to resources.

Domain Universal Groups:

  • With Domain Universal Groups, permissions can be assigned to resources in any domain.
  • Domain Universal Groups can contain users, Domain Global Groups and Domain Universal Groups from any domain.
  • Domain Universal Groups can be a member of Domain Local Groups and Domain Universal Groups in any domain.

Best practice: use Domain Universal Groups when assigning permissions to related resources in multiple domains. Remember, though, that in forests with functional level 2003 or lower Domain Universal Groups are stored in their entirety in the Global Catalog, and are therefore replicated in their entirety across your Domain Controllers when you make one change to them.


So, when to use what scope? First, let me emphasize that Microsoft still insists on the best practices described above.

The whole scope differences originate from the good old NT4 days, when Microsoft networks only consisted of one domain. NT4 only knew Domain Local and Domain Global groups. Universal groups were created to support Active Directory and cross-domain memberships, and in the early days they came at a price. Universal groups are stored in the Global Catalog, and if you changed them, let’s say by adding a member, the whole group was replicated across your Active Directory (basically, all the members were sent over the line to all Global Catalog servers, because a group’s memberships are stored as an attribute value in its members).

But things have changed since Forest Functional Level 2003 came into play, because since then only the changes are replicated, tremendously reducing the cost of using Domain Universal groups.

So, if your hardware and network bandwidth are ‘reasonable’ across the board (you have no Global Catalog servers behind very slow network connections), there is no longer any need to shy away from exclusively using Universal groups.

There is one thing that you should not do, though: don’t use Domain Global groups to grant access to resources, for the reason stated above. You cannot add foreign users, Domain Local, Global or Universal groups to a Domain Global group, and so if you create another Domain in your forest, you cannot simply add users or groups from that new domain to your existing security structure.
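The nesting and permission rules from the three lists above, together with the warning in the previous paragraph about granting resource permissions to Domain Global groups, can be encoded as a small checker. The following is an added example written for this page, not code from the original post or from the aducADMIN+ product; the domain names, group names and ACL entries are constructed sample data, and an auditor would feed it real data exported from the directory.

```python
"""Model of the Active Directory group-scope rules described in the post.
Added example; domains, groups and ACEs below are constructed sample data."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional


class Scope(Enum):
    DOMAIN_LOCAL = "DomainLocal"
    GLOBAL = "Global"
    UNIVERSAL = "Universal"


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    scope: Optional[Scope] = None  # None means a user account, not a group


def can_contain(group: Principal, member: Principal) -> bool:
    """True if `member` may be added to `group`, per the scope rules in the post."""
    if group.scope is None:
        raise ValueError("a user account cannot have members")
    same_domain = group.domain == member.domain
    if group.scope is Scope.DOMAIN_LOCAL:
        # users, Universal and Global groups from any domain; Domain Local only from the same domain
        return same_domain if member.scope is Scope.DOMAIN_LOCAL else True
    if group.scope is Scope.GLOBAL:
        # only users and Global groups from the same domain
        return same_domain and member.scope in (None, Scope.GLOBAL)
    # Universal: users, Global and Universal groups from any domain, never Domain Local groups
    return member.scope in (None, Scope.GLOBAL, Scope.UNIVERSAL)


def can_be_granted(group: Principal, resource_domain: str) -> bool:
    """True if `group` may hold permissions on a resource located in `resource_domain`."""
    if group.scope is Scope.DOMAIN_LOCAL:
        return group.domain == resource_domain
    # Global and Universal groups can be assigned permissions in any domain
    return group.scope in (Scope.GLOBAL, Scope.UNIVERSAL)


@dataclass(frozen=True)
class Ace:
    resource: str         # e.g. a file share
    resource_domain: str  # domain the resource lives in
    grantee: Principal


def audit_aces(aces: Iterable[Ace]) -> List[str]:
    """Report ACEs that break the scope rules, plus the post's one 'do not do this':
    resource permissions held directly by a Domain Global group."""
    findings = []
    for ace in aces:
        g = ace.grantee
        if g.scope is None:
            continue  # user accounts are outside the scope rules discussed here
        if not can_be_granted(g, ace.resource_domain):
            findings.append(f"{ace.resource}: {g.scope.value} group {g.name} ({g.domain}) "
                            f"cannot hold permissions in {ace.resource_domain}")
        elif g.scope is Scope.GLOBAL:
            findings.append(f"{ace.resource}: Global group {g.name} holds resource permissions; "
                            f"principals from other domains can never be added to it")
    return findings


# Constructed sample forest: a root domain and one child domain
CORP, EMEA = "corp.example", "emea.corp.example"
FS_FINANCE_RW = Principal("FS_Finance_RW", CORP, Scope.DOMAIN_LOCAL)
FINANCE_USERS = Principal("Finance_Users", CORP, Scope.GLOBAL)
EMEA_FINANCE = Principal("EMEA_Finance", EMEA, Scope.GLOBAL)
ALL_FINANCE = Principal("All_Finance", CORP, Scope.UNIVERSAL)
SAMPLE_ACES = [
    Ace("\\\\fs1\\finance", CORP, FS_FINANCE_RW),   # AGDLP: fine
    Ace("\\\\fs1\\budgets", CORP, FINANCE_USERS),   # Global group on a resource: flagged
    Ace("\\\\fs2\\reports", EMEA, FS_FINANCE_RW),   # Domain Local group used across domains: flagged
    Ace("\\\\fs2\\archive", EMEA, ALL_FINANCE),     # Universal group: fine
]


def sample_findings() -> List[str]:
    return audit_aces(SAMPLE_ACES)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Running the script prints two findings for the sample ACL: the Global group holding a share permission, and the Domain Local group granted on a resource in the child domain. The `can_contain` function is what you would call before nesting a group that was exported from another domain, so the design failure the post describes (a new domain whose users cannot be added to the existing structure) is caught before the change is made.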

If you run into this problem, don’t redesign your security structures.

Just use ADUC AdminPlus to convert your existing Domain Global groups …
