Each valid user within a domain has a user account in the domain's account database. Accounts can be collected into larger structures called groups. Within a Microsoft Windows NT domain there are two types of groups: local groups, which are the unit to which permissions on the domain's servers are granted, and global groups, which collect a domain's users so that they can be granted access to resources in this and other domains. The "scope" of each type of group is a key concept to understand, and the type name tells you where the group can be used. Global groups can be thought of as export groups: they can be placed into groups and permission lists in other domains. Local groups can be thought of as import groups: they can include users and global groups from other domains, but they define permissions for resources only within the domain in which they are defined. The shape of the network and the role the group is meant to play determine which type of group the administrator should create.
Many networking solutions have incorporated some form of user account as the means of granting logon access to resources. As local area networks have grown more complex, however, managing those accounts has become increasingly difficult. Even today, some networking environments force the administrator to create a separate user account on every server where a user needs access. To simplify user administration, Windows NT Server provides group accounts. Adding a user to a group gives the user every right and permission that group holds, and changing the group's rights changes them for every member at once, so access changes become a single edit rather than one edit per account. The same property is what makes group membership the thing to audit: one mistaken addition to a privileged group grants the new member everything that group can do, so reviews of access should start from the group membership lists rather than from individual accounts.
A global group may contain only user accounts that are defined in the domain in which the global group exists; it cannot contain other groups, global or local. Using trust relationships (discussed below), the users in a global group can be granted access to resources outside their own domain, which makes global groups the suitable building block for large, multidomain networks. A global group is, in effect, a maintained list of all the accounts in one domain that need a particular kind of access to resources in another domain, and the list is maintained in the domain that owns the accounts.
As mentioned previously, local groups can be considered import groups, which define permissions to resources only within the domain in which the local group exists; the term "local" describes the scope of the permissions the group can carry, not where its members come from. Local groups may contain users and global groups from the local domain (but not other local groups), as well as users and global groups from trusted domains. However, a local group can be assigned permissions and rights only in its home domain, so granting a right to a local group can never inadvertently extend access to resources in another domain. A local group created on a member server or workstation, rather than on a domain controller, has an even narrower scope: it can be granted permissions only on that one machine.
Local groups are not only an effective way of collectively assigning rights and permissions to a set of users within the home domain; they can also gather many global groups and users from other domains behind a single name. This lets an administrator change access to domain resources everywhere with one modification to the local group's permissions, and lets the administrators of the trusted domains control who gets that access by editing their own global groups. This is the pattern Microsoft recommends for Windows NT domains, usually abbreviated AGLP: place Accounts in Global groups, place global groups in Local groups, and assign Permissions to the local groups.
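The scoping rules from the preceding paragraphs (global groups hold only their own domain's users, local groups hold users and global groups but never other local groups, and a local group carries permissions only in its home domain) are easy to state and easy to get wrong in a large design. The following model, added here as an example and not code from the original page or from Microsoft, encodes those rules as checks and resolves the effective users of a share through the AGLP pattern across a one-way trust. The domain names RESOURCES, ACCOUNTS and PARTNER, the share paths, user names and the trust between them are constructed for illustration; NT 4 itself enforces these constraints in User Manager for Domains and in the SAM, this model only makes them visible.

```python
"""Windows NT group scoping rules as a checkable model (added example, not from the page)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    domain: str
    name: str

    def __str__(self) -> str:
        return f"{self.domain}\\{self.name}"


@dataclass(eq=False)
class GlobalGroup:
    """Export group: holds only user accounts defined in its own domain."""
    domain: str
    name: str
    members: set = field(default_factory=set)


@dataclass(eq=False)
class LocalGroup:
    """Import group: holds users and global groups, never other local groups."""
    domain: str
    name: str
    members: list = field(default_factory=list)


class NTNetwork:
    def __init__(self) -> None:
        self.trusts = set()  # (trusting_domain, trusted_domain): one-way, as in NT 4
        self.acl = {}        # (resource_domain, resource) -> list of LocalGroup

    def add_trust(self, trusting: str, trusted: str) -> None:
        """The trusting domain accepts accounts and global groups from the trusted domain."""
        self.trusts.add((trusting, trusted))

    def add_to_global(self, group: GlobalGroup, member) -> None:
        if not isinstance(member, User):
            raise ValueError("global groups may contain only user accounts")
        if member.domain != group.domain:
            raise ValueError(f"{member} is not defined in {group.domain}")
        group.members.add(member)

    def add_to_local(self, group: LocalGroup, member) -> None:
        if isinstance(member, LocalGroup):
            raise ValueError("local groups cannot be nested in local groups")
        if member.domain != group.domain and (group.domain, member.domain) not in self.trusts:
            raise ValueError(f"{group.domain} does not trust {member.domain}")
        group.members.append(member)

    def grant(self, domain: str, resource: str, group: LocalGroup) -> None:
        if group.domain != domain:
            raise ValueError("a local group carries permissions only in its home domain")
        self.acl.setdefault((domain, resource), []).append(group)

    def effective_users(self, domain: str, resource: str) -> set:
        """Expand local groups, then the global groups inside them, to the granted users."""
        users = set()
        for group in self.acl.get((domain, resource), []):
            for member in group.members:
                users |= {member} if isinstance(member, User) else member.members
        return users


def aglp_demo():
    """Accounts -> Global group -> Local group -> Permission, across a one-way trust."""
    net = NTNetwork()
    net.add_trust(trusting="RESOURCES", trusted="ACCOUNTS")   # constructed domains
    payroll = GlobalGroup("ACCOUNTS", "Payroll")
    for name in ("alice", "bob"):
        net.add_to_global(payroll, User("ACCOUNTS", name))
    readers = LocalGroup("RESOURCES", "PayrollReaders")
    net.add_to_local(readers, payroll)                          # import the global group
    net.add_to_local(readers, User("RESOURCES", "svc_backup"))  # plus a home-domain user
    net.grant("RESOURCES", r"\\FS1\Payroll$", readers)          # constructed share
    before = {str(u) for u in net.effective_users("RESOURCES", r"\\FS1\Payroll$")}
    # One edit in the accounts domain changes access everywhere the global group is imported.
    net.add_to_global(payroll, User("ACCOUNTS", "carol"))
    after = {str(u) for u in net.effective_users("RESOURCES", r"\\FS1\Payroll$")}
    return before, after


def rejected_operations():
    """Each attempt violates one NT scoping rule and is refused; returns the error messages."""
    net = NTNetwork()
    net.add_trust("RESOURCES", "ACCOUNTS")
    payroll = GlobalGroup("ACCOUNTS", "Payroll")
    readers = LocalGroup("RESOURCES", "PayrollReaders")
    attempts = [
        lambda: net.add_to_global(payroll, User("RESOURCES", "svc_backup")),  # foreign user in global
        lambda: net.add_to_local(readers, LocalGroup("RESOURCES", "Operators")),  # local in local
        lambda: net.add_to_local(readers, User("PARTNER", "eve")),  # PARTNER is not trusted
        lambda: net.grant("ACCOUNTS", r"\\DC1\Shared", readers),    # permission outside home domain
    ]
    errors = []
    for attempt in attempts:
        try:
            attempt()
        except ValueError as exc:
            errors.append(str(exc))
    return errors


if __name__ == "__main__":
    print(aglp_demo())
    print("\n".join(rejected_operations()))
```

Running the block shows the two halves of the argument: the effective user set of the share grows when carol is added to the global group in ACCOUNTS, with no change made in RESOURCES, and each of the four invalid operations is refused with a message naming the rule it broke.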