Platform SDK: Active Directory, ADSI, and Directory Services
Each security and distribution group has a scope.
There are three scopes for groups, as shown in the following table.
Scope | Members | Grant Permissions | Member of Other Groups |
---|---|---|---|
Universal | From any Windows NT/Windows 2000 domain in the forest: Universal Groups, Global Groups and users (including contacts) from any domain in the forest. | On any domain in the forest | Can be a member of the following groups in the forest: Local Groups and Universal Groups. |
Global | Only from the domain containing the group: Global Groups and users (including contacts) from the domain containing the group. | On any domain in the forest | Can be a member of any group in the forest: Global Groups, Local Groups, and Universal Groups. |
Domain Local | From any domain in the forest: Global Groups, Universal Groups, and users (including contacts) from any domain in the forest. Domain local groups from the domain containing the group. | Only on the domain containing the group | Can be a member only of Local Groups in the domain containing the group. |
If you have multiple forests, users from one forest cannot be placed in groups in another, and groups from one forest cannot be given permissions in another.
In short, a universal group can contain users and groups from any domain and can be used for access control in any domain. A global group can contain only users and groups from a single domain and can be used for access control on any domain. A domain local group can contain users and groups from any domain and can only be used for access control on a single domain.
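The scope rules in the table can be checked mechanically when reviewing group nesting. The following is an added example, not code from the Platform SDK: it assumes a single forest, treats contacts as users, and all names and domains in it are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str  # constructed domain names; one forest is assumed
    kind: str    # "user", "universal", "global" or "domain_local"

def can_contain(group, member):
    """True if `member` may be placed in `group` (Members column of the table)."""
    same_domain = group.domain == member.domain
    if group.kind == "universal":
        return member.kind in ("user", "global", "universal")
    if group.kind == "global":
        return same_domain and member.kind in ("user", "global")
    if group.kind == "domain_local":
        if member.kind == "domain_local":
            return same_domain
        return member.kind in ("user", "global", "universal")
    return False  # a user cannot contain members

def grant_domains(group, forest_domains):
    """Domains where `group` can be granted permissions (Grant Permissions column)."""
    if group.kind == "domain_local":
        return {group.domain}
    return set(forest_domains)

def audit(memberships):
    """Return (group, member) name pairs that break the scope rules."""
    return [(g.name, m.name) for g, m in memberships if not can_contain(g, m)]

# Constructed sample forest and memberships (not from the page).
FOREST = {"corp.example", "emea.example"}
alice = Principal("alice", "corp.example", "user")
g_sales = Principal("G-Sales", "corp.example", "global")
u_sales = Principal("U-Sales", "corp.example", "universal")
dl_share = Principal("DL-Share", "emea.example", "domain_local")
dl_other = Principal("DL-Other", "corp.example", "domain_local")
g_emea = Principal("G-EMEA", "emea.example", "global")
MEMBERSHIPS = [
    (g_sales, alice),      # valid: user in a global group of her own domain
    (u_sales, g_sales),    # valid: global group in a universal group
    (dl_share, u_sales),   # valid: universal group in a domain local group
    (g_emea, alice),       # invalid: global group, member from another domain
    (g_sales, u_sales),    # invalid: universal group inside a global group
    (dl_share, dl_other),  # invalid: domain local group from another domain
]
```

Calling `audit(MEMBERSHIPS)` returns the three invalid pairs, and `grant_domains(dl_share, FOREST)` shows that a domain local group is usable for access control only in its own domain.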