Active Directory Group Scopes

Jun 20, 2025

Overview

This lecture covers the concept of group scope in Active Directory, detailing the differences between domain local, global, and universal groups, their usage scenarios, conversion rules, and limitations for client computers and stand-alone servers.

Group Scope Overview

  • Group scope defines a group's reach for permissions in the domain or forest.
  • There are three group scopes: domain local, global, and universal.
  • Scope boundaries depend on the domain functional level.

Domain Local Groups

  • Used to define and manage access to resources within a single domain.
  • Can include accounts, global groups, and universal groups from any domain, and domain local groups from the same domain.
  • Permissions assigned only within the same domain.
  • Ideal for resource access like printers in one domain.

Global Groups

  • Used to manage objects requiring frequent changes, like user and computer accounts.
  • Membership limited to accounts and global groups from the same domain.
  • Permissions can be assigned in any domain.
  • Recommended for referencing similar accounts across domains.

Universal Groups

  • Used to consolidate groups from multiple domains for enterprise-wide resource access.
  • Can include accounts, global groups, and universal groups from any domain.
  • Permissions can be assigned anywhere in the forest.
  • Membership changes replicate to all global catalogs; newer functional levels use linked-value replication so only the changed membership values replicate rather than the whole member list.

Changing Group Scope

  • By default, new groups are security groups with global scope.
  • Scope changes allowed only in Windows 2000 native or higher domain functional level.
  • Allowed conversions: global ↔ universal and domain local ↔ universal (universal → domain local is one direction of the latter); there is no direct global ↔ domain local conversion.
  • Each conversion is restricted by the group's current members and by the groups it is itself a member of.
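The following PowerShell script is an added example, not part of the lecture: it pre-checks a requested scope conversion against the membership rules above (and the functional-level requirement) before applying it with Set-ADGroup. It assumes the RSAT ActiveDirectory module and a group named 'FinanceStaff' (placeholder); nested-group lookups query the current domain only, so cross-domain members are not resolved here.

```powershell
# Added example (not from the lecture): dry-run a group scope conversion.
# Assumes the RSAT ActiveDirectory module; 'FinanceStaff' is a placeholder name.
Import-Module ActiveDirectory

function Test-ADGroupScopeChange {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Global','Universal','DomainLocal')][string]$TargetScope
    )
    # Scope changes need Windows 2000 native or a higher domain functional level
    if ((Get-ADDomain).DomainMode -eq 'Windows2000MixedDomain') {
        return [pscustomobject]@{ Group = $Identity; Allowed = $false
                                  Reason = 'Domain is in Windows 2000 mixed mode' }
    }
    $group = Get-ADGroup -Identity $Identity -Properties memberOf
    $from  = $group.GroupScope.ToString()
    $dn    = $group.DistinguishedName
    # Groups nested inside this group (current domain only) and groups it belongs to
    $nested  = @(Get-ADGroup -LDAPFilter "(memberOf=$dn)")
    $parents = @($group.memberOf | ForEach-Object { Get-ADGroup -Identity $_ })

    if ($from -eq $TargetScope) { $reason = 'Group already has that scope' }
    else {
        $reason = switch ("$from->$TargetScope") {
            'Global->Universal'      { if ($parents.GroupScope -contains 'Global')     { 'Group is a member of another global group' } }
            'DomainLocal->Universal' { if ($nested.GroupScope  -contains 'DomainLocal') { 'Group contains another domain local group' } }
            'Universal->Global'      { if ($nested.GroupScope  -contains 'Universal')   { 'Group contains another universal group' } }
            'Universal->DomainLocal' { $null }   # no membership restriction
            default                  { "No direct conversion from $from to $TargetScope" }
        }
    }
    [pscustomobject]@{ Group = $group.Name; From = $from; To = $TargetScope
                       Allowed = -not $reason; Reason = $reason }
}

# Check first, then apply only when the pre-check passes
$check = Test-ADGroupScopeChange -Identity 'FinanceStaff' -TargetScope 'Universal'
$check
if ($check.Allowed) {
    Set-ADGroup -Identity 'FinanceStaff' -GroupScope Universal -WhatIf   # drop -WhatIf to apply
}
```

The Reason field names the rule that blocks the change, which is more useful in a change ticket than the generic error Set-ADGroup returns.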

Groups on Client Computers and Stand-alone Servers

  • Only local groups can be created on client computers and stand-alone servers.
  • Local groups can only be assigned permissions on their own machine.
  • Advanced features (universal groups, nesting) are exclusive to Active Directory domain controllers and member servers.

Key Terms & Definitions

  • Group scope — The range in which a group can be granted permissions within Active Directory.
  • Domain local group — Grants access to resources within one domain; members can be from any domain.
  • Global group — Groups users from the same domain for assignment of permissions anywhere in the forest.
  • Universal group — Groups from any domain for assignment of permissions across the forest.
  • Domain functional level — Determines available group features based on the Windows Server version.
  • Linked-value replication — Efficient replication of only changed group membership attributes.

Action Items / Next Steps

  • Review the rules for converting group scopes.
  • Study the usage scenarios for each group scope.
  • Read about replication and functional levels for more detail.