Group scope

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Any group, whether it is a security group or a distribution group, is characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. The boundary, or reach, of a group scope is also determined by the domain functional level setting of the domain in which it resides. There are three group scopes: universal, global, and domain local.

The following table describes the differences between the scopes of each group.

Universal

  Group can include as members:

  • Accounts from any domain within the forest in which this universal group resides

  • Global groups from any domain within the forest in which this universal group resides

  • Universal groups from any domain within the forest in which this universal group resides

  Group can be assigned permissions in:

  • Any domain or forest

  Group scope can be converted to:

  • Domain local

  • Global (as long as no other universal groups exist as members)

Global

  Group can include as members:

  • Accounts from the same domain as the parent global group

  • Global groups from the same domain as the parent global group

  Group can be assigned permissions in:

  • Any domain (member permissions can be assigned in any domain)

  Group scope can be converted to:

  • Universal (as long as it is not a member of any other global groups)

Domain local

  Group can include as members:

  • Accounts from any domain

  • Global groups from any domain

  • Universal groups from any domain

  • Domain local groups, but only from the same domain as the parent domain local group

  Group can be assigned permissions in:

  • Only the same domain as the parent domain local group

  Group scope can be converted to:

  • Universal (as long as no other domain local groups exist as members)

Note

The information in this table assumes that the domain functional level is set to either Windows 2000 native or Windows Server 2003. When the domain functional level is set to Windows 2000 mixed or Windows Server 2003 interim, security groups with universal scope cannot be created, although distribution groups with universal scope are still permitted.

When to use groups with domain local scope

Groups with domain local scope help you define and manage access to resources within a single domain. For example, to give five users access to a particular printer, you can add all five user accounts in the printer permissions list. If, however, you later want to give the five users access to a new printer, you must again specify all five accounts in the permissions list for the new printer.

With a little planning, you can simplify this routine administrative task by creating a group with domain local scope and assigning it permission to access the printer. Put the five user accounts in a group with global scope, and then add this group to the group having domain local scope. When you want to give the five users access to a new printer, assign the group with domain local scope permission to access the new printer. All members of the group with global scope automatically receive access to the new printer.

When to use groups with global scope

Use groups with global scope to manage directory objects that require daily maintenance, such as user and computer accounts. Because groups with global scope are not replicated outside their own domain, you can change accounts in a group having global scope frequently without generating replication traffic to the global catalog. For more information about groups and replication, see How replication works.

Although rights and permissions assignments are valid only within the domain in which they are assigned, by applying groups with global scope uniformly across the appropriate domains, you can consolidate references to accounts with similar purposes. This simplifies and rationalizes group management across domains. For example, in a network with two domains, Europe and UnitedStates, if you have a group with global scope called GLAccounting in the UnitedStates domain, create a group called GLAccounting in the Europe domain (unless the accounting function does not exist in the Europe domain).

It is strongly recommended that you use global groups or universal groups instead of domain local groups when you specify permissions on domain directory objects that are replicated to the global catalog. For more information, see Global catalog replication.

Note

When the domain functional level is set to Windows 2000 mixed, members of global groups can include only accounts from the same domain.

When to use groups with universal scope

Use groups with universal scope to consolidate groups that span domains. To do this, add the accounts to groups with global scope, and then nest these groups within groups that have universal scope. When you use this strategy, any membership changes in the groups that have global scope do not affect the groups with universal scope.

For example, in a network with two domains, Europe and UnitedStates, and a group that has global scope called GLAccounting in each domain, create a group with universal scope called UAccounting that has as its members the two GLAccounting groups, UnitedStates\GLAccounting and Europe\GLAccounting. The UAccounting group can then be used anywhere in the enterprise. Any changes in the membership of the individual GLAccounting groups will not cause replication of the UAccounting group.

If the forest functional level is Windows Server 2003 or higher, changes to the membership of universal groups are replicated to each global catalog server using linked-value replication. This means that only the changed membership is replicated, rather than the entire group. If the forest functional level is lower than Windows Server 2003, you should not change the membership of a group with universal scope frequently because any changes to these group memberships cause the entire membership of the group to be replicated to every global catalog in the forest. For more information about universal groups and replication, see Global catalogs and sites. For more information about linked value replication, see How the Active Directory Replication Model Works.
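The nesting pattern described in the two sections above (accounts in per-domain global groups, global groups consolidated in a universal group, and a domain local group carrying the resource permission) can be built with the ActiveDirectory PowerShell module. The following is an added example, not code from the original article; it assumes a forest with the two domains from the text (UnitedStates and Europe), the hypothetical DC hostnames, OU paths, user names and share path shown, the ActiveDirectory module (Windows Server 2008 R2 or later), and that the caller has rights to create groups and edit the resource ACL. A folder ACL stands in for the printer used in the text, since the pattern is the same for any securable resource.

```powershell
Import-Module ActiveDirectory

# Constructed names (assumptions): two domains in one forest, as in the text.
$usDC     = 'dc1.unitedstates.contoso.com'            # a DC in the UnitedStates domain
$euDC     = 'dc1.europe.contoso.com'                  # a DC in the Europe domain
$usOU     = 'OU=Groups,DC=unitedstates,DC=contoso,DC=com'
$euOU     = 'OU=Groups,DC=europe,DC=contoso,DC=com'
$resource = 'D:\Shares\Accounting'                    # stands in for the printer in the text

# 1. One global group per domain holds that domain's accounts
#    (a global group may only contain accounts from its own domain).
New-ADGroup -Server $usDC -Path $usOU -Name 'GLAccounting' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Server $usDC -Identity 'GLAccounting' -Members 'alice','bob'
New-ADGroup -Server $euDC -Path $euOU -Name 'GLAccounting' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Server $euDC -Identity 'GLAccounting' -Members 'carol','dave','erin'

# 2. A universal group consolidates the two global groups across domains.
#    Membership churn stays inside the global groups, so UAccounting itself
#    is not rewritten when an accountant joins or leaves.
New-ADGroup -Server $usDC -Path $usOU -Name 'UAccounting' -GroupScope Universal -GroupCategory Security
$usGL = Get-ADGroup -Server $usDC -Identity 'GLAccounting'
$euGL = Get-ADGroup -Server $euDC -Identity 'GLAccounting'
Add-ADGroupMember -Server $usDC -Identity 'UAccounting' -Members $usGL, $euGL

# 3. A domain local group in the resource's own domain is what goes on the ACL
#    (domain local groups can only be granted permissions in their own domain).
New-ADGroup -Server $usDC -Path $usOU -Name 'DLAccounting-Modify' -GroupScope DomainLocal -GroupCategory Security
Add-ADGroupMember -Server $usDC -Identity 'DLAccounting-Modify' -Members 'UAccounting'

# 4. Grant the permission once, to the domain local group only.
$acl  = Get-Acl -Path $resource
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'UNITEDSTATES\DLAccounting-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $resource -AclObject $acl

# Verify which users end up with access, resolved through the nesting.
Get-ADGroupMember -Server $usDC -Identity 'DLAccounting-Modify' -Recursive | Select-Object SamAccountName
```

When a second resource is added later, only step 4 is repeated for the new path; no user account is touched. Appending -WhatIf to the New-ADGroup and Add-ADGroupMember calls lets you rehearse the structure before creating anything.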

Note

When the domain functional level is set to Windows 2000 mixed, you cannot create security groups with universal scope.

Changing group scope

When you create a new group, by default the new group is configured as a security group with global scope, regardless of the current domain functional level. Although changing a group scope is not allowed in domains with a domain functional level of Windows 2000 mixed, the following conversions are allowed in domains with the domain functional level of Windows 2000 native or Windows Server 2003:

  • Global to universal. This conversion is allowed only if the group that you want to change is not a member of another global scope group.

  • Domain local to universal. This conversion is allowed only if the group that you want to change does not have another domain local group as a member.

  • Universal to global. This conversion is allowed only if the group that you want to change does not have another universal group as a member.

  • Universal to domain local. There are no restrictions for this operation.

For more information, see Change group scope.
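The membership rules in the table above and the four conversion rules just listed can be checked before a change is attempted. The following added example (not code from the original article) encodes those rules as two PowerShell functions that work on constructed inputs rather than live directory objects, so it runs without a domain; the function names, parameter names and the sample domain names are assumptions. It also folds in the Windows 2000 mixed restriction from the "Changing group scope" paragraph, and treats all domains as belonging to one forest, which is what the table's universal-scope rows assume.

```powershell
# Can a group of scope $ContainerScope in $ContainerDomain contain the given member?
function Test-ScopeMembership {
    param(
        [Parameter(Mandatory)][ValidateSet('Universal','Global','DomainLocal')][string]$ContainerScope,
        [Parameter(Mandatory)][string]$ContainerDomain,
        [Parameter(Mandatory)][ValidateSet('Account','Universal','Global','DomainLocal')][string]$MemberType,
        [Parameter(Mandatory)][string]$MemberDomain
    )
    # Assumption: every domain named here is in the same forest.
    $sameDomain = $ContainerDomain -eq $MemberDomain
    switch ($ContainerScope) {
        # Accounts, global and universal groups from any domain in the forest; never domain local groups.
        'Universal'   { return ($MemberType -in 'Account','Global','Universal') }
        # Only accounts and global groups, and only from the group's own domain.
        'Global'      { return ($sameDomain -and ($MemberType -in 'Account','Global')) }
        # Anything from any domain, except that domain local members must be from the same domain.
        'DomainLocal' { return ($MemberType -ne 'DomainLocal' -or $sameDomain) }
    }
}

# Is the conversion $CurrentScope -> $TargetScope allowed for a group with the given
# members (MemberScopes) and parent groups (MemberOfScopes)?
function Test-ScopeConversion {
    param(
        [Parameter(Mandatory)][ValidateSet('Universal','Global','DomainLocal')][string]$CurrentScope,
        [Parameter(Mandatory)][ValidateSet('Universal','Global','DomainLocal')][string]$TargetScope,
        [string[]]$MemberScopes   = @(),   # scopes of the groups that are members of this group
        [string[]]$MemberOfScopes = @(),   # scopes of the groups this group is itself a member of
        [ValidateSet('Windows2000Mixed','Windows2000Native','Windows2003')]
        [string]$DomainFunctionalLevel = 'Windows2003'
    )
    # No scope change of any kind is allowed at the Windows 2000 mixed level.
    if ($DomainFunctionalLevel -eq 'Windows2000Mixed') { return $false }
    switch ("$CurrentScope->$TargetScope") {
        'Global->Universal'      { return ('Global'      -notin $MemberOfScopes) }  # not nested in another global group
        'DomainLocal->Universal' { return ('DomainLocal' -notin $MemberScopes) }    # no domain local group as a member
        'Universal->Global'      { return ('Universal'   -notin $MemberScopes) }    # no universal group as a member
        'Universal->DomainLocal' { return $true }                                   # no restrictions
        default                  { return $false }  # not one of the listed conversions
    }
}

# Constructed sample checks using the domain names from the text.
function Show([string]$Label, [bool]$Allowed) {
    '{0,-8} {1}' -f $(if ($Allowed) { 'allowed' } else { 'denied' }), $Label
}
Show 'Global group in UnitedStates containing an account from Europe' `
    (Test-ScopeMembership -ContainerScope Global -ContainerDomain UnitedStates -MemberType Account -MemberDomain Europe)
Show 'Universal group in UnitedStates containing a global group from Europe' `
    (Test-ScopeMembership -ContainerScope Universal -ContainerDomain UnitedStates -MemberType Global -MemberDomain Europe)
Show 'Domain local group in Europe containing a domain local group from UnitedStates' `
    (Test-ScopeMembership -ContainerScope DomainLocal -ContainerDomain Europe -MemberType DomainLocal -MemberDomain UnitedStates)
Show 'Global -> universal while still a member of another global group' `
    (Test-ScopeConversion -CurrentScope Global -TargetScope Universal -MemberOfScopes Global)
Show 'Universal -> global with only global groups as members' `
    (Test-ScopeConversion -CurrentScope Universal -TargetScope Global -MemberScopes Global,Global)
Show 'Domain local -> universal at Windows 2000 mixed' `
    (Test-ScopeConversion -CurrentScope DomainLocal -TargetScope Universal -DomainFunctionalLevel Windows2000Mixed)
```

Running the block prints denied, allowed, denied, denied, allowed, denied for the six sample checks, matching the table and the conversion list. To apply the same checks to a real group, feed Test-ScopeConversion the scopes returned by Get-ADGroupMember (for MemberScopes) and Get-ADPrincipalGroupMembership (for MemberOfScopes) before calling Set-ADGroup -GroupScope.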

Groups on client computers and stand-alone servers

Some group features, such as universal groups, group nesting, and the distinction between security groups and distribution groups, are available only on Active Directory domain controllers and member servers. Group accounts on Windows 2000 Professional, Windows XP Professional, Windows 2000 Server, and stand-alone servers running Windows Server 2003 work the same way as in Windows NT 4.0:

  • Only local groups can be created locally on the computer.

  • A local group that is created on one of these computers can be assigned permissions only on that one computer.

For more information, see Default local groups.