Where groups can be created

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In Active Directory, groups are created in domains. You use Active Directory Users and Computers to create groups. With the necessary permissions, groups can be created in the root domain of the forest, in any other domain in the forest, or in an organizational unit.

Besides the domain in which it is created, a group is also characterized by its scope. The scope of a group determines:

  • The domain from which members can be added

  • The domain in which the rights and permissions assigned to the group are valid

For more information about group scopes, see Group scope.

Choose the particular domain or organizational unit where you create a group based on the administration required for the group. For example, if your directory has multiple organizational units, each of which has a different administrator, you may want to create groups with global scope within those organizational units so those administrators can manage group membership for users in their respective organizational units. If groups are required for access control outside the organizational unit, the groups within the organizational unit can be nested into groups with universal scope (or other groups with global scope) that can be used elsewhere in the forest.

If the domain functional level is Windows 2000 native or higher, the domain contains a hierarchy of organizational units, and administration is delegated to administrators at each organizational unit, it may be more efficient to nest groups with global scope. For example, if the organizational unit OU1 contained organizational units OU2 and OU3, a group with global scope in OU1 could have as its members groups with global scope in OU2 and OU3. The administrator of OU1 could add or remove members of the OU1 group, and the administrators of OU2 and OU3 could add or remove members of their own groups (accounts from their own organizational units) without having administrative rights over the group with global scope in OU1.
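The layout described in the two paragraphs above (global groups per organizational unit, nested upward into OU1 and then into a universal group, with membership management delegated per OU), as an added example that is not part of the original article. It uses the Windows Server 2003 directory service command-line tools (dsadd, dsmod, dsacls, dsget) rather than the Active Directory Users and Computers snap-in. The domain contoso.com, the group names and the CONTOSO\OU2 Admins and CONTOSO\OU3 Admins groups are assumptions; the script must run as a user allowed to create objects in those organizational units.

```batch
@echo off
rem Added example (not from the original article): builds the OU1/OU2/OU3 layout
rem described above with the Windows Server 2003 directory service command-line tools.
rem The domain contoso.com, the OU names, the group names and the two admin groups
rem are assumptions; run as a user who may create objects in the target OUs.

set DOM=DC=contoso,DC=com

rem 1. Organizational unit hierarchy: OU2 and OU3 sit inside OU1.
dsadd ou "OU=OU1,%DOM%"
dsadd ou "OU=OU2,OU=OU1,%DOM%"
dsadd ou "OU=OU3,OU=OU1,%DOM%"

rem 2. One security group with global scope in each OU (-scope g, -secgrp yes).
dsadd group "CN=OU1 Staff,OU=OU1,%DOM%" -scope g -secgrp yes -desc "All staff in OU1 and its child OUs"
dsadd group "CN=OU2 Staff,OU=OU2,OU=OU1,%DOM%" -scope g -secgrp yes
dsadd group "CN=OU3 Staff,OU=OU3,OU=OU1,%DOM%" -scope g -secgrp yes

rem 3. Nest the child-OU groups into the OU1 group. Global-in-global nesting
rem    requires a domain functional level of Windows 2000 native or higher.
dsmod group "CN=OU1 Staff,OU=OU1,%DOM%" -addmbr "CN=OU2 Staff,OU=OU2,OU=OU1,%DOM%" "CN=OU3 Staff,OU=OU3,OU=OU1,%DOM%"

rem 4. For access control outside the organizational unit, nest the OU1 group
rem    into a group with universal scope that can be used anywhere in the forest.
dsadd group "CN=Forest Staff,CN=Users,%DOM%" -scope u -secgrp yes -members "CN=OU1 Staff,OU=OU1,%DOM%"

rem 5. Delegate membership management: each OU admin group gets write access
rem    (WP = write property) to the "member" attribute of its own OU's group only,
rem    so OU2 and OU3 admins can edit their group without rights over "OU1 Staff".
rem    CONTOSO\OU2 Admins and CONTOSO\OU3 Admins are assumed to exist already.
dsacls "CN=OU2 Staff,OU=OU2,OU=OU1,%DOM%" /G "CONTOSO\OU2 Admins:WP;member"
dsacls "CN=OU3 Staff,OU=OU3,OU=OU1,%DOM%" /G "CONTOSO\OU3 Admins:WP;member"

rem 6. Verify the nesting: -expand lists nested members recursively.
dsget group "CN=OU1 Staff,OU=OU1,%DOM%" -members -expand
dsget group "CN=Forest Staff,CN=Users,%DOM%" -members -expand
```

Running dsacls with only the group's distinguished name (no /G) prints the current access control list, which is the quickest way to confirm that a child-OU admin group holds write access on member for its own group and nothing on the OU1 group.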

Note

  • Groups can be moved within a domain. However, only groups with universal scope can be moved from one domain to another. The rights and permissions assigned to a group with universal scope are lost when the group is moved to another domain, and new assignments must be made.

For information about the tools used to move groups between domains, see Using the Windows Deployment and Resource Kits.