The debate over which group scope to choose when creating a new group in Active Directory dates back to the early days of Windows NT. There are plenty of acronyms and time-tested practices that administrators turn to, but I usually recommend a simple approach. In many organizations, the time spent debating this topic would be better spent somewhere more important.

There are three group scopes available:

  • Domain Local

  • Global

  • Universal

The scope primarily affects four things:

  1. How far the group is exposed across trusts, and whether it can take members from other domains or forests.

  2. How many bytes the group adds to the user's logon token. This matters in large organizations that suffer from token bloat: in the usual token-size estimate, a global group, or a universal group from the user's own domain, costs about 8 bytes because it is stored as a RID, while a domain local group, or a universal group from another domain, costs about 40 bytes because it is stored as a full SID.

  3. Replication traffic. Universal group membership is stored in the global catalog, so every universal group membership change is replicated to every global catalog in the forest. This matters in large, highly distributed multi-domain forests with domain controllers dispersed around the world, where replication traffic is a network concern.

  4. Logon dependency on the global catalog. In a multi-domain forest, the authenticating domain controller must enumerate the user's universal group membership, so if not every domain controller is a global catalog and none can be contacted during the logon attempt, logon fails by default (unless universal group membership caching is enabled for the site, or the client falls back to cached credentials).
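As an added example that is not from the original article: a PowerShell function that classifies a user's effective group membership by scope and applies the usual token-size estimate, 1200 + 40*d + 8*s, where d counts domain local groups plus universal groups from other domains and s counts global groups plus universal groups from the user's own domain. It assumes the ActiveDirectory module from RSAT; the account name in the usage line is a placeholder.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module (RSAT) and read access to the user's constructed tokenGroups attribute.
Import-Module ActiveDirectory

function Get-TokenScopeBreakdown {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server   # optional: a DC or domain to query; defaults to the current domain
    )
    $adArgs = @{}
    if ($Server) { $adArgs['Server'] = $Server }

    # tokenGroups is a constructed attribute: the DC expands nested membership and
    # returns every group SID the account would carry, including built-in groups.
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups @adArgs
    $userDomainSid = $user.SID.AccountDomainSid

    $c = [ordered]@{
        GlobalSameDomain     = 0   # 8 bytes each in the estimate (stored as a RID)
        UniversalSameDomain  = 0   # 8 bytes each
        DomainLocal          = 0   # 40 bytes each (stored as a full SID)
        UniversalOtherDomain = 0   # 40 bytes each
        Unresolved           = 0   # counted at 40 bytes each, the conservative choice
    }

    foreach ($sid in $user.tokenGroups) {
        try {
            # Own-domain and BUILTIN groups resolve here; a SID from another domain
            # usually needs -Server pointed at that domain and lands in Unresolved.
            $group = Get-ADGroup -Identity $sid.Value @adArgs -ErrorAction Stop
        } catch {
            $c.Unresolved++
            continue
        }
        $sameDomain = ($sid.AccountDomainSid -eq $userDomainSid)
        switch ("$($group.GroupScope)") {
            'Global'      { $c.GlobalSameDomain++ }
            'DomainLocal' { $c.DomainLocal++ }
            'Universal'   { if ($sameDomain) { $c.UniversalSameDomain++ } else { $c.UniversalOtherDomain++ } }
        }
    }

    $d = $c.DomainLocal + $c.UniversalOtherDomain + $c.Unresolved
    $s = $c.GlobalSameDomain + $c.UniversalSameDomain
    [pscustomobject]@{
        User                 = $SamAccountName
        GlobalSameDomain     = $c.GlobalSameDomain
        UniversalSameDomain  = $c.UniversalSameDomain
        DomainLocal          = $c.DomainLocal
        UniversalOtherDomain = $c.UniversalOtherDomain
        Unresolved           = $c.Unresolved
        EstimatedTokenBytes  = 1200 + 40 * $d + 8 * $s
    }
}

# Usage (placeholder account): compare the estimate with the MaxTokenSize in
# effect (12,000 bytes on older systems, 48,000 on Windows 8 / Server 2012 and later).
Get-TokenScopeBreakdown -SamAccountName 'jsmith' | Format-List
```

The estimate is only an approximation of the real token, but the breakdown by scope is what you want when deciding which groups to collapse: a handful of domain local or cross-domain universal groups cost as much as dozens of global groups.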

In order to understand how the scope of a group affects your ability to nest groups (that is, make one group a member of another group), first study the rules for whether a group from one domain can be used in another domain:

  • Domain local – usable only within the domain the group was created in. Its membership is not visible across a trust.

  • Global – usable in the domain the group was created in, or in any domain that trusts that domain.

  • Universal – usable in the domain the group was created in, or in any domain or forest that trusts that domain.

Given those rules, you can see why a Domain Local group cannot be nested in a Global or Universal group. Global and Universal group membership is accessible across trusts, but domain local membership is not, so nesting a Domain Local group inside either would leave part of the effective membership unreadable on the far side of the trust. Fortunately, Active Directory enforces these rules for us. You can keep track of them by referencing the table below:

Group scope             Can contain users and computers from    Can contain domain local groups from
                        Same domain      Different domain       Same domain      Different domain
Domain local groups     Yes              Yes                    Yes              No
Domain global groups    Yes              No                     No               No
Universal groups        Yes              Yes                    No               No

The next table highlights the rules that apply to global and universal groups.

Group scope             Can contain domain global groups from   Can contain universal groups from
                        Same domain      Different domain       Same domain      Different domain
Domain local groups     Yes              Yes                    Yes              Yes
Domain global groups    Yes              No                     No               No
Universal groups        Yes              Yes                    Yes              Yes
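As an added example that is not part of the original article, here are the nesting rules from the two tables above (and the trust rules that precede them) encoded as a PowerShell function and used as a pre-check before Add-ADGroupMember. Active Directory rejects an illegal nesting anyway; the check gives a readable reason up front and spares a round trip to a remote domain. It assumes the ActiveDirectory module from RSAT; the group, account and domain names in the usage line are placeholders.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-GroupNestingRule {
    # Returns $true if something of $MemberScope from $MemberDomainSid may be a
    # member of a group of $ParentScope in $ParentDomainSid. 'Principal' means a
    # user or computer account. Domains are compared by domain SID so the check
    # also works across trusts.
    param(
        [Parameter(Mandatory)][ValidateSet('DomainLocal','Global','Universal')][string]$ParentScope,
        [Parameter(Mandatory)][string]$ParentDomainSid,
        [Parameter(Mandatory)][ValidateSet('DomainLocal','Global','Universal','Principal')][string]$MemberScope,
        [Parameter(Mandatory)][string]$MemberDomainSid
    )
    $sameDomain = ($ParentDomainSid -eq $MemberDomainSid)
    switch ($ParentScope) {
        # First row of both tables: anything from anywhere, except a domain local
        # group from a different domain.
        'DomainLocal' { return ($MemberScope -ne 'DomainLocal' -or $sameDomain) }
        # Second row: only accounts and global groups, and only from its own domain.
        'Global'      { return ($sameDomain -and ($MemberScope -in 'Principal','Global')) }
        # Third row: accounts, global and universal groups from any domain; never
        # a domain local group.
        'Universal'   { return ($MemberScope -ne 'DomainLocal') }
    }
}

function Get-ScopeFromGroupType {
    # groupType flag bits: 0x2 global, 0x4 domain local (also set on BUILTIN
    # groups), 0x8 universal. 0x80000000 marks a security group and is ignored.
    param([Parameter(Mandatory)][int]$GroupType)
    if ($GroupType -band 0x4) { return 'DomainLocal' }
    if ($GroupType -band 0x8) { return 'Universal' }
    return 'Global'
}

function Add-ADGroupMemberChecked {
    param(
        [Parameter(Mandatory)][string]$Group,    # parent group: name, DN or SID
        [Parameter(Mandatory)][string]$Member,   # sAMAccountName of a group, user or computer
        [string]$GroupServer,                    # domain or DC of the parent group (optional)
        [string]$MemberServer                    # domain or DC of the member, if different (optional)
    )
    $groupArgs  = @{}; if ($GroupServer)  { $groupArgs['Server']  = $GroupServer }
    $memberArgs = @{}; if ($MemberServer) { $memberArgs['Server'] = $MemberServer }

    $parent = Get-ADGroup -Identity $Group @groupArgs
    $found  = Get-ADObject -LDAPFilter "(sAMAccountName=$Member)" -Properties objectSid, groupType @memberArgs
    if (-not $found) { throw "Member '$Member' not found" }

    # Fetch the typed object so Add-ADGroupMember can add it even from another domain.
    $principal = switch ($found.ObjectClass) {
        'group'    { Get-ADGroup    -Identity $found.DistinguishedName @memberArgs }
        'computer' { Get-ADComputer -Identity $found.DistinguishedName @memberArgs }
        default    { Get-ADUser     -Identity $found.DistinguishedName @memberArgs }
    }
    $memberScope = if ($found.ObjectClass -eq 'group') { Get-ScopeFromGroupType $found.groupType } else { 'Principal' }

    # BUILTIN groups (S-1-5-32-...) have no account domain; treat them as their own "domain".
    $parentDomain = if ($parent.SID.AccountDomainSid)       { $parent.SID.AccountDomainSid.Value }       else { 'BUILTIN' }
    $memberDomain = if ($found.objectSid.AccountDomainSid)  { $found.objectSid.AccountDomainSid.Value }  else { 'BUILTIN' }

    $ok = Test-GroupNestingRule -ParentScope $parent.GroupScope.ToString() -ParentDomainSid $parentDomain `
                                -MemberScope $memberScope -MemberDomainSid $memberDomain
    if (-not $ok) {
        throw "Nesting $memberScope '$Member' (domain $memberDomain) in $($parent.GroupScope) group '$Group' (domain $parentDomain) is not allowed by the scope rules"
    }
    Add-ADGroupMember -Identity $parent -Members $principal @groupArgs
}

# Usage (placeholder names): a domain local group from another domain cannot go
# into a universal group, so this throws before the directory is touched.
# Add-ADGroupMemberChecked -Group 'Universal-Apps' -Member 'DL-Printers' -MemberServer 'child.corp.example'
```

The same three rules also explain a common surprise when reading a member's scope from groupType rather than from GroupScope: a BUILTIN group such as Administrators carries the domain local bit, so it follows the domain local row of the tables and can never be nested in a global or universal group.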