Wednesday, 25 March 2015

Active Directory Security Group Scope and Membership

Local Security Groups

A local security group's scope is the machine on which it is defined. Local groups in Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows Vista, Windows 7 and Windows 8 are similar to local groups in Windows NT. They can contain user accounts that are local to the computer, as well as user accounts, global groups and universal groups from the computer's own domain (and domain local groups from that domain on a domain-joined machine). A local group can be granted permissions only on resources of the computer where it was created, so it is used to assign permissions to that computer's local resources. Domain Controllers do not have local security groups: a DC has no separate local SAM, and the domain local groups in the Builtin container (Administrators, Account Operators and so on) take their place.

Domain Local

A domain local group's scope is the single domain in which the group is created. A domain local group can only be assigned permissions on objects in that domain. A domain local group is ideally used as a resource group for collecting together other groups that need the same level of access to an object. This is useful for limiting the number of ACL entries required on an object: the ACE is written once for the domain local group, and changes in who holds the right are made by changing group membership rather than the ACL. Domain local groups should be used wherever possible for exposing management tasks within the delegation model.
When the domain is in mixed mode (Windows 2000 mixed functional level), domain local groups can contain user accounts and global groups from any domain in the forest or any trusted domain. When the domain is in native mode or higher, domain local groups can also contain domain local groups from their own domain and universal groups from any domain in the forest.

Note:-
Do not use domain local groups to control Read permissions on object attributes that are replicated to the global catalog. A domain local group is only evaluated on servers in the domain where it is defined, so a read served by a global catalog server in another domain does not see the group in the access check; since the user has no control over which global catalog server is selected, the results can be unpredictable. Use global or universal groups for such ACEs instead.

Global

These groups can contain members only from their own domain but can be granted permissions to resources in any trusting domain. When the domain is in native mode or higher, global groups can contain user accounts and global groups from the same domain. When the domain is in mixed mode, these groups can contain only user accounts. Because global groups are visible in every trusting domain, they are best used to organize users or groups of users into administrative roles.
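The two sections above describe the building blocks of a delegation model: a global group that holds the people performing a role, and a domain local group that holds the permission on the resource. The script below is an added example, not part of the original post, that shows the pattern end to end with the ActiveDirectory PowerShell module: a global role group nested into a domain local resource group, a single ACE granting that resource group the Reset Password right on one OU, and an audit that lists domain local groups holding members from other domains (the case the global catalog note above warns about). The OU paths and group names are assumptions; the two GUIDs are the well-known rightsGuid of Reset Password and the schemaIDGUID of the user class. Step 4 writes an ACL, so run it in a lab.

```powershell
# Added example (not from the original post): AGDLP delegation plus a domain local
# group audit, using the ActiveDirectory module. Assumed names: OUs "Groups" and
# "Helpdesk Users" under the current domain, and the two group names below.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$groupsOu  = "OU=Groups,$domainDn"              # assumed: where the groups are created
$targetOu  = "OU=Helpdesk Users,$domainDn"      # assumed: the OU being delegated
$roleGroup = 'Role-HelpdeskOperators'           # global group: the people performing the role
$resGroup  = 'Res-ResetPassword-HelpdeskUsers'  # domain local group: the identity in the ACL

function New-GroupIfMissing {
    param([string]$Name, [string]$Scope, [string]$Path)
    $g = Get-ADGroup -Filter "Name -eq '$Name'"
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Path $Path -PassThru
    }
    return $g
}

# 1. Global group (members only from this domain) models the role.
$role = New-GroupIfMissing -Name $roleGroup -Scope Global      -Path $groupsOu
# 2. Domain local group models "reset passwords on users in this OU"; rights are granted to it once.
$res  = New-GroupIfMissing -Name $resGroup  -Scope DomainLocal -Path $groupsOu

# 3. Nest global -> domain local. A global group is a valid member of a domain local group in any mode.
$members = (Get-ADGroup -Identity $res -Properties member).member
if ($members -notcontains $role.DistinguishedName) {
    Add-ADGroupMember -Identity $res -Members $role
}

# 4. One ACE on the OU: Allow the domain local group the "Reset Password" extended right
#    on descendant user objects. No ACE is ever written for the global group or a user.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # rightsGuid: Reset Password
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID: class user
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $res.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl = Get-Acl -Path "AD:\$targetOu"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$targetOu" -AclObject $acl

# 5. Verify: the OU's ACL should carry exactly one entry for the resource group; an operator
#    receives the right only through Role -> Res, so revoking it means removing a membership.
Get-Acl -Path "AD:\$targetOu" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like "*\$resGroup" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize

# 6. Audit: every domain local group whose members live outside this domain. A member from
#    another domain of the forest has a DN outside $DomainDn; a member from a trusted forest
#    appears as a foreignSecurityPrincipal object. These groups must not be used for Read
#    ACEs on attributes replicated to the global catalog (see the note above).
function Get-DomainLocalGroupsWithForeignMembers {
    param([string]$DomainDn)
    Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"' -Properties member | ForEach-Object {
        $foreign = @($_.member | Where-Object {
            $_ -notlike "*,$DomainDn" -or $_ -like "*,CN=ForeignSecurityPrincipals,*"
        })
        if ($foreign.Count -gt 0) {
            [pscustomobject]@{ Group = $_.Name; ForeignMembers = ($foreign -join '; ') }
        }
    }
}
Get-DomainLocalGroupsWithForeignMembers -DomainDn $domainDn | Format-Table -AutoSize
```

Steps 1 to 4 are idempotent, so the script can be re-run after adding operators to the global group without touching the ACL again; that is the point of the pattern. The audit in step 6 reads the raw member attribute rather than using Get-ADGroupMember, because the latter fails on members from untrusted or unreachable domains, which are exactly the entries the audit is looking for.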

Universal

A universal group's scope is all domains in a forest. A universal group can be used in all trusted domains and can be assigned permissions on objects in all domains of the same forest. These groups can contain user accounts, global groups, and universal groups from any domain in the current
