Monday 9 December 2013

AD Group Scope

Some people are having difficulties to differentiate between Universal, Global and Domain Local groups (including me, sometimes).  The table below illustrates the differences between those group scopes.

Some lesson learnt :-
  • Global groups can be added to Domain Local groups (from the same domain or crossed-domain), but not vice versa
  • For Global groups, you only can add accounts from its domain and its parent Global groups
  • In order to add accounts from any domain, you need to have Local Domain groups, Global groups won’t allow you to do so.
  • Converting a group to Domain Local, add those crossed-domain users, and convert it back to Global group won’t do the trick.
  • Domain Local groups cannot be added to Domain Local groups from any domain except for its domain and the parent.

Group scope
Group can include as members…
Group can be assigned permissions in…
Group scope can be converted to…
Universal
·      Accounts from any domain within the forest in which this Universal Group resides
·      Global groups from any domain within the forest in which this Universal Group resides
·      Universal groups from any domain within the forest in which this Universal Group resides
Any domain or forest
·      Domain local
·      Global (as long as no other universal groups exist as members)
Global
·      Accounts from the same domain as the parent global group
·      Global groups from the same domain as the parent global group
Member permissions can be assigned in any domain
Universal (as long as it is not a member of any other global groups)
Domain local
·      Accounts from any domain
·      Global groups from any domain
·      Universal groups from any domain
·      Domain local groups but only from the same domain as the parent domain local group
Member permissions can be assigned only within the same domain as the parent domain local group
Universal (as long as no other domain local groups exist as members)


noteNote
The information in this table implies that the domain functional level is set to either Windows 2000 native or Windows Server 2003. When the domain functional level is set to Windows 2000 mixed or Windows Server 2003 interim, security groups with universal scope cannot be created, although distribution groups with universal scope are still permitted.


source : http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx
Share:
                 No comments    

0 comments:

Post a Comment