AD Group types: universal groups, global groups, domain local groups

Posted by Edward Killeen on Fri, Feb 26, 2010

active directory global group I had been demonstrating how to manage the creation and automation of AD security groups and distribution lists for months before I realized that I had no idea what the differences were between the three types of Active Directory groups: universal groups (UG), global groups (GG), and domain local groups (DLG). I asked around, poked around the web and found that nobody is really 100% clear on it. Or at least the ones that would talk to me.

With a little work I dug out enough info for this cheatsheet on Active Directory groups:

Universal Group: can contain users and groups (global and universal) from any domain in the forest. Universal groups do not care about trust. Universal groups can be a member of domain local groups or other universal groups but NOT global groups.
Global Group: can contain users, computers and groups from same domain but NOT universal groups. Can be a member of global groups of the same domain, domain local groups or universal groups of any domain in the forest or trusted domains.
Domain Local Group: Can contain users, computers, global groups and universal groups from any domain in the forest and any trusted domain, and domain local groups frm the same domain. Can be a member of any domain local group in the same domain.

The short answer is that domain local groups are the only groups that can have members from outside the forest. And use global groups if you have trust, universal groups if you don't care about trust.

Disclaimer: this might still be wrong. But nobody has disputed it yet; thankfully, with good comments, I can always edit the blog post if I have something wrong.

Tags: AD Security Groups, Active Directory

Comments

Hi Edward,

I think your description of the difference between types of AD groups is accurate; but it is incomplete in that it does not explain why there would be different types of groups anyway, or what you should use them for.

Let's try a short indication:

To give users access to resources/objects, you could in principle put user accounts directly into the ACL's of the objects (files, printers,...) they need to use.

Because of the number of users and objects in any non-trivial organization this would lead to an administrative nightmare.

That is why security groups were introduced, as a kind of "in-between" between accounts and resources, to be able to organize things a little.

Global Groups might also be called "Account Groups".

They exist in the same domain as the (mostly user) accounts they contain, and can be grouped / nested among themselves (within their domain).

Without forming cycles of course.

(Domain) Local Groups might also be called "Permission Groups".

They are used in the ACL's of all kind of objects (files, shares, printers, ans so on) to offer read, use, fullcontrol, ... access to the object.

They can also be grouped and nested within the same domain.

In order to authorize users to use resources, links (memberships) between Global (User) Groups and Local (Resource) Groups must be established.

1) If there is only one domain involved, this can happen directly: make some global groups member of some local groups, and you're ready.

2) If the users live in another domain than the resources they need, there are 2 possibilities:

* There is sufficient trust between the domains:

Then the global groups from one domain can be member of the local groups of the other domain. Ready.

* There is not sufficient trust (or the trust relations would be to difficult to maintain):

Then you use Universal Groups as the linking pin between globals and locals.

These Universal Groups do not really belong to a specific domain, they live in the forest.

I know Windows does not really enforce the approach described, you can deviate from it in different ways, but as far as I know this is the way it was meant to be used.

Hope this helps.

Posted @ Saturday, February 27, 2010 6:11 AM by Jacques Willemen

Jacque, that is excellent, thank you.

Posted @ Sunday, February 28, 2010 12:24 PM by Edward Killeen

Good.. i got sme ideas

Posted @ Tuesday, October 19, 2010 8:23 PM by Gladdy

Well.. i found that global group cannot be a member of global group of the same domain

Posted @ Thursday, November 18, 2010 6:24 AM by Mayur

Perhaps it's more clear to explain the name. The name is where you can apply them (e.g. use to permission something)

Domain Local Groups

Can be used to permission only objects in the same domain (and so named local)!! however can contain e.g. users from give or take a bit anywhere

Global Groups

Can be used to permission things anywhere (and so named global), even outside that domain, the drawback is that you can only add members\objects into it from the domain it is based in

Universal Groups

With some limitations can be used to permission anywhere and contain members from anywhere (called universal), but there are serious complications regarding the global catalog, logons not possible if G.C. unavailable etc, so not the great solution for everything, use with care

Posted @ Saturday, July 09, 2011 10:57 AM by TomH

If we are saying that Global Groups and Universal groups can be used to assign permissions to resources, why do we need to add them to the Domain Local Groups then or precisley why is it the recommended way? Why can't we just add the global group or the Universal group directly to the ACL of an object?

Posted @ Tuesday, February 21, 2012 3:37 AM by Asif Zafar

Post Comment
Name *
Email *
Website (optional)
Comment * Allowed tags: <a> link, <b> bold, <i> italics
Receive email when someone replies. Subscribe to this blog by email.

Imanami GroupID

Exciting New Video!

Get all the latest via email!

Latest Posts

get-group History

SharePoint or AD groups poll?

Active Directory and Identity Blogs

AD Group types: universal groups, global groups, domain local groups

Comments