As a System Administrator of a domain, there will obviously be times when you need to create new security groups for your environment. When creating a new security group, the group scope can sometimes be confusing. Do I pick Domain Local, Global, or Universal? Below I quickly break down what each scope can contain and where each type of security group is used.


AD security groups explained


Domain Local

This type of group can contain:

  • User accounts from any domain in the forest or in a trusted forest
  • Global or Universal security groups from any domain in the forest or trusted forest
  • Other Domain Local security groups from the same domain

Where this type of group is used:

  • Used for resources in the local domain

Global

This type of group can contain:

  • User accounts in the same domain
  • Other Global security groups from the same domain

Where this type of group is used:

  • Used for any domain in the forest or trusted forests

Universal

This type of group can contain:

  • User accounts, Global groups, or Universal groups from any domain in the forest

Where this type of group is used:

  • Any domain in the forest or a trusted forest
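To make the three membership rule sets above concrete, here is an added example (my own code, not part of the original post) that encodes them as a checker you can run over a planned group design before creating anything in AD. The domain names, forest layout and group names are constructed sample values, and it assumes every other listed forest is a trusted forest.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# How the member's domain relates to the domain the group lives in
SAME_DOMAIN, SAME_FOREST, TRUSTED_FOREST = "same_domain", "same_forest", "trusted_forest"

@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                    # "user" or "group"
    domain: str
    scope: Optional[str] = None  # DomainLocal / Global / Universal (groups only)

# Constructed sample: two domains in forest "corp", one domain in a trusted forest "partner"
FORESTS: Dict[str, str] = {"corp.example": "corp", "emea.corp.example": "corp",
                           "partner.example": "partner"}

def relation(group_domain: str, member_domain: str, forests: Dict[str, str] = FORESTS) -> str:
    if group_domain == member_domain:
        return SAME_DOMAIN
    if forests[group_domain] == forests[member_domain]:
        return SAME_FOREST
    return TRUSTED_FOREST  # assumption: any other forest in the table is a trusted forest

def can_contain(group: Principal, member: Principal, forests: Dict[str, str] = FORESTS) -> bool:
    """Apply the nesting rules for the group's scope to one proposed member."""
    rel = relation(group.domain, member.domain, forests)
    is_user = member.kind == "user"
    if group.scope == "DomainLocal":
        if is_user or member.scope in ("Global", "Universal"):
            return True               # any domain in the forest or a trusted forest
        return rel == SAME_DOMAIN     # other Domain Local groups: same domain only
    if group.scope == "Global":       # users and Global groups from the same domain only
        return rel == SAME_DOMAIN and (is_user or member.scope == "Global")
    if group.scope == "Universal":    # users, Global or Universal groups from any domain in the forest
        return rel != TRUSTED_FOREST and (is_user or member.scope in ("Global", "Universal"))
    raise ValueError(f"unknown group scope: {group.scope}")

def check_design(memberships: List[Tuple[Principal, Principal]]) -> List[str]:
    """Describe every (group, member) pair that the scope rules forbid."""
    return [f"{g.name} ({g.scope}) cannot contain {m.name}" for g, m in memberships if not can_contain(g, m)]

if __name__ == "__main__":
    hr_users = Principal("HR-Users", "group", "corp.example", "Global")
    emea_hr = Principal("EMEA-HR-Users", "group", "emea.corp.example", "Global")
    share_acl = Principal("HR-Share-Modify", "group", "corp.example", "DomainLocal")
    partner_dl = Principal("Partner-Share", "group", "partner.example", "DomainLocal")
    for line in check_design([(share_acl, hr_users), (share_acl, emea_hr), (hr_users, emea_hr), (share_acl, partner_dl)]):
        print(line)   # flags the Global-from-another-domain and cross-domain Domain Local nestings
```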