Domain Local Groups in a Mixed Mode Domain can contain users, global groups and universal groups from any domain in the forest. In Native Mode, they can also contain domain local groups from their own domain as well as be a member of another domain local group from within its own domain.
Security Domain Local Groups can be assigned permissions for any resource in the domain where the domain local group resides.
Security Global Groups organize domain user objects across domains.
Distribution Global Groups would allow the non-security-related function (e.g., e-mail) for group members across domains.
Global Groups in a Mixed Mode Domain can contain user accounts from the group’s local domain. In Native Mode they can contain other global groups (called Group Nesting) from the local domain.
Global Groups in a Mixed Mode Domain can be members of Domain local groups in any domain in the forest. In Native Mode they can be a member of another global (nested in another Global Group) in its own domain.
Security Global Groups can be assigned permissions for all of the
domains in the forest.
Security Universal Groups are used to group users and grant
permissions across an entire forest.
Distribution Universal
Groups allow the non-security-related function (e.g.,
e-mail) for group members across the entire forest.
A Windows 2000 domain must be in native mode to create Universal Security Groups. In Mixed Mode only Universal Distribution
Groups are available.
Universal Groups can contain user accounts, global groups and
universal groups from any domain in the forest and can be a
member of Domain local groups and other universal groups in
any domain in the forest.
Universal Groups can be assigned permissions for all domains in the
forest and should be used to nest global groups so that
permissions can be more easily assigned to related resources
in multiple domains. Individual users should not be added
singly to universal groups, and you should keep membership
changes in Universal Groups to a minimum, as these changes
must be replicated throughout the forest.
When setting up access to any server it is important to remember that:
Page 3: Active Directory Default Group Objects
ServerWatch is a top resource on servers. Explore the latest news, reviews and guides for server administrators now.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.
