Domain Local Groups in a Mixed Mode Domain can contain users, global groups and universal groups from any domain in the forest. In Native Mode, they can also contain domain local groups from their own domain and can be members of other domain local groups within their own domain.
Security Domain Local Groups can be assigned permissions for any resource in the domain where the domain local group resides.
Security Global Groups organize domain user objects across domains.
Distribution Global Groups allow non-security-related functions (e.g., e-mail) for group members across domains.
Global Groups in a Mixed Mode Domain can contain user accounts from the group’s local domain. In Native Mode they can contain other global groups (called Group Nesting) from the local domain.
Global Groups in a Mixed Mode Domain can be members of Domain local groups in any domain in the forest. In Native Mode they can also be members of another global group (nested in another Global Group) in their own domain.
Security Global Groups can be assigned permissions for all of the domains in the forest.
Security Universal Groups are used to group users and grant permissions across an entire forest.
Distribution Universal Groups allow non-security-related functions (e.g., e-mail) for group members across the entire forest.
A Windows 2000 domain must be in native mode to create Universal Security Groups. In Mixed Mode only Universal Distribution Groups are available.
Universal Groups can contain user accounts, global groups and universal groups from any domain in the forest and can be a member of Domain local groups and other universal groups in any domain in the forest.
Universal Groups can be assigned permissions for all domains in the forest and should be used to nest global groups so that permissions can be more easily assigned to related resources in multiple domains. Individual users should not be added singly to universal groups, and you should keep membership changes in Universal Groups to a minimum, as these changes must be replicated throughout the forest.
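The membership rules above, written as a checker over proposed group memberships. This is an added example, not part of the original notes; the `Principal` type, the function names and the sample forest are hypothetical, and it assumes native mode keeps the mixed-mode membership options for global groups.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str               # "user", "domain_local", "global" or "universal"
    security: bool = True   # False means a distribution group

ANY = {"user", "global", "universal"}
RULES = {  # (group scope, domain mode) -> (allowed member kinds, kinds limited to own domain)
    ("domain_local", "mixed"):  (ANY, set()),
    ("domain_local", "native"): (ANY | {"domain_local"}, {"domain_local"}),
    ("global", "mixed"):        ({"user"}, {"user"}),
    ("global", "native"):       ({"user", "global"}, {"user", "global"}),
    ("universal", "mixed"):     (ANY, set()),
    ("universal", "native"):    (ANY, set()),
}

def check_membership(group, member, mode):
    """Return findings for one proposed membership; an empty list means it is allowed."""
    findings = []
    if group.kind == "universal" and group.security and mode == "mixed":
        findings.append("security universal group requires native mode")
    allowed, own_domain_only = RULES[(group.kind, mode)]
    if member.kind not in allowed:
        findings.append(f"{member.kind} cannot be a member of a {group.kind} group in {mode} mode")
    elif member.kind in own_domain_only and member.domain != group.domain:
        findings.append(f"{member.kind} must come from the group's own domain")
    if group.kind == "universal" and member.kind == "user":
        findings.append("advisory: add the user to a global group and nest that instead")
    return findings

def audit(memberships, mode):
    """Check (group, member) pairs; return {"group <- member": findings} for flagged pairs."""
    report = {}
    for group, member in memberships:
        findings = check_membership(group, member, mode)
        if findings:
            report[f"{group.name} <- {member.name}"] = findings
    return report

# Constructed sample forest: two domains, all names are placeholders.
ALICE = Principal("alice", "emea.example", "user")
GG_SALES = Principal("GG-Sales", "corp.example", "global")
GG_EMEA = Principal("GG-EMEA", "emea.example", "global")
UG_ALL = Principal("UG-AllSales", "corp.example", "universal")
DL_FILES = Principal("DL-SalesFiles", "corp.example", "domain_local")
SAMPLE = [(GG_SALES, ALICE), (GG_SALES, GG_EMEA), (UG_ALL, GG_SALES), (UG_ALL, ALICE), (DL_FILES, UG_ALL)]
```

Running `audit(SAMPLE, "mixed")` and `audit(SAMPLE, "native")` shows which nestings become valid after the mode switch and which remain flagged.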
When setting up access to any server it is important to remember that:
- Authentication determines the identity of a user
- Permissions determine what a valid user can access once authenticated