Oct 14, 2008

What is the difference between a Distribution group and Security Group (and explanation of Local/Global/Universal Scopes)

tigermatt:
What you have noticed about both security and distribution groups having the "Domain Local", "Global" and "Universal" permissions is actually known as the Scope of a group.

A domain local is probably, in my opinion, one of the worst to use unless you have a specific reason to use it. This type of group can contain members from any other domain within the same forest, including users, computers, universal groups, global groups and other domain local groups *within the same domain*. However, the domain local group can only be used to secure access to resources or objects (printers, files, databases etc.) in the same domain as it is created. It cannot be used across the forest.

A global group is a group which can roam between other trusting domains and can be used in these domains to secure access to resources too. However, a global group can only contain members from the domain it was created in.

A universal group is one which can contain members from anywhere in the forest and can be used anywhere in the forest. It isn't restricted to only containing members or only being used in one individual domain.
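The scope rules described in the answer above, as an added example that is not part of tigermatt's post: Active Directory stores both the group type and the scope in the `groupType` attribute, and this Python sketch decodes exported values and checks nesting and resource use. The function names and the sample rows are constructed for illustration; the nested-group restrictions and the rule that distribution groups cannot be placed on ACLs are standard AD behaviour that the post does not spell out, and all domains are assumed to be in one forest.

```python
# Added example: decode exported groupType values and apply the scope rules.
SECURITY_ENABLED = 0x80000000  # set = security group, clear = distribution group
SCOPE_BITS = {0x2: "Global", 0x4: "DomainLocal", 0x8: "Universal"}

def decode_group_type(value):
    """Return (category, scope); LDAP exports groupType as a signed 32-bit int."""
    bits = int(value) & 0xFFFFFFFF
    scopes = [name for bit, name in SCOPE_BITS.items() if bits & bit]
    if len(scopes) != 1:
        raise ValueError(f"groupType {value!r} must carry exactly one scope bit")
    return ("Security" if bits & SECURITY_ENABLED else "Distribution"), scopes[0]

def can_contain(group_scope, group_domain, member_kind, member_domain):
    """member_kind is 'Account' (user or computer) or the scope of a nested group.
    Assumption: both domains belong to the same forest."""
    same = group_domain.lower() == member_domain.lower()
    if group_scope == "DomainLocal":   # anything in the forest; domain locals only from own domain
        return same if member_kind == "DomainLocal" else True
    if group_scope == "Global":        # members only from its own domain
        return same and member_kind in ("Account", "Global")
    if group_scope == "Universal":     # members from anywhere in the forest
        return member_kind in ("Account", "Global", "Universal")
    raise ValueError(f"unknown scope {group_scope!r}")

def can_secure(group_type, group_domain, resource_domain):
    """True if the group can be put on an ACL for a resource in resource_domain."""
    category, scope = decode_group_type(group_type)
    if category != "Security":
        return False                   # distribution groups are not security-enabled
    if scope == "DomainLocal":         # usable only in the domain it was created in
        return group_domain.lower() == resource_domain.lower()
    return True                        # global and universal groups can be used across domains

# Constructed sample export: (name, domain, groupType)
SAMPLE = [
    ("FS-Finance-RW", "corp.example", -2147483644),
    ("Finance-Staff", "emea.corp.example", -2147483646),
    ("All-Engineers", "corp.example", -2147483640),
    ("Newsletter", "corp.example", 8),
]

def report(rows=SAMPLE, resource_domain="corp.example"):
    """List (name, category, scope, usable on an ACL in resource_domain)."""
    return [(name, *decode_group_type(gt), can_secure(gt, dom, resource_domain))
            for name, dom, gt in rows]

if __name__ == "__main__":
    for row in report():
        print(row)
```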