• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6833
  • Last Modified:

When to use Global, Universal or Domain Local security groups

Can someone please explain to me in the most simple way when do I use a
Domain Local Security Group
Universal Security Group
Global Security Group

How do I knwo when to apply which one?

Thanks :)
2 Solutions

Here is the link which explain about these groups.
noadAuthor Commented:
Still dont get it, sorry looking for a simple explaination.
Can you break it down
This for this, that for that???
local security groups apply security settings locally and are used for localised administration etc

Global security groups are your Domain Groups which are created with the installation of AD (as you would know :) ) these groups when operating at native mode are able to be nested into other groups etc within your domain environment

Universal groups are one step higher and provide the ability of group nesting interdomain and forests. If you have trusts configured between domains etc, you can nest a universla group in domain a, into either a universal group or a global group within Domain B. However you cannot nest a global group from Domain A into Domain B

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Toni UranjekConsultant/TrainerCommented:

Use global security groups to group user (or computer) accounts with simillar characteristics, for example members of Sales department.
Use domain local security groups to define access to resources (share, NTFS, printer), for example you would create domain local group "DL ColorPrinter Print" and assign print permission to this group. Then you would put global security group Sales in "DL ColorPrinter Print" group to enable printing for sales department. If marketing department wants to use the same printer you have to create global group Marketing and put this group in "DL ColorPrinter Print" group. This strategy is called A-G-DL-P. Put accounts in global groups, global groups in domain local groups and assign permissions to domain local groups and you will assign permission only once. Everything else happens in Active Directory Users and Computers when you modify groups memberships.

Universal groups should only be used in multiple domain forest. Universal groups are used to nest global groups. Group strategy is then called A-G-U-DL-P.


Toniur has given a good explanation let me see  if I can simplify it a bit:

Global Groups:
Use these to group users with similar needs within the organisation, sales people, finance people, managers etc

Domain Local Groups:
Use these to specify access to resources eg database users, Colour Printer Users.

Universal Groups
Use only in mulitiple domains to give forest wide privilages.

Put users into Global groups
Apply permissions to Domain Local Groups
Nest Global groups in Domain Local groups to assign permissions
noadAuthor Commented:
Thanks guy's I think I got it now!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now