

The difference between Global and Universal nested groups in a single domain?

Posted on 2014-07-20
Medium Priority
Last Modified: 2014-10-21
Hi People,

Can anyone please assist me in explaining the difference between creating a security group with the type Global and with the type Universal?

In my company there is only one AD domain. The AD security group is usually created to logically group multiple AD accounts that are to be local administrators of several production servers (to be put into the ServerName\Administrators group).

In this case, which type should I create?
Can the local Administrators group read a nested AD group that is more than 3 levels deep?
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 668 total points
ID: 40207419
Do you ever plan to add domains? Either one works; I'd go with global in this case. Yes, it can read nested groups. Why are you nesting three deep? You don't want to make it hard to manage/administer.


LVL 36

Accepted Solution

Seth Simmons earned 668 total points
ID: 40207639
It's about scope.
Global groups can include users and groups from other global groups in the domain.
Universal groups can include users and groups from other global and universal groups in the forest.

By default the option is checked so that security groups are created as global and distribution groups as universal.
You can change this during creation or afterwards.

In this case, which type should I create ?

with one domain, global is fine
if there were multiple domains in the same forest and you needed a group to have members from both domains, then it would be universal

Author Comment

by:Senior IT System Engineer
ID: 40208098
Cool, so in this case for the local Administrators group it can be any type of group, Universal or Global?
Even though it is nested, the local Administrators group permission should still be applicable. Is that correct?

LVL 24

Assisted Solution

Sandeshdubey earned 664 total points
ID: 40210843
A Domain Local group is a group which may be assigned only to resources in the domain in which it exists, but it is able to contain any Universal group or Global group from the entire forest. Since it cannot be assigned in domains other than its own, it was decided to use it as the permission group.

A Global group is a group which may be added to any other Universal or Domain Local group in any domain in the forest, but its limitation is that it can contain only members of its own domain.

A Universal group is a group which can be added to any Domain Local group in the entire forest and can have members from any domain in the forest. Its membership changes are replicated between all domains.

The best method to assign permissions is the AGDULP method (Accounts, Global, Universal, Domain Local, Permissions) for adding users to groups, assuming you already have a trust in place between the domains.

- Add the user accounts to Global groups > Global groups to Universal groups > Universal groups to Domain Local groups > Domain Local groups to the group you want to assign the permission to.

You should avoid using universal groups where possible, as their membership is replicated across all the GCs in the forest.
Accessing resources across forests: http://technet.microsoft.com/en-us/library/cc772808%28WS.10%29.aspx
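An added example, not code from the thread, showing the single-domain form of the chain above (accounts into a Global group, the Global group into a Domain Local group, the Domain Local group into the server's local Administrators group) and then verifying what the server effectively sees regardless of nesting depth. The OU path, group names, user names, domain NetBIOS name and server name are placeholders; it assumes the ActiveDirectory module on the admin host and the LocalAccounts cmdlets (Windows Server 2016 / PowerShell 5.1 or later) on the target server.

```powershell
# Added example: AGDLP in one domain, then audit the nested membership.
# All names below are placeholders, not values from the thread.
Import-Module ActiveDirectory

$ou     = 'OU=Groups,DC=corp,DC=example'   # placeholder OU
$server = 'PRODSRV01'                       # placeholder production server

# A -> G: accounts go into a Global group (members must be from this domain)
New-ADGroup -Name 'GG-ProdServerAdmins' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'GG-ProdServerAdmins' -Members 'alice', 'bob'

# G -> DL: the Domain Local group carries the permission and contains the Global group.
# With a single domain the Universal step of AGDULP is unnecessary; nest directly.
New-ADGroup -Name 'DL-ProdServerAdmins' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'DL-ProdServerAdmins' -Members 'GG-ProdServerAdmins'

# DL -> P: grant the permission by adding the Domain Local group to the
# server's local Administrators group over a remote session.
Invoke-Command -ComputerName $server -ScriptBlock {
    Add-LocalGroupMember -Group 'Administrators' -Member 'CORP\DL-ProdServerAdmins'
}

# Audit: walk the nesting and print each group with its scope and depth,
# so a chain that grows deeper than intended is visible at review time.
function Show-NestedGroups {
    param([string]$Group, [int]$Depth = 0)
    $g = Get-ADGroup -Identity $Group
    '{0}{1} [{2}]' -f ('  ' * $Depth), $g.Name, $g.GroupScope
    foreach ($m in (Get-ADGroupMember -Identity $g)) {
        if ($m.objectClass -eq 'group') {
            Show-NestedGroups -Group $m.DistinguishedName -Depth ($Depth + 1)
        } else {
            '{0}{1}' -f ('  ' * ($Depth + 1)), $m.SamAccountName
        }
    }
}
Show-NestedGroups -Group 'DL-ProdServerAdmins'

# Effective members, flattened through every level of nesting; this is the
# set of accounts that end up as local administrators on the server.
Get-ADGroupMember -Identity 'DL-ProdServerAdmins' -Recursive | Select-Object SamAccountName
```

The `-Recursive` listing is the quickest way to answer "who is really a local admin here" for a group nested several levels deep, and is worth running periodically against every group that has been added to a server's Administrators group.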

Author Comment

by:Senior IT System Engineer
ID: 40235802
Thanks guys.

So which combination of nested group types doesn't work for local admin on a server?

Author Closing Comment

by:Senior IT System Engineer
ID: 40396209
Thanks guys !
