The difference between Global and Universal nested group in single domain ?

Hi People,

Can anyone please assist me in explaining what's the difference in creating Security group with the type Global or Universal ?

in my company, there is only one AD domain, the AD security group is usually created to logically group multiple AD accounts to be a local administrator of several production servers (to be put into ServerName\Administrators group).

In this case, which type should I create ?
Does the Local Administrator group can read the nested AD group with more than 3 levels deep ?
Senior IT System EngineerIT ProfessionalAsked:
Who is Participating?
Seth SimmonsSr. Systems AdministratorCommented:
it's about scope
global groups can include users and groups from other global groups in the domain
universal groups can include users and groups from other global and universal groups in the forest

by default the option is checked as security groups created as global and distribution groups are universal
you can change this during creation or afterwards

In this case, which type should I create ?

with one domain, global is fine
if there were multiple domains in the same forest and you needed a group to have members from both domains, then it would be universal
Mike KlineCommented:
Do you ever plan to add domains?   Either one works I'd go with global in this case.  Yes it can read nested groups.  Why are you nesting three deep?   You don't want to make it hard to manage/administer.


Senior IT System EngineerIT ProfessionalAuthor Commented:
Cool, so in this case for the Local Administrator, it can be any type of group Universal or Global ?
eventhough it is nested, the local administrator group permission should be applicable. is that correct ?
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

SandeshdubeySenior Server EngineerCommented:
Domain Local Group is a group which may be assigned only to resources in a domain in which exists but it is able to contain any Universal Group/Global Group from entire forest. So as it cannot be assigned in other domains that its own, it was decided to use it as permission group.

Global Group is a group which may be assigned into any other Universal/Domain Local group in any domain in a forest but its limitation is that it can contain only members of its own domain.

Universal group is a group which can be added into any Domain Local group in entire forest and can have members of any domain from a forest. Its membership changes are replicated between each domains.

The best method to assign permission are AGDULP(Accounts, Global, Universal, Domain Local, Permissions)method to add user in groups, considering you have already trust in place b/w them.

-Add the User Accounts to Global Groups> Global Groups to Universal Group> Universal Groups to Domain Local Groups > Domain Local Groups to the group you want to assign the permission.

You should avoid using universal groups as its memberships are replicated across all the GC's in the forest.
Accessing resources across forests
Senior IT System EngineerIT ProfessionalAuthor Commented:
thanks guys.

so which combination of nested group type doesn't work for local admin in a server ?
Senior IT System EngineerIT ProfessionalAuthor Commented:
Thanks guys !
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.