The difference between Global and Universal nested groups in a single domain?

Posted on 2014-07-20
Last Modified: 2014-10-21
Hi People,

Can anyone please assist me in explaining the difference between creating a security group with the type Global or Universal?

In my company there is only one AD domain. The AD security group is usually created to logically group multiple AD accounts to be local administrators of several production servers (to be put into the ServerName\Administrators group).

In this case, which type should I create?
Can the local Administrators group read a nested AD group that is more than 3 levels deep?
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 167 total points
ID: 40207419
Do you ever plan to add domains? Either one works; I'd go with global in this case. Yes, it can read nested groups. Why are you nesting three deep? You don't want to make it hard to manage/administer.


LVL 34

Accepted Solution

Seth Simmons earned 167 total points
ID: 40207639
It's about scope.
Global groups can include users and groups from other global groups in the domain.
Universal groups can include users and groups from other global and universal groups in the forest.

By default the option is checked so that security groups are created as global and distribution groups as universal.
You can change this during creation or afterwards.

In this case, which type should I create ?

With one domain, global is fine.
If there were multiple domains in the same forest and you needed a group to have members from both domains, then it would be universal.
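An added example, not part of this answer or any other post in the thread, showing how to inspect a security group's scope and change it afterwards with the ActiveDirectory module. The group name is a placeholder. The directory enforces two rules when converting: a Global group can become Universal only if it is not itself a member of another Global group, and a Universal group can become Global only if it contains no Universal groups; the script checks both before calling Set-ADGroup.

```powershell
# Added example (not from the thread). Inspect and convert a group's scope.
Import-Module ActiveDirectory

$groupName = 'SRV-LocalAdmins-Prod'   # placeholder; use your own group name

$group = Get-ADGroup -Identity $groupName -Properties GroupScope, GroupCategory, MemberOf, Members
"{0}: scope={1} category={2}" -f $group.Name, $group.GroupScope, $group.GroupCategory

switch ($group.GroupScope) {
    'Global' {
        # Global -> Universal is refused if this group is nested inside another Global group.
        $globalParents = $group.MemberOf |
            ForEach-Object { Get-ADGroup -Identity $_ } |
            Where-Object { $_.GroupScope -eq 'Global' }
        if ($globalParents) {
            "Cannot convert to Universal; member of Global group(s): $($globalParents.Name -join ', ')"
        } else {
            Set-ADGroup -Identity $group -GroupScope Universal
            "Converted $($group.Name) to Universal"
        }
    }
    'Universal' {
        # Universal -> Global is refused if this group contains another Universal group.
        $universalMembers = $group.Members |
            ForEach-Object { Get-ADObject -Identity $_ -Properties groupType } |
            Where-Object { $_.ObjectClass -eq 'group' -and (Get-ADGroup $_).GroupScope -eq 'Universal' }
        if ($universalMembers) {
            "Cannot convert to Global; contains Universal group(s): $($universalMembers.Name -join ', ')"
        } else {
            Set-ADGroup -Identity $group -GroupScope Global
            "Converted $($group.Name) to Global"
        }
    }
    default { "Scope $($group.GroupScope) left unchanged" }
}
```

Run it from a host with the RSAT ActiveDirectory module as an account allowed to modify the group; in the single-domain case from the question both scopes work for nesting into a server's local Administrators group, so the conversion is rarely needed.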

Author Comment

by:Senior IT System Engineer
ID: 40208098
Cool, so in this case for the local Administrators group, it can be any type of group, Universal or Global?
Even though it is nested, the local administrator group permission should be applicable. Is that correct?
LVL 24

Assisted Solution

Sandeshdubey earned 166 total points
ID: 40210843
A Domain Local group is a group which may be assigned only to resources in the domain in which it exists, but it is able to contain any Universal group/Global group from the entire forest. So, as it cannot be assigned in domains other than its own, it was decided to use it as the permission group.

A Global group is a group which may be added to any Universal/Domain Local group in any domain in a forest, but its limitation is that it can contain only members of its own domain.

A Universal group is a group which can be added to any Domain Local group in the entire forest and can have members from any domain in the forest. Its membership changes are replicated between all domains.

The best method to assign permissions is the AGDULP (Accounts, Global, Universal, Domain Local, Permissions) method of adding users to groups, considering you already have a trust in place between them.

- Add the user accounts to Global groups > Global groups to Universal groups > Universal groups to Domain Local groups > Domain Local groups to the group you want to assign the permission to.

You should avoid using Universal groups as their memberships are replicated across all the GCs in the forest.
Accessing resources across forests
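An added example, not code from this answer or from anyone in the thread, that builds the AGDLP chain described above for the single-domain case in the question (the Universal step is dropped, as the answer advises) and then shows how the nesting is resolved for a server's local Administrators group. The OU, user, group and server names are placeholders. It also shows the one nesting the directory refuses in a single domain, putting a Domain Local (or Universal) group inside a Global group, which answers the "which combination doesn't work" follow-up below.

```powershell
# Added example (not from the thread): AGDLP nesting in one domain, plus the
# recursive membership check that the server's Administrators group relies on.
Import-Module ActiveDirectory

$ou      = 'OU=Groups,DC=corp,DC=example'   # placeholder OU
$user    = 'jdoe'                            # placeholder account (sAMAccountName)
$server  = 'PRODAPP01'                       # placeholder server name
$netbios = (Get-ADDomain).NetBIOSName

# A -> G: accounts go into a Global "role" group.
$roleGroup = New-ADGroup -Name 'Role-ProdAppAdmins' -GroupScope Global `
                -GroupCategory Security -Path $ou -PassThru
# G -> DL: the role group goes into a Domain Local "resource" group.
$resGroup  = New-ADGroup -Name "Res-$server-LocalAdmins" -GroupScope DomainLocal `
                -GroupCategory Security -Path $ou -PassThru

Add-ADGroupMember -Identity $roleGroup -Members $user
Add-ADGroupMember -Identity $resGroup  -Members $roleGroup

# The reverse direction is rejected: a Global group may contain only accounts
# and Global groups from its own domain, never a Domain Local or Universal group.
try {
    Add-ADGroupMember -Identity $roleGroup -Members $resGroup -ErrorAction Stop
} catch {
    "Expected refusal: $($_.Exception.Message)"
}

# -Recursive walks every level of nesting, however deep, and returns the leaf
# accounts; this is the effective set the local Administrators group will honor,
# because the user's logon token carries the SIDs of all transitive groups.
Get-ADGroupMember -Identity $resGroup -Recursive |
    Select-Object Name, SamAccountName, objectClass

# DL -> P: grant the permission by placing the Domain Local group into the
# server's local Administrators group, then list the result for verification.
Invoke-Command -ComputerName $server -ScriptBlock {
    param($member)
    Add-LocalGroupMember -Group 'Administrators' -Member $member
    Get-LocalGroupMember -Group 'Administrators'
} -ArgumentList "$netbios\$($resGroup.SamAccountName)"
```

Granting one Domain Local group per server (or per server class) to Administrators keeps the server side static; onboarding and offboarding admins is then only a change to the Global role group, and Get-ADGroupMember -Recursive gives the same flattened view the server's access check will use.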

Author Comment

by:Senior IT System Engineer
ID: 40235802
Thanks guys.

So which combination of nested group types doesn't work for local admin on a server?

Author Closing Comment

by:Senior IT System Engineer
ID: 40396209
Thanks guys!
