The difference between Global and Universal nested groups in a single domain?

Posted on 2014-07-20
Last Modified: 2014-10-21
Hi People,

Can anyone please assist me in explaining what the difference is between creating a security group with the type Global or Universal?

In my company, there is only one AD domain. The AD security group is usually created to logically group multiple AD accounts to be local administrators of several production servers (to be put into the ServerName\Administrators group).

In this case, which type should I create?
Can the Local Administrator group read a nested AD group that is more than 3 levels deep?
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 167 total points
ID: 40207419
Do you ever plan to add domains? Either one works; I'd go with global in this case. Yes, it can read nested groups. Why are you nesting three deep? You don't want to make it hard to manage/administer.


LVL 35

Accepted Solution

Seth Simmons earned 167 total points
ID: 40207639
it's about scope
global groups can include users and groups from other global groups in the domain
universal groups can include users and groups from other global and universal groups in the forest

by default the option is checked so that security groups are created as global and distribution groups as universal
you can change this during creation or afterwards

In this case, which type should I create?

with one domain, global is fine
if there were multiple domains in the same forest and you needed a group to have members from both domains, then it would be universal

Author Comment

by:Senior IT System Engineer
ID: 40208098
Cool, so in this case for the Local Administrator, it can be any type of group, Universal or Global?
Even though it is nested, the local administrator group permission should be applicable. Is that correct?

LVL 24

Assisted Solution

Sandeshdubey earned 166 total points
ID: 40210843
A Domain Local Group is a group which may be assigned only to resources in the domain in which it exists, but it is able to contain any Universal Group/Global Group from the entire forest. As it cannot be assigned in domains other than its own, it was decided to use it as a permission group.

A Global Group is a group which may be added to any other Universal/Domain Local group in any domain in a forest, but its limitation is that it can contain only members of its own domain.

A Universal Group is a group which can be added to any Domain Local group in the entire forest and can have members from any domain in the forest. Its membership changes are replicated between all domains.

The best method to assign permissions is the AGUDLP (Accounts, Global, Universal, Domain Local, Permissions) method for adding users to groups, considering you already have a trust in place between them.

- Add the User Accounts to Global Groups > Global Groups to Universal Groups > Universal Groups to Domain Local Groups > Domain Local Groups to the group you want to assign the permission.

You should avoid using universal groups, as their memberships are replicated across all the GCs in the forest.
Accessing resources across forests
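
The nesting discussed in the answers above can be audited before a group is placed into ServerName\Administrators. The following is an added example, not code from any of the posters: it walks a domain group's nested membership and reports each member's depth and group scope. It assumes a single domain as in the question and the ActiveDirectory (RSAT) module, and the group name `SRV-Prod-Admins` is hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
# 'SRV-Prod-Admins' is a hypothetical name for the domain group that is
# placed into ServerName\Administrators.
Import-Module ActiveDirectory

function Get-NestedMemberTree {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [int] $Depth = 1,
        [string[]] $Path = @()      # groups already visited on this branch
    )
    $group = Get-ADGroup -Identity $Identity -Properties Members
    if ($Path -contains $group.DistinguishedName) {
        Write-Warning "Circular nesting at $($group.Name)"
        return
    }
    $Path += $group.DistinguishedName

    foreach ($dn in $group.Members) {
        $member = Get-ADObject -Identity $dn -Properties sAMAccountName
        $scope  = $null
        if ($member.ObjectClass -eq 'group') {
            # Global, Universal or DomainLocal
            $scope = (Get-ADGroup -Identity $dn).GroupScope
        }
        [pscustomobject]@{
            Depth  = $Depth
            Via    = $group.Name
            Member = $member.sAMAccountName
            Class  = $member.ObjectClass
            Scope  = $scope
        }
        if ($member.ObjectClass -eq 'group') {
            Get-NestedMemberTree -Identity $dn -Depth ($Depth + 1) -Path $Path
        }
    }
}

$tree = Get-NestedMemberTree -Identity 'SRV-Prod-Admins'
$tree | Sort-Object Depth, Via | Format-Table -AutoSize

# Accounts that end up as local administrators, with the deepest level
# at which each one is reached through nesting.
$tree | Where-Object Class -eq 'user' |
    Group-Object Member |
    Select-Object Name, @{ n = 'MaxDepth'; e = { ($_.Group.Depth | Measure-Object -Maximum).Maximum } }
```

Any account in the second table holds local administrator rights on every server where the top-level group is a member of Administrators, however deep the nesting that grants it.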

Author Comment

by:Senior IT System Engineer
ID: 40235802
Thanks guys.

So which combination of nested group types doesn't work for local admin on a server?

Author Closing Comment

by:Senior IT System Engineer
ID: 40396209
Thanks guys!

Question has a verified solution.