<div>
You were told wrong, although in single domain forest it really does not matter.<br />
You nest groups in Active Directory by A-G-U-DL-P rule.<br />
<br />
You put A-account in G-global group, which can be put in U-universal group in multiple domain environment, which can be put in DL - domain local group to which you assign P - permissions.<br />
<br />
In single domain forest I would use A-G-P.
</div>


You were told wrong, although in single domain forest it really does not matter.
You nest groups in Active Directory by A-G-U-DL-P rule.

You put A-account in G-global group, which can be put in U-universal group in multiple domain environment, which can be put in DL - domain local group to which you assign P - permissions.

In single domain forest I would use A-G-P.

<div>
Thank you Toni.<br />
But we have another two two-way-trusted domains in respective separate forest. (Each domain is in a different forest.) Each domain could share its resources.<br />
In that case, would you consider ours a single domain?
</div>


Thank you Toni.
But we have another two two-way-trusted domains in respective separate forest. (Each domain is in a different forest.) Each domain could share its resources.
In that case, would you consider ours a single domain?

<div>
<div class="content wysiwyg-content">
I was told to use a &quot;Domain Local&quot; type rather than &quot;Global&quot; type for domain access control. Since the built-in &quot;Users&quot; account is a Domain Local type while &quot;Domain Users&quot; a Global, shall I use the built-in &quot;Users&quot; instead of the &quot;Domain Users&quot; for access control in the local domain?
</div>
</div>


I was told to use a "Domain Local" type rather than "Global" type for domain access control. Since the built-in "Users" account is a Domain Local type while "Domain Users" a Global, shall I use the built-in "Users" instead of the "Domain Users" for access control in the local domain?

Shall I use the builtin &quot;Users&quot; instead of &quot;Domain Users&quot; to assign permission to resources?

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Shall I use the builtin &quot;Users&quot; instead of &quot;Domain Users&quot; to assign permission to resources?

Shall I use the builtin "Users" instead of "Domain Users" to assign permission to resources?