From LedHed's Wiki
Active Directory supports 4 types of groups: BuiltIn Domain Local Global Universal
By default most groups are created as Global Groups.
Contents
Granting Group Permissions To Trusted Domains/Forests
Universal Groups: Exist across all Domains that Trust each other.
Global Groups: Good for containing Users and Groups (and thats about it)
Domain Local Groups: Good for Delegating Control.
Example
Goal: Delegate control of password resets, across all trusted domains within one forest.
- Create a Domain Local group named 'PasswordReset', in each domain.
- Create a Globl Group named 'HelpDesk', in each domain.
- Create a Universal Group named 'Enterprise Password Reset', on only one domain.
- Make users you want to be able to reset passwords MembersOf of the 'HelpDesk' Global group, in each domain.
- Make 'HelpDesk' on each domain a MemberOf the 'Enterprise Password Reset' Universal group.
- Make the 'Enterprise Password Reset' Universal Group a MemberOf the 'PasswordReset' Domain Local group, on each domain.
Domain A (DL) PasswordReset (GG) HelpDesk (MemberOf: Domain A\Enterprise Password Reset) (UG) Enterprise Password Reset (MemberOf: Domain A\PasswordReset)
Domain B (DL) PasswordReset (GG) HelpDesk (MemberOf: Domain A\Enterprise Password Reset)
Domain C (DL) PasswordReset (GG) HelpDesk (MemberOf: Domain A\Enterprise Password Reset)
This would allow members of the HelpDesk group in any domain to reset passwords in trusted domains (A,B,C)
Group Scope
Source Group Type | Relationship | Target Group Type | Local Domain | Trusted Domain | |
---|---|---|---|---|---|
Domain Local | Members | Domain Local | Yes | No | |
Domain Local | Members | Global | Yes | Yes | |
Domain Local | Members | Universal | Yes | Yes | |
Global | Members | Domain Local | No | No | |
Global | Members | Global | Yes | No | |
Global | Members | Universal | No | No | |
Universal | Members | Domain Local | No | No | |
Universal | Members | Global | Yes | No | |
Universal | Members | Universal | Yes | No |
Source Group Type | Relationship | Target Group Type | Local Domain | Trusted Domain | |
---|---|---|---|---|---|
Domain Local | MemberOf | Domain Local | Yes | No | |
Domain Local | MemberOf | Global | No | No | |
Domain Local | MemberOf | Universal | No | No | |
Global | MemberOf | Domain Local | Yes | Yes | |
Global | MemberOf | Global | Yes | No | |
Global | MemberOf | Universal | Yes | No | |
Universal | MemberOf | Domain Local | Yes | Yes | |
Universal | MemberOf | Global | No | No | |
Universal | MemberOf | Universal | Yes | No |