Windows Group Types

Active Directory supports 4 types of groups: BuiltIn Domain Local Global Universal

By default most groups are created as Global Groups.

Granting Group Permissions To Trusted Domains/Forests

Universal Groups: Exist across all Domains that Trust each other.
Global Groups: Good for containing Users and Groups (and thats about it)
Domain Local Groups: Good for Delegating Control.

Example

Goal: Delegate control of password resets, across all trusted domains within one forest.

1. Create a Domain Local group named 'PasswordReset', in each domain.
2. Create a Globl Group named 'HelpDesk', in each domain.
3. Create a Universal Group named 'Enterprise Password Reset', on only one domain.
4. Make users you want to be able to reset passwords MembersOf of the 'HelpDesk' Global group, in each domain.
5. Make 'HelpDesk' on each domain a MemberOf the 'Enterprise Password Reset' Universal group.
6. Make the 'Enterprise Password Reset' Universal Group a MemberOf the 'PasswordReset' Domain Local group, on each domain.

Domain A
   (DL) PasswordReset
   (GG) HelpDesk  (MemberOf: Domain A\Enterprise Password Reset)
   (UG) Enterprise Password Reset  (MemberOf: Domain A\PasswordReset)

Domain B
   (DL) PasswordReset
   (GG) HelpDesk  (MemberOf: Domain A\Enterprise Password Reset)

Domain C
   (DL) PasswordReset
   (GG) HelpDesk  (MemberOf: Domain A\Enterprise Password Reset)

This would allow members of the HelpDesk group in any domain to reset passwords in trusted domains (A,B,C)

Group Scope

Reference

http://ss64.com/nt/syntax-groups.html

https://web.archive.org/web/20150705052045/http://networkadminkb.com/KB/a5/the-golden-rules-of-permissions-administration.aspx