Active Directory Group Scope and Group Types

In this article we will talk about two Active Directory features, group scope and group types. We will see what their main functionality is and why they matter within an AD infrastructure. Each group has an attribute that identifies the area in which the group takes effect, which in AD is called the group scope. There are three scope types available in Active Directory: universal, global and domain local.

This may sound a bit confusing now, but I will explain each scope type, and hopefully once you have an overall picture of this mechanism things will be clear.

You may already know by now that there are two group types in AD: security groups and distribution groups. Groups are used to simplify object management within the Active Directory domain or forest. This is done by creating groups, which are containers for multiple objects.

We will talk a bit about each of these two group types:

Group Types

Security Groups

Their purpose is to manage permissions on domain objects. With security groups you can grant user rights within the domain (for example, making a user a Domain Admin by adding the account to that security group, so that it inherits the group's permissions). You can also use security groups to set permissions on specific resources, for example by adding a security group to the DACL (discretionary access control list) of a shared folder.

Distribution Groups

They are used with e-mail applications to deliver a message to multiple recipients. Note that this is the only purpose of distribution groups; they cannot be assigned permissions.

Note that a distribution group can be converted to a security group at any time, and vice versa.

Group Scope

Universal

Once you have created a universal group, you can add accounts, global groups and universal groups from any domain within the AD forest. You can assign permissions to universal groups in any domain or forest. As long as the group does not contain any other universal group, it can be converted to a global group or a domain local group. Because these groups have the widest coverage, they are used when objects must be replicated between several domains.

Global

This scope has a narrower coverage than universal groups. You can add accounts and global groups that are part of the same domain as the parent global group. Unlike universal groups, permissions on global groups can be assigned in any domain, but not in any forest. If a global group is not a member of any other global group, it can be converted to a universal group. Global groups are commonly used for objects that change frequently, such as user accounts or computers. Note that global groups can be modified safely without generating traffic to the GC (global catalog), because their membership is not propagated outside their own domain.

Domain local

Domain local groups can include universal groups, global groups and accounts from any domain, and other domain local groups from the same domain as the parent group. Permissions can be assigned only in the same domain as the parent domain local group. As long as no other domain local groups are included, you can change a domain local group to a universal group, but not to a global group. These groups are used when managing objects within a single domain.
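As an added example (not from the original article), here is a PowerShell check, using the RSAT ActiveDirectory module, that applies the scope-conversion rules described above before a scope change is committed; the group name is a placeholder and the function name is my own.

```powershell
Import-Module ActiveDirectory

function Test-GroupScopeConversion {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('DomainLocal', 'Global', 'Universal')] [string] $TargetScope
    )

    $group   = Get-ADGroup -Identity $Identity
    $current = [string]$group.GroupScope

    # Scopes of the groups nested directly inside this group
    $memberScopes = Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -eq 'group' } |
        ForEach-Object { [string](Get-ADGroup -Identity $_.DistinguishedName).GroupScope }

    # Scopes of the groups this group is itself a member of
    $parentScopes = Get-ADPrincipalGroupMembership -Identity $group |
        ForEach-Object { [string]$_.GroupScope }

    # Apply the rules as the article states them; $reason stays empty when the change is allowed.
    # (For Universal->DomainLocal, AD itself imposes no restriction; the article's rule is stricter.)
    $reason = switch ("$current->$TargetScope") {
        'Universal->Global'      { if ($memberScopes -contains 'Universal')   { 'contains a universal group' } }
        'Universal->DomainLocal' { if ($memberScopes -contains 'Universal')   { 'contains a universal group' } }
        'Global->Universal'      { if ($parentScopes -contains 'Global')      { 'is a member of another global group' } }
        'DomainLocal->Universal' { if ($memberScopes -contains 'DomainLocal') { 'contains another domain local group' } }
        'Global->DomainLocal'    { 'global to domain local is not a supported direct conversion' }
        'DomainLocal->Global'    { 'domain local to global is not a supported direct conversion' }
        default                  { 'already has that scope' }
    }

    [pscustomobject]@{
        Group        = $group.SamAccountName
        CurrentScope = $current
        TargetScope  = $TargetScope
        Allowed      = [string]::IsNullOrEmpty($reason)
        Reason       = $reason
    }
}

# Review the result, then apply the change with Set-ADGroup (remove -WhatIf to commit).
$check = Test-GroupScopeConversion -Identity 'EXAMPLE-Group' -TargetScope Universal   # placeholder group name
$check
if ($check.Allowed) {
    Set-ADGroup -Identity $check.Group -GroupScope $check.TargetScope -WhatIf
}
```

The check only inspects direct members and direct parent groups, which is what the conversion rules depend on; run it with an account that can read group membership in the domain.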
I hope you have understood the principles behind group types and group scope; for any misunderstandings, please submit a comment in my dedicated section. Wish you all the best and stay tuned for the following articles from IT training day.

