The scope of a group determines where in the Active Directory network the group can be used to assign permissions. There are three group scopes: domain local, global, and universal. The differences between them are listed below.
| Group Scope | Group can include as members | Group can be assigned permissions in |
| --- | --- | --- |
| Domain Local | User accounts from any domain; global groups from any domain; universal groups from any domain; domain local groups, but only from the same domain as the parent domain local group | Member permissions can be assigned only within the same domain as the parent domain local group |
| Global | User accounts from the same domain as the parent global group; global groups from the same domain as the parent global group | Member permissions can be assigned in any domain |
| Universal | User accounts from any domain within the forest in which this universal group resides; global groups from any domain within the forest in which this universal group resides; universal groups from any domain within the forest in which this universal group resides | Any domain in the forest |
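The rules in the table above can be applied as a pre-check on a planned group nesting before it is created in the directory. This is an added example, not code from the original page; the `Principal` type, the function names, and the sample domains, forests and groups are all constructed for illustration, and "any domain" is modelled as every domain in the supplied map.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Principal:
    name: str
    kind: str    # "user", "domain_local", "global" or "universal"
    domain: str
    forest: str

# Parent scope -> member kind -> where the member must come from,
# transcribed from the table above ("any" = any domain).
MEMBER_RULES = {
    "domain_local": {"user": "any", "global": "any", "universal": "any",
                     "domain_local": "same domain"},
    "global": {"user": "same domain", "global": "same domain"},
    "universal": {"user": "same forest", "global": "same forest",
                  "universal": "same forest"},
}

def check_membership(parent, member):
    """Return (allowed, reason) for adding member to the group parent."""
    rule = MEMBER_RULES[parent.kind].get(member.kind)
    if rule is None:
        return False, f"{parent.kind} groups cannot contain {member.kind} members"
    if rule == "same domain" and member.domain != parent.domain:
        return False, f"{member.name} must be in {parent.domain}"
    if rule == "same forest" and member.forest != parent.forest:
        return False, f"{member.name} must be in forest {parent.forest}"
    return True, "allowed"

def permission_domains(group, domains):
    """Domains (from a {domain: forest} map) where group can be assigned permissions."""
    if group.kind == "domain_local":
        return [group.domain]
    if group.kind == "universal":
        return sorted(d for d, f in domains.items() if f == group.forest)
    return sorted(domains)  # global: any domain

def rejected(plan):
    """Return (parent, member, reason) for each disallowed (parent, member) pair."""
    checks = ((p, m, check_membership(p, m)) for p, m in plan)
    return [(p.name, m.name, why) for p, m, (ok, why) in checks if not ok]

# Constructed sample data: two domains in one forest plus a separate forest.
DOMAINS = {"emea.example": "example", "apac.example": "example", "partner.test": "partner"}
alice = Principal("alice", "user", "apac.example", "example")
g_sales = Principal("G-Sales", "global", "emea.example", "example")
u_all = Principal("U-AllSales", "universal", "emea.example", "example")
dl_share = Principal("DL-Share-RW", "domain_local", "apac.example", "example")
PLAN = [(g_sales, alice), (u_all, g_sales), (dl_share, u_all), (g_sales, u_all)]
```

Calling `rejected(PLAN)` flags the two nestings into the global group: a user from another domain, and a universal group, neither of which the table permits.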