
Group Scope and Group Type

Groups created in a domain have both a group scope and a group type. You can access this in Active Directory Users and Computers by right-clicking a container and selecting New → Group.

The three group scopes are global, domain local, and universal:

Global
Global groups are commonly used to organize users (such as all the users in the Sales department with a group named G_Sales). Global groups can also contain other global groups.

Domain local
Domain local groups are sometimes used in administrative models in larger domains. A domain local group commonly identifies assigned permissions to specific resources. As an example, the DL_Print_ClrLaserPrinter group could be used to identify a group that is assigned print permission for a color laser printer. A domain local group typically contains one or more global groups and can also contain universal groups.

Universal
Universal groups are used in multiple-domain environments. They can contain global groups from any domain and can be added to domain local groups in any domain.

Note: A commonly used naming convention is to begin the group name with the group scope. G_Sales is easily identified as a global group used to organize the users in the Sales department. Similarly, it's common to include the permissions and resources in the domain local group name: DL_Print_ClrLaserPrinter identifies it as a domain local group used to grant print permission for a color laser printer.

The two group types are distribution and security:

Distribution
A distribution group is used for email only. It cannot be assigned permissions.

Security
A security group can be assigned permissions or used as a distribution group.

In larger domains where both global and domain local groups are used, a common strategy known as A G DL P is used. The figure below shows an example of A G DL P.

Figure: A G DL P administrative model used in larger domains

When A G DL P is used, accounts (A) are added to global groups (G). Global groups are added to domain local (DL) groups, and permissions (P) are assigned to domain local groups.

The direction of the arrows in the figure also helps to identify what can be added to a group. The arrow goes down from the accounts, indicating they can be added to global groups or domain local groups. The arrow also goes down from the global group, indicating it can be added to a domain local group.

However, a global group can't be added to a user (which admittedly sounds silly), and a domain local group can't be added to a global group; both of these examples go against the arrow. The arrow goes up from permissions. Permissions can be assigned to accounts or any type of group, but it's a good practice to assign permissions to groups whenever possible. When you begin assigning permissions directly to users, administration becomes more difficult.

The benefits of using domain local groups are realized only in larger domains where administrators want to manage permissions for some resources more closely. Most organizations use a simpler model of AGP where accounts (A) are placed into global (G) groups and permissions (P) are assigned to the global groups.
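As an added example (not code from the original text), the PowerShell below first encodes the nesting directions described above as a small check, and then builds one complete A G DL P chain with the ActiveDirectory module. Everything it names is an assumption: the domain contoso.local with NetBIOS name CONTOSO, the OU OU=Groups, the users alice and bob, and a shared folder C:\Shares\Sales standing in for the text's color laser printer, because an NTFS ACL is simpler to script than a print queue's permissions. The group names follow the G_ and DL_<permission>_<resource> convention from the Note.

```powershell
# Added example; not from the original page. Assumed environment: domain
# contoso.local (NetBIOS CONTOSO), OU=Groups, users alice/bob, folder C:\Shares\Sales.
# Requires the RSAT ActiveDirectory module and an account allowed to create groups.

# Nesting rules exactly as the text states them: for each kind of member,
# the group scopes the arrow allows it to be added to. Anything not listed
# here (e.g. a domain local group inside a global group) goes against the arrow.
$AllowedContainers = @{
    'User'        = @('Global', 'DomainLocal')
    'Global'      = @('Global', 'DomainLocal', 'Universal')
    'Universal'   = @('DomainLocal')
    'DomainLocal' = @()   # a domain local group only receives permissions
}

function Test-GroupNesting {
    param(
        [Parameter(Mandatory)][string]$MemberKind,   # User, Global, Universal, DomainLocal
        [Parameter(Mandatory)][string]$TargetScope   # Global, DomainLocal, Universal
    )
    # $true only when the A G DL P arrow permits this membership.
    return [bool]($AllowedContainers[$MemberKind] -contains $TargetScope)
}

function New-AgdlpChain {
    param(
        [string]$OuPath     = 'OU=Groups,DC=contoso,DC=local',   # assumed OU
        [string]$GlobalName = 'G_Sales',                         # G_<who>
        [string]$LocalName  = 'DL_Modify_SalesShare',            # DL_<permission>_<resource>, assumed
        [string]$Folder     = 'C:\Shares\Sales',                 # assumed resource
        [string]$NetBios    = 'CONTOSO',                         # assumed domain short name
        [string[]]$Users    = @('alice', 'bob')                  # assumed sAMAccountNames
    )
    Import-Module ActiveDirectory

    # A -> G: accounts are organized in a global security group.
    if (-not (Test-GroupNesting -MemberKind 'User' -TargetScope 'Global')) { throw 'A -> G blocked' }
    New-ADGroup -Name $GlobalName -GroupScope Global -GroupCategory Security -Path $OuPath
    Add-ADGroupMember -Identity $GlobalName -Members $Users

    # G -> DL: the domain local group names the permission and resource it carries.
    if (-not (Test-GroupNesting -MemberKind 'Global' -TargetScope 'DomainLocal')) { throw 'G -> DL blocked' }
    New-ADGroup -Name $LocalName -GroupScope DomainLocal -GroupCategory Security -Path $OuPath
    Add-ADGroupMember -Identity $LocalName -Members $GlobalName

    # DL -> P: only a security group can hold permissions; a distribution group cannot.
    if ((Get-ADGroup -Identity $LocalName).GroupCategory -ne 'Security') {
        throw "$LocalName is a distribution group and cannot be assigned permissions"
    }
    $acl  = Get-Acl -Path $Folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        "$NetBios\$LocalName", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl   # the ACE lands on the group, never on alice or bob
}

# Dry checks of the arrow rules; these need no domain connection.
Test-GroupNesting -MemberKind 'Global'      -TargetScope 'DomainLocal'   # True
Test-GroupNesting -MemberKind 'Universal'   -TargetScope 'DomainLocal'   # True
Test-GroupNesting -MemberKind 'DomainLocal' -TargetScope 'Global'        # False, against the arrow
Test-GroupNesting -MemberKind 'Global'      -TargetScope 'User'          # False, a group can't be added to a user

# Uncomment on a domain-joined admin host to build the chain:
# New-AgdlpChain
```

The nesting check is deliberately limited to the directions the text states; Active Directory itself rejects an out-of-order membership such as a domain local group inside a global group, so the check only makes the reason visible before the directory call fails. Granting Modify to the domain local group rather than to the users is the point of the model: later, giving a new hire the same access is one Add-ADGroupMember call to G_Sales, and the folder's ACL never changes.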
