Group Scope and You

Understanding Group Scope is one of the basic concepts in Systems Administration that builds a solid foundation for your technical knowledge. To understand group scopes, we first need to know some basic terms. A Windows domain is a form of computer network in which all user accounts, computers, printers and other security principals are registered with a central database located on one or more clusters of central computers known as domain controllers. Active Directory is the Windows component in charge of maintaining that central database.

Active Directory Domain Services (AD DS) is the basis of every Windows domain network. It stores information about members of the domain, including devices and users, verifies their credentials and defines their access rights. The server or the group of servers running this service is called a domain controller.

In the scope of Active Directory, a forest is a collection of domain containers that trust each other, together with the other security services located in that same forest. All domain containers in a forest share a common global catalog, directory schema, and directory configuration, as well as automatic two-way trust relationships.

The scope of a group determines both the range of a group’s abilities or permissions and its membership. You do not assign permissions directly to individual user accounts. Instead, individuals acquire access through their roles within an organization, which spares you from editing a large and frequently changing number of resource permissions and user rights assignments every time you create, modify, or delete a user account. Storing roles and permissions in a centralized database or directory service simplifies the process of confirming and controlling role memberships and role permissions.

There are four group scopes:

Local — You use this type of group for stand-alone servers or workstations, on domain member servers that are not domain controllers, or on domain member workstations. Local groups are truly local, which means that they are available only on the computer where they exist. The important characteristics of a local group are:

1. You can assign abilities and permissions on local resources only, meaning on the local computer.

2. Members can be from anywhere in the AD DS forest, and can include:

   • Any security principals from the domain: users, computers, global groups, or domain local groups.
   • Users, computers, and global groups from any domain in the forest.
   • Users, computers, and global groups from any trusted external domain.
   • Universal groups defined in any domain in the forest.

Domain local — You use this type of group to manage access to resources or to assign management responsibilities (rights). Domain local groups exist on domain controllers in an AD DS forest, and the group’s scope is localized to the domain in which they reside. The important characteristics of domain-local groups are:

1. You can assign abilities and permissions on domain-local resources only, which means on all computers in the local domain.

2. Members can be from anywhere in the AD DS forest, and can include:

   • Any security principals from the domain: users, computers, global groups, or domain local groups.
   • Users, computers, and global groups from any domain in the forest.
   • Universal groups defined in any domain in the forest.

Global — You use this type of group primarily to consolidate users who have similar characteristics. For example, global groups are often used to pool users who are part of a department or geographic location. The important characteristics of global groups are:

1. You can assign abilities and permissions anywhere in the forest.

2. Members can be from the local domain only, and can include:

   • Users, computers, and global groups from the local domain.

Universal — You use this type of group most often in multi-domain networks because it combines the characteristics of both domain-local groups and global groups. The important characteristics of universal groups are:

1. You can assign abilities and permissions anywhere in the forest, as with global groups.

2. Members can be from anywhere in the AD DS forest, and can include:

   • Users, computers, and global groups from any domain in the forest.
   • Universal groups defined in any domain in the forest.

Universal group properties are extended to the global catalog, and are made available across the enterprise network on all domain controllers that host the global catalog role. This makes universal groups’ membership lists more accessible, which is useful in multi-domain scenarios. For example, if a universal group is used for email distribution, determining its membership list is typically quicker in distributed multi-domain networks. The visual below (an image in the original post) defines the group scope scenario.

[Figure: group scope matrix. Source: 20410 Installing and Configuring Windows Server 2012, Microsoft]
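The following script is an added example, not code from the original post. It puts the scope rules above into practice the way the role-based approach described earlier suggests: a global group pools the users of one role, a domain-local group stands for one resource permission, the role group is nested into the resource group, and the NTFS permission is granted to the group rather than to individual accounts; the last step reads universal group membership from the global catalog. It assumes the RSAT ActiveDirectory module, a hypothetical domain corp.example.com (NetBIOS name CORP) with existing users alice and bob, a container OU named Groups, a share folder on the local file server, and a global catalog server named dc01.

```powershell
# Added example (not from the original article): AGDLP-style access following
# the scope rules above. Everything named below is an assumption for illustration.
Import-Module ActiveDirectory

$ou    = 'OU=Groups,DC=corp,DC=example,DC=com'   # assumed container for new groups
$share = 'D:\Shares\Finance'                     # assumed resource folder on this server

# 1. Global group for the role. Its members can only come from the local domain,
#    which is where these users are defined.
New-ADGroup -Name 'Role-Finance-Staff' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Role-Finance-Staff' -Members 'alice', 'bob'

# 2. Domain-local group for the resource. It may hold users, global groups and
#    universal groups from any domain in the forest, so the role group nests into it.
New-ADGroup -Name 'ACL-Finance-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'ACL-Finance-Modify' -Members 'Role-Finance-Staff'

# 3. The NTFS permission is assigned to the domain-local group only, never to a user.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    'CORP\ACL-Finance-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path $share
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# 4. Verify the scopes and resolve the nested membership: the resource group's
#    effective members are the users of the role group (-Recursive expands nesting).
'Role-Finance-Staff', 'ACL-Finance-Modify' |
    ForEach-Object { Get-ADGroup -Identity $_ } |
    Select-Object Name, GroupScope, GroupCategory
Get-ADGroupMember -Identity 'ACL-Finance-Modify' -Recursive |
    Select-Object Name, objectClass

# 5. Universal group membership is replicated to the global catalog, so it can be
#    read from any GC over the global catalog LDAP port (3268) without contacting
#    each group's home domain. dc01 is an assumed global catalog server.
Get-ADGroup -Filter { GroupScope -eq 'Universal' } -Properties Members `
    -Server 'dc01.corp.example.com:3268' |
    Select-Object Name, @{ n = 'MemberCount'; e = { $_.Members.Count } }
```

Run it with an account that can create groups in the target OU and change the folder's ACL; step 4 is the check that the nesting chain resolves back to the intended users before anyone relies on the permission.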

The table visually explains the Group Scope matrix, and I hope this helps you understand the role of scopes in the Active Directory Domain Services world. Understanding Group Scopes will help you define and manage access, manage directory objects, and consolidate groups that span domains, and it sets a good foundation for a career in Systems Administration.
