September 24, 2010

Active Directory - Group Scope and Members

Изменить Group Scope можно в следующем порядке:
  • Global --- Universal
  • Domain Local --- Universal
  • Universal --- Global
  • Universal --- Domain Local


    1. Just want to say that "Universal groups" should be indicated for "local" and "Domain Local" rows Under "Members from a trusted external domain".
      I have just verified it with Windows 2012 R2 but I believe it is there since the beginning (Windows 2000).
      Alain Roy,Québec, Canada

    2. What is the source? Give please a link.

    3. First of all, I want to say that Microsoft did documented very well groups scope in regard to Forest trusts.
      That why I found this site searching for a simple table like the one published here.

      If you read the Windows 2000 original scope at (, it indicates that local and Domain local can have members from anywhere in the forest, from trusted domains in other forests...
      There is no indication about restrictions about groups types.

      Looking on the groups scope documented with Windows 2003 (, it's indicate that Domain local can include "Universal groups from any Domain" without restriction (as it is indicated for Universal Groups that can include members or objects "from any domain within the forest".
      Domain local Groups can include accounts, global groups and Universal groups "from any domain" (with no regard to forest).

      If you analyze how to token is made, it's explain all the restrictions on groups scope. Universal Groups membership is inserted for all the token for a user and can be used almost anywhere except for Global Groups because Grobal Groups membership is eveluated before universal groups.

      There are many sites that just paste or repeat Microsoft documentation without precising Trusted between forests. I have not found yet a site that document correctly group scope between domains with forest trust.

      You can find another table similar to this one but it has the same scope for Domain Local with members from a trusted external domain (missing universal groups) and that site is wrong for global groups with members from another domain in the same forest (it indicated members while it shoud indicate N/A).
      Also, on that site, it missing UG as member of UG.
      At the bottom, there is a comment from gafat on June 12, 2013 at 11:53 am who correctly noted these elements (but not UG Under Domain Local).

      The simplest thing to do is to test UG as member of DLG from a trusted external domain (what I did).

    4. If you read Microsoft documentation for Windows 2000 and Windows 2003, there is never limitation indicated for UG members of DLG from a trusted external domain.

      Microsoft documentation is not well documentd in regards to trusted external domain.
      Windows 2000 documentation ( indicates for Local Groups and Domain Local Groups can have members from anywhere in the forest, from trusted domains in other forests, and from trusted down-level domains.

      Windows 2003 documentation never indicate restrictions for Universal groups included under Domain Local. Domain Local can include as membes "Universal groups from any domain" (no restriction of forest).

      All the groups nesting scope is explained by to token creation process.

      Global groups can only have domain objects (Users, Computers and GG) because it is evaluadte first at logon and no other information is known at that time (no UG or no DLG or no LG).
      Global groups can be nesting in any other groups because it is evaluate first and insert to all token (except for UG when not of same forest because UG is contructed at the forest level).
      Universal groups membership is evaluated after helped by the global catalog so it can contain Users, Computers, GG and nested UG but only from the same forest (sharing the same global catalog). It cannot contain object from other forests because these information is not known at that time.

      Domain local (and local) can contain any objects from other domains and forest because it is contructed at the time a ressource is accessed. It can only contain DL groups from same domain because DLG are not known to other domains.

      I have not found yet clear information for external trusted domains (or forests) since all of the site just repeat Microsoft information not very well documented.

      I like your table because it is simple and clear.

      I have also found another table at
      But it contains 3 other mistakes (look at the last comment from gafat on June 12, 2013) - Addis is right.)

      Verifying UG nesting in Local or DLG from trusted external is simple in virtualization.

    5. You are correct. Thank you for information.