Active Directory Group Concepts

Windows 2000 Active Directory presents a number of different group options not found in the NT domain environment. The two biggest changes are the different types/scopes of groups that now exist, as well as the ability to nest groups. Group accounts for domain users are again created in Active Directory Users and Computers

First, understand that there are two types of groups: security and distribution. Distribution groups exist for the purpose of sending email, and do not have a SID. Security groups do have a SID, and as such can be used to assign permissions and rights via access control lists and policy settings.

Secondly, there are three scopes of groups: domain local, global, and universal. A quick overview of each:

Domain Local groups: domain local groups are similar to local groups in NT 4, except that they can be applied to any system within a domain, not just on the system where the group exists (since domain local groups actually reside in the AD database). These groups are usually used to assign permissions to resources.

Global groups: global groups are very similar to those found in an NT 4 domain. They are still collections of users with common needs.

Universal groups: universal groups are totally new in Windows 2000. A universal group can contain users from any domain in an AD forest. Similar to global groups, they are used as collections of users with common needs or characteristics. Only an member of the Enterprise Admins group can create a universal group.

If the option to create a Universal group is not available, this is because my domain is still in Mixed Mode. Universal groups can only be created in Native Mode. The ability to nest groups is also new to Windows 2000, and is also only available in Native Mode. Nesting refers to the ability to place a group into a group of the same type – for example placing a global group into a global group. The table below outlines group membership rules for domains in Native Mode.

Domain Local: May contain users from any domain, global groups from any domain, universal groups, domain local groups from the same domain. Can only be used to access resources in the same domain.

Global: May contain Users from same domain, global groups from same domain. Can be used to access resources in any domain.

Universal: May contain users from any domain, global groups from any domain, universal groups. Can be used to access resources in any domain.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.