Active Directory Groups

After group type, you must consider group scope. In Windows 2000, there are three scopes of groups – domain local, global, and universal. An explanation of each is listed below:

Domain Local: These groups exist on domain controllers, and can be applied to any system in a domain. These groups should be used to apply permissions, similar to NT 4. The benefit is that unlike local groups from NT 4, these can all be created in Active Directory and then applied to any system. In Native mode, domain local groups can contain users (from any domain), global groups (from any domain), universal groups, and domain local groups from the same domain. Note that in Mixed mode, domain local groups can only contain global groups and users from any domain, similar to how things were in NT 4.

Global Groups: These groups are still meant as a way to group users with common needs. In Native mode, a global group can contain users from the same domain, as well as other global groups from the same domain. In Mixed mode, a global group may only contain users from the same domain.

Universal Groups: These only exist in Native mode, and can contain users or global groups from any domain in the entire forest. These reside on domain controllers designated as global catalog servers.

You did read the above correctly. Windows 2000 in Native mode does support group nesting, or placing global groups in global groups, for example. This is meant to provide an additional level of flexibility with respect to administration, but also the potential for confusion if groups are nested too deeply. My suggestion is to use same-scope group nesting sparingly. Also, you should note that Windows 2000 groups can also contain computer accounts – following the same rules as those listed for users above.

As far as creating groups is concerned, right-click the object in which you wish to create the group and choose New Group. Note that if the Universal group option is grayed out, that is a good indication of a domain still in Mixed mode. To view the membership of a group, go into the properties and view the Members tab. To view the groups that this group is a member of, simply choose the Member Of tab. A discussion of each of the built-in groups, and the rights associated with them, will be looked at in the Active Directory portion of the series.
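The containment rules above, together with the nesting caveat, can be checked mechanically. The following is an added example (not from the original article or any Microsoft tool) that models the Windows 2000 scope rules described here and resolves effective membership through nested groups, reporting nesting depth and stopping on circular nesting; the group and user names are constructed for illustration.

```python
def can_contain(mode, group_scope, group_domain, member_kind, member_scope, member_domain):
    """Return True if a group of group_scope in group_domain may hold the member.
    mode is 'native' or 'mixed'; scopes are 'domain_local', 'global', 'universal';
    member_kind is 'user' (computer accounts follow the same rules) or 'group'.
    Only the rules stated in the article are modelled."""
    same = group_domain == member_domain
    if mode == "mixed" and "universal" in (group_scope, member_scope):
        return False  # universal groups exist only in Native mode
    if member_kind == "user":
        return group_scope != "global" or same  # global groups: same-domain users only
    if group_scope == "domain_local":
        if mode == "mixed":
            return member_scope == "global"  # NT 4 style: global groups only
        return member_scope in ("global", "universal") or (
            member_scope == "domain_local" and same)
    if group_scope == "global":
        return mode == "native" and member_scope == "global" and same
    if group_scope == "universal":
        return member_scope == "global"  # global groups from any domain in the forest
    return False


def effective_members(groups, name, path=()):
    """Expand nested membership starting at group `name`.
    groups maps a group name to its direct members; names not in groups are users.
    Returns (set of users, deepest nesting level reached); path guards against
    circular nesting, which is otherwise easy to create once nesting is allowed."""
    if name in path:
        return set(), 0  # circular nesting: this branch has already been expanded
    users, max_depth = set(), len(path)
    for member in groups.get(name, []):
        if member in groups:
            sub_users, sub_depth = effective_members(groups, member, path + (name,))
            users |= sub_users
            max_depth = max(max_depth, sub_depth)
        else:
            users.add(member)
    return users, max_depth


# Constructed sample: a domain local group used for permissions, global groups
# nested inside it, and a deliberate cycle (G-Sales-East contains G-Sales).
SAMPLE_GROUPS = {
    "DL-FileShare-Modify": ["G-Sales", "G-Marketing"],
    "G-Sales": ["alice", "G-Sales-East"],
    "G-Sales-East": ["bob", "G-Sales"],
    "G-Marketing": ["carol"],
}
```

Running `effective_members(SAMPLE_GROUPS, "DL-FileShare-Modify")` yields the three users and a nesting depth of 2 without looping on the cycle, which is the kind of check worth running before trusting what the Members tab shows for a deeply nested group.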

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.