Saturday, February 22, 2020

AD DS - Domain Local, Global and Universal Groups

Domain-local groups

Use domain-local groups to manage access to resources or to assign management responsibilities (rights) within the domain. Domain-local groups can include any user in the forest. They can also include users and groups from trusted forests and domains.
The default Builtin container at the domain level includes many domain-local groups. Some of the most important are Account Operators, Administrators, Backup Operators, Print Operators, and Server Operators.
Screenshot of the Builtin container showing many different domain local groups including those identified in the text.

Global Groups

Use global groups to collect similar users
Global groups are primarily used to consolidate users who have similar characteristics. For example, global groups are often used to consolidate users who are part of a department or geographic location. The Users container has several interesting global groups including Domain Admins, Domain Computers and Domain Users.
Screenshot showing the Users container. Many different Global groups are shown including those identified in the text.

Universal Groups

Universal groups span multiple domains
Universal groups are used primarily in multi-domain networks because they combine the characteristics of both domain-local groups and global groups. Properties of universal groups are propagated to the global catalog and are made available across the enterprise network on all domain controllers that host the global catalog role. This makes universal groups' membership lists more accessible, which is useful in multi-domain scenarios. For example, if a universal group is used for email distribution purposes, the process for determining the membership list typically is quicker in distributed multi-domain networks.
The default Users container has several universal groups, including Enterprise Admins and Schema Admins.
Screenshot of the Users container. Different universal groups are shown including those identified in the text.
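
How the directory records the three scopes described above, as an added example that is not part of the original post: Active Directory stores a group's scope and type as bit flags in its groupType attribute, and this Python code decodes exported values and compares the default groups named in the post against the scope the post gives them. The sample records, the function names and the group "All Staff Mail" are constructed for illustration.

```python
# groupType flag bits (Active Directory schema attribute "groupType").
BUILTIN = 0x00000001       # group created by the system (Builtin container)
GLOBAL = 0x00000002
DOMAIN_LOCAL = 0x00000004
UNIVERSAL = 0x00000008
SECURITY = 0x80000000      # set = security group, clear = distribution group
SCOPES = {GLOBAL: "Global", DOMAIN_LOCAL: "DomainLocal", UNIVERSAL: "Universal"}

# Default groups named in the article, with the scope the article gives them.
ARTICLE_SCOPE = {
    **dict.fromkeys(["Account Operators", "Administrators", "Backup Operators",
                     "Print Operators", "Server Operators"], "DomainLocal"),
    **dict.fromkeys(["Domain Admins", "Domain Computers", "Domain Users"], "Global"),
    **dict.fromkeys(["Enterprise Admins", "Schema Admins"], "Universal"),
}

def decode_group_type(raw):
    """Return (scope, kind, builtin) for a groupType value as LDAP returns it."""
    value = int(raw) & 0xFFFFFFFF   # stored as signed 32-bit; normalise to unsigned
    bits = [b for b in SCOPES if value & b]
    if len(bits) != 1:
        raise ValueError(f"groupType {raw!r} does not set exactly one scope bit")
    kind = "Security" if value & SECURITY else "Distribution"
    return SCOPES[bits[0]], kind, bool(value & BUILTIN)

def audit(records):
    """Decode (name, groupType) pairs; note scopes that differ from the article."""
    report = []
    for name, raw in records:
        scope, kind, _ = decode_group_type(raw)
        expected = ARTICLE_SCOPE.get(name)
        note = "" if expected in (None, scope) else f"expected {expected}"
        report.append((name, scope, kind, note))
    return report

# Constructed sample export (name, groupType), not taken from a real directory.
SAMPLE = [
    ("Administrators", "-2147483643"),
    ("Domain Admins", "-2147483646"),
    ("Enterprise Admins", "-2147483640"),
    ("Schema Admins", "-2147483646"),     # constructed mismatch: Global, not Universal
    ("All Staff Mail", "8"),              # hypothetical universal distribution group
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("{:<18} {:<12} {:<13} {}".format(*row))
```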
