This article was previously published under Q231273
Windows 2000 and later extends the Microsoft Windows NT 4.0 concept of user groups by adding Universal and Distribution groups. In Windows NT 4.0, there are only Global and Local groups, and both are considered Security groups.
In Windows 2000 and later, there are two types of groups: Security and Distribution. In addition, there are three scopes: Universal, Global, and Domain Local.
Types of Groups
Security groups are used to control access to resources. They can also be used as e-mail distribution lists.
Distribution groups can be used only for e-mail distribution lists, or simple administrative groupings. These groups cannot be used for access control because they are not "security enabled."In Native-mode domains, a group type can be converted at any time. In Mixed-mode domains, a group's type is fixed at the time of creation and cannot be changed.
Types of Scope
Universal groups can be used anywhere in the same Windows forest. They are only available in a Native-mode enterprise. Universal groups may be an easier approach for some administrators because there are no intrinsic limitations on their use. Users can be directly assigned to Universal groups, they can be nested, and they can be used directly with access-control lists to denote access permissions in any domain in the enterprise.
Universal groups are stored in the global catalog (GC); this means that all changes made to these groups engender replication to all global catalog servers in the entire enterprise. Changes to universal groups must therefore be made only after a careful examination of the benefits of universal groups as compared to the cost of the increased global catalog replication load. If an organization has but a single, well-connected LAN, no performance degradation should be experienced, while widely dispersed sites might experience a significant impact. Typically, organizations using WANs should use Universal groups only for relatively static groups in which memberships change rarely.
Global groups are the primary scope of groups into which users are placed in Mixed-mode domains. Global groups can be placed only in the security descriptors of resource objects that reside in the same domain. This means that you cannot restrict access to an object based solely on user membership in a global group from another domain.
Global group membership for a user is evaluated when that user logs on to a domain. Because global group membership is domain-centric, changes in global group membership do not impose global catalog replication throughout an entire enterprise.
In a Native-mode domain, global groups can be nested within each other. This may be useful when administrators have nested organizational units, and want to delegate Organizational Unit (OU) administrative functionality in a gracefully decreasing manner down an OU tree. In this situation, a global group tree can be used as a parallel construct, for the assignment of such decreasing privileges
Domain Local groups can be used for the direct assignment of access policies on specific resources that are not directly stored in Active Directory, (such as file server shares, printer queues, and so on).
Domain Local groups should not be used to assign permissions on Active Directory objects, because Domain Local groups cannot be evaluated in other domains, and parts of most Active Directory objects get replicated to other domains in the form of the GC. Access restrictions placed on Active Directory objects that are based on Domain Local group membership have no effect on GC queries that take place in groups other than the domain in which the Domain Local group originated.