This article compares using domain local groups and domain global groups in the Active Directory directory service for a Microsoft BizTalk Server 2004 server group.
A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain where the domain local group is located.
A global group is a group that can be used in its own domain, in member servers and workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions, and the global group can become a member of local groups. However, a global group can contain only user accounts from its own domain.
A universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest. Universal groups are not supported.
If you plan to use one domain for all your servers and no Wide Area Network (WAN) exists, we recommend that you use domain local groups. For a local domain, the global catalog is not used.
Note: The Electronic Data Interchange (EDI) adapter is not designed to be configured for domain local groups. It must be configured for domain global groups.
If you plan to have a multiple-domain topology, and the following conditions are true, we recommend that you use domain global groups:
- The SQL Server-based server is in a data center.
- You have a perimeter network (also known as DMZ, demilitarized zone, and screened subnet).
For information about Windows Group and User Accounts in BizTalk Server, visit the following Microsoft Developer Network Web site: