In Active Directory, there are two types of groups:
Each type of group has a scope that determines the following:
Each type of group can have one of the following scopes:
| Scope | Member Location | Permissions | Group Membership in Other Groups |
|---|---|---|---|
| Universal | Group members can be Universal groups, Global groups, and users from any domain in the forest. | Can be used to grant access in any domain in a forest. | Can be members of Domain Local and Universal groups in any domain in the forest. |
| Global | Group members can be Global groups and users located in the same domain as the group. | Can be used to grant access in any domain in a forest. | Can be members of Global, Domain Local, and Universal groups in any domain in the forest. |
| Domain Local | Group members can be Universal groups, Global groups, and users from any domain in the forest. Members can also be Domain Local groups from the same domain. | Can only be used to grant access to the domain where the group resides. | Can only be a member of other Domain Local groups within the domain. |
Group type and scope are not required attributes; however, if you do not specify group type and scope, Active Directory creates a security group with global scope.
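The scope rules in the table, and the default described above, can be checked before a group change is submitted. The following Python code is an added example, not code from CA or the product: it decodes the Active Directory `groupType` attribute (flag values taken from Microsoft's schema documentation, not from this page) and rejects planned group nestings that the Member Location column does not allow. The group names, domains, and function names are constructed for illustration.

```python
# Added example (not product code): groupType decoding plus a nesting pre-check.
SECURITY_ENABLED = 0x80000000
SCOPE_FLAGS = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}

# "Member Location" column: group scope -> member kind -> cross-domain allowed?
ALLOWED_MEMBERS = {
    "Universal": {"Universal": True, "Global": True, "User": True},
    "Global": {"Global": False, "User": False},
    "Domain Local": {"Universal": True, "Global": True, "User": True,
                     "Domain Local": False},
}

def decode_group_type(raw):
    """Return (type, scope) for groupType as LDAP returns it (signed 32-bit)."""
    value = int(raw) & 0xFFFFFFFF
    scopes = [name for bit, name in SCOPE_FLAGS.items() if value & bit]
    if len(scopes) != 1:
        raise ValueError(f"groupType {raw!r} must set exactly one scope flag")
    return ("Security" if value & SECURITY_ENABLED else "Distribution", scopes[0])

def can_nest(member_kind, member_domain, group_scope, group_domain):
    """True if the table allows this member in a group of the given scope."""
    cross_domain_ok = ALLOWED_MEMBERS[group_scope].get(member_kind)
    if cross_domain_ok is None:  # member kind is never allowed in this scope
        return False
    return cross_domain_ok or member_domain.lower() == group_domain.lower()

def check_planned_nestings(groups, nestings):
    """Return the (member, group) pairs that the scope rules reject."""
    rejected = []
    for member, group in nestings:
        m_domain, m_raw = groups[member]
        g_domain, g_raw = groups[group]
        m_scope, g_scope = decode_group_type(m_raw)[1], decode_group_type(g_raw)[1]
        if not can_nest(m_scope, m_domain, g_scope, g_domain):
            rejected.append((member, group))
    return rejected

# Constructed sample data: group name -> (domain, groupType string from LDAP).
GROUPS = {
    "HR-Global": ("corp.example", "-2147483646"),     # security, global (the default)
    "Sales-Global": ("emea.example", "-2147483646"),  # security, global
    "Files-DL": ("corp.example", "-2147483644"),      # security, domain local
    "All-Staff-U": ("corp.example", "-2147483640"),   # security, universal
    "News-DL": ("emea.example", "4"),                 # distribution, domain local
}
PLANNED = [("HR-Global", "Files-DL"), ("Sales-Global", "HR-Global"), ("Files-DL", "All-Staff-U"),
           ("All-Staff-U", "Files-DL"), ("Files-DL", "News-DL")]
print(check_planned_nestings(GROUPS, PLANNED))
```

The value `-2147483646` is how LDAP reports a security group with global scope, which is the group Active Directory creates when type and scope are not specified.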
To create groups of a different type, you can create a custom logical attribute handler. See the chapter on Logical Attributes in the Programming Guide for Java.
Once you have configured these Active Directory features, proceed to the next step: Create an Admin Task.
Copyright © 2011 CA. All rights reserved.