Universal groups, global groups, local groups

Post by Lisa Lomba » Sun, 14 Sep 2003 00:25:53

If I connect/bind to a domain and want to programmatically
add a universal group to a user on that domain, will that

Can adding and removing of members of a universal group only
be done on a catalog server?

Can I add a user to local groups, global groups and
universal groups from one connection to a domain?

What is the scope of a universal group?
of a global group?
of a local group?

And how does adding and removing these types of groups from
a user's group membership differ?


Post by Richard Mu » Sun, 14 Sep 2003 03:08:25

Also, adding and removing users from groups is the same for all types. The
only difference is that adding/removing from Universal groups can involve more
network traffic and replication issues. Best practice to reduce replication
traffic is to only make groups members of Universal groups. A summary:

Global Groups
    Mixed Mode: user accounts from same domain
    Native Mode: user accounts and global groups from same domain
  Member Of
    Mixed Mode: Domain Local groups
    Native Mode: Universal and domain local groups in any domain
                 and global groups in same domain
  Scope - Visible in own domain and all trusted domains
  Permissions (can be assigned permission for) - All domains in forest

Domain Local Groups
    Mixed Mode: users and global groups from any domain
    Native Mode: users, global groups, and universal groups from any domain
                 in the forest, and domain local groups from the same domain
  Member Of
    Mixed Mode: None
    Native Mode: Domain local groups in same domain
  Scope - Only visible in own domain
  Permissions - Domain in which the group exists

Universal Groups
    Mixed Mode: Cannot have Universal groups
    Native Mode: users, global groups, and other universal groups
                 from any domain in forest
  Member Of
    Mixed Mode: NA
    Native Mode: Domain local and universal groups in any domain
  Scope - Visible in all domains in forest
  Permissions - All domains in forest.

When groups are created, all types are identical, except for the value of
the groupType attribute, which indicates whether the group is Domain Local,
Global, Built-in, or Universal. groupType also indicates if the group is a
security or distribution group.

Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
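
An added example, not part of the post above: decoding the groupType attribute and checking a proposed nesting against the membership rules in the summary. The flag values are those of ADS_GROUP_TYPE_ENUM; the function names, the RULES table layout and the sample values in the comments are assumptions made for this illustration.

```python
# groupType bit flags (ADS_GROUP_TYPE_ENUM)
BUILTIN = 0x00000001           # system-created; set together with DOMAIN_LOCAL
GLOBAL = 0x00000002
DOMAIN_LOCAL = 0x00000004
UNIVERSAL = 0x00000008
SECURITY_ENABLED = 0x80000000  # clear means distribution group


def decode_group_type(value):
    """Return (scope, kind) for a groupType value as read from the directory."""
    bits = value & 0xFFFFFFFF  # LDAP returns a signed 32-bit integer
    if bits & UNIVERSAL:
        scope = "universal"
    elif bits & GLOBAL:
        scope = "global"
    elif bits & DOMAIN_LOCAL:
        scope = "builtin" if bits & BUILTIN else "domain local"
    else:
        raise ValueError("no scope bit set in groupType %#x" % bits)
    kind = "security" if bits & SECURITY_ENABLED else "distribution"
    return scope, kind


# Allowed members per (group scope, domain mode), transcribed from the summary.
# "same" = member must be in the group's own domain, "any" = any domain.
RULES = {
    ("global", "mixed"): {"user": "same"},
    ("global", "native"): {"user": "same", "global": "same"},
    ("domain local", "mixed"): {"user": "any", "global": "any"},
    ("domain local", "native"): {"user": "any", "global": "any",
                                 "universal": "any", "domain local": "same"},
    ("universal", "native"): {"user": "any", "global": "any",
                              "universal": "any"},
}


def can_contain(group_type, member, same_domain, mode="native"):
    """True if a group with this groupType may hold the member.

    member is "user" or a group scope string. Universal groups in mixed
    mode and built-in groups have no entry in RULES and are rejected.
    """
    scope, _ = decode_group_type(group_type)
    where = RULES.get((scope, mode), {}).get(member)
    return where == "any" or (where == "same" and same_domain)


if __name__ == "__main__":
    # Constructed sample: -2147483640 is a universal security group
    print(decode_group_type(-2147483640))
    print(can_contain(-2147483640, "global", same_domain=False))
```
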