Universal groups, global groups, local groups

Post by Lisa Lomba

If I connect/bind to a domain and want to programmatically
add a universal group to a user on that domain, will that

Can adding and removing of members of a universal group only
be done on a catalog server?

Can I add a user to local groups, global groups and
universal groups from one connection to a domain?

What is the scope of a universal group?
of a global group?
of a local group?

And how does adding and removing these types of groups from
a user's group membership differ?



Post by Richard Mu

Also, adding and removing users from groups is the same for all types. The
only difference is that adding/removing from Universal groups can involve more
network traffic and replication issues. Best practice to reduce replication
traffic is to only make groups members of Universal groups. A summary:

Global Groups
Mixed Mode: user accounts from same domain
Native Mode: user accounts and global groups from same domain
Member of
Mixed Mode: Domain Local groups
Native Mode: Universal and domain local groups in any domain
and global groups in same domain
Scope - Visible in own domain and all trusted domains
Permissions (can be assigned permission for) - All domains in forest

Domain Local Groups
Mixed Mode: users and global groups from any domain
Native Mode: users, global groups, and universal groups from any domain
in the forest, and domain local groups from the same domain
Member Of
Mixed Mode: None
Native Mode: Domain local groups in same domain
Scope - Only visible in own domain
Permissions - Domain in which the group exists

Universal Groups
Mixed Mode: Cannot have Universal groups
Native Mode: users, global groups, and other universal groups
from any domain in forest
Member Of
Mixed Mode: NA
Native Mode: Domain local and universal groups in any domain
Scope - Visible in all domains in forest
Permissions - All domains in forest.

When groups are created, all types are identical, except for the value of
the groupType attribute, which indicates whether the group is Domain Local,
Global, Built-in, or Universal. groupType also indicates if the group is a
security or distribution group.
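
As an added illustration of the groupType attribute and the membership summary in the reply above (not code from either poster), this Python sketch decodes a groupType value and checks a proposed nesting against that summary. The function names and the rule table layout are assumptions made for the example; the bit values are the documented Active Directory groupType flags.

```python
# Added example: groupType bit flags as documented for Active Directory.
BUILTIN = 0x00000001           # system-created (Built-in) group
GLOBAL = 0x00000002
DOMAIN_LOCAL = 0x00000004
UNIVERSAL = 0x00000008
SECURITY_ENABLED = 0x80000000  # set = security group, clear = distribution

SCOPES = {GLOBAL: "global", DOMAIN_LOCAL: "domain local", UNIVERSAL: "universal"}


def decode_group_type(value):
    """Return (scope, is_security, is_builtin) for a groupType value.

    LDAP returns groupType as a signed 32-bit integer, so security groups
    arrive as negative numbers; mask to 32 bits before testing flags.
    """
    bits = int(value) & 0xFFFFFFFF
    scopes = [name for flag, name in SCOPES.items() if bits & flag]
    if len(scopes) != 1:
        raise ValueError(f"groupType {value!r} does not carry exactly one scope flag")
    return scopes[0], bool(bits & SECURITY_ENABLED), bool(bits & BUILTIN)


# Membership rules transcribed from the summary in the post.
# Key: (mode, container scope) -> {member kind: "same" or "any" domain}
RULES = {
    ("mixed", "global"): {"user": "same"},
    ("mixed", "domain local"): {"user": "any", "global": "any"},
    ("native", "global"): {"user": "same", "global": "same"},
    ("native", "domain local"): {"user": "any", "global": "any",
                                 "universal": "any", "domain local": "same"},
    ("native", "universal"): {"user": "any", "global": "any", "universal": "any"},
}


def may_contain(container_group_type, member_kind, same_domain, mode="native"):
    """True if the post's summary allows member_kind inside the container.

    member_kind is "user" or a scope name returned by decode_group_type.
    """
    scope, _, _ = decode_group_type(container_group_type)
    allowed = RULES.get((mode, scope), {}).get(member_kind)
    return allowed == "any" or (allowed == "same" and bool(same_domain))
```

A global security group is stored as -2147483646 and a universal security group as -2147483640, which is why the value is masked before the flags are tested.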

