Hi All,
I was studying (now passed) for the Microsoft Identity with Windows Server 2016 (70-742) exam. When I got to studying Group Scopes, I found the group scope table within the Active Directory Security Groups article from Microsoft unclear and very hard to memorise.
I am a visual learner and tried to find a diagram to depict the scopes of each group. Unfortunately I was unable to find one so had to create my own. This has been ready helpful to me for memorising Active Directory Security Group Scopes and thought it might help others.
NOTE: There is a difference between the Scope conversion from Universal to Domain Local in my diagram versus the Microsoft Documentation. The Microsoft documentation for Universal Group conversion says “Can be converted to Domain Local scope” (i.e. no restrictions), however another user pointed out (see feedback at bottom of article) that this is wrong. I have tested this in my own lab and a Universal group can ONLY be converted to Domain Local scope if the Universal group is not a member of any other Universal groups.
Group Scope Diagram
The diagram below shows the membership a group can contain, where it can be used to assign permissions and possible scope conversions.
Group Scope Descriptions
Below I have listed the scope of Global, Universal and Domain Local groups. I have included a screenshot of what you see when you select the Location to search when adding members to the respective group type. Again, this helped me visualise where you can add members from.
Global Group Scope
Can Include As Members:
- Accounts from the same domain
- Global Groups from the same domain
Can Be Assigned Permissions In:
- Any domain in the same forest, or trusting domains or forests
Group Scope Can Be Converted To:
- Can be converted to Universal scope if the group is not a member of any other Global groups
Universal Group Scope
Can Include As Members:
- Accounts from any domain in the same forest
- Global groups from any domain in the same forest
- Universal groups from any domain in the same forest
Can Be Assigned Permissions In:
- Any domain in the same forest or trusting forests
Group Scope Can Be Converted To:
- Can be converted to Domain Local scope if the group is not a member of any other Universal groups
- Can be converted to Global scope if the group does not contain any other Universal groups
Domain Local Group Scope
Can Include As Members:
- Accounts from any domain or any trusted domain/forest
- Global groups from any domain or any trusted domain/forest
- Universal groups from any domain or any trusted domain/forest
- Domain Local groups from the same domain (as itself)
Can Be Assigned Permissions In:
- The same domain (as itself)
Group Scope Can Be Converted To:
- Can be converted to Universal scope if the group does not contain any other Domain Local groups
Disclaimer: The table provided by Microsoft is somewhat confusing in some of the terminology used, especially around group membership from different domains. I have used the Microsoft site, other blogs along with testing in my own lab to confirm where possible the information in this post and diagram is correct.
I hope this is of help to others,
Edd