Active Directory: Differences between Domain Local, Global, Universal Groups

  • Domain Local Groups: can contain users from any domain, but they can only be used to grant access to resources that belong to the same domain where the group is created.
  • Global Groups: can ONLY contain users from a single domain – no external domains. These groups can be used in any trusted external domains from the ingress direction of external (consumer) to internal (source).
  • Universal Groups: may contain other local, global, or universal groups from the same domain, and they can be used by resources in any domain in the forest with trusts. Similar to Global, only users within the local domain can be added. However, unlike Global, Universal groups can be changed frequently without causing global catalog replication.

