Windows has always supported groups. The model used by Windows NT 4.0 and earlier is simple compared with the group model used by Windows Server 2003 and Windows 2000. Here are the main differences between the two group models:

  • Windows 2003 and Win2K support two group types: security groups and distribution groups. NT 4.0 and earlier support only security groups.
  • Windows 2003 and Win2K support three group scopes: universal, global, and local. Windows 2003 and Win2K also support two flavors of the local group scope: domain local and system local. NT4 only supports the global and system local group scopes. The introduction of the universal scope is a direct consequence of the Active Directory (AD) Global Catalog (GC), which is a domain controller (DC) feature that makes the AD objects and a subset of their attributes in a domain available to the DCs of the other domains in a Windows 2003 or Win2K forest.
  • In Windows 2003 and Win2K, you can change a group's type and scope after the group is created. In NT 4.0 and earlier, changing the type and scope isn't possible.
  • In Windows 2003 and Win2K, you can nest groups of the same scope and type. NT 4.0 and earlier supports only the nesting of global groups into system local groups.