A. Three group scopes are available in Windows 2000 and later domains (the group type, security or distribution, is a separate property and applies to all three scopes).

  • Global--A global group can contain user and computer accounts only from its own domain. If you set the domain level to Win2K native or later, global groups can also contain other global groups from the same domain. A global group can be granted permissions in any domain in the forest (and in any trusting domain), which is why it is the right place to collect accounts.
  • Domain local--A domain local group is used to assign permissions to resources in its own domain. In Win2K mixed mode the group can be used only on domain controllers (DCs); for member servers you'd still use the server's own local groups. In native mode it can be used on any member server or workstation in the domain. Domain local groups can contain users, computers and global groups from any domain in the forest (and from any trusted domain). If you set the domain level to Win2K native or later, domain local groups can also contain universal groups and other domain local groups from the same domain.
  • Universal--A universal group is available only in Win2K native mode and later. The group object still lives in one domain, but its membership is published to the Global Catalog (GC), so it is usable throughout the forest: universal groups can contain users, computers and global groups from any domain in the forest, plus other universal groups, and you can grant a universal group access to any resource in any domain in the forest.

Take care when using universal groups because Active Directory (AD) stores their membership in the GC. In a Windows 2000 forest, the group's member attribute replicates as a single value, so adding or removing one member replicates the entire membership list to every GC in the forest (at the Windows Server 2003 forest functional level, linked-value replication sends only the changed members, which cuts the replication traffic considerably). Therefore, the best policy is to place only global groups in a universal group, never individual accounts: users come and go from the global group in their own domain, and the universal group's membership rarely changes. This is the AGUDLP pattern: Accounts go into Global groups, global groups into Universal groups, universal groups into Domain Local groups, and the domain local group receives the Permission on the resource.
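The following is an added PowerShell example, not code from the original article. It builds one AGUDLP chain and then audits every universal group for direct user or computer members, which is the membership that triggers the replication cost described above. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later, so a newer environment than the Win2K one the article discusses), a hypothetical OU `OU=Groups,DC=corp,DC=example`, hypothetical group names, and a hypothetical account `jdoe`.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is installed and you hold rights to create groups in the target OU.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example'   # assumed OU; adjust to your environment

# A -> G: accounts go into a global group in their own domain
New-ADGroup -Name 'Sales-Users'   -GroupScope Global      -GroupCategory Security -Path $ou
# G -> U: the universal group holds only global groups, so its membership
#         (and therefore the GC replica of it) almost never changes
New-ADGroup -Name 'Sales-All'     -GroupScope Universal   -GroupCategory Security -Path $ou
# U -> DL: the domain local group is what receives the permission on the resource
New-ADGroup -Name 'FS01-Sales-RW' -GroupScope DomainLocal -GroupCategory Security -Path $ou

Add-ADGroupMember -Identity 'Sales-Users'   -Members 'jdoe'          # assumed sAMAccountName
Add-ADGroupMember -Identity 'Sales-All'     -Members 'Sales-Users'   # global groups only
Add-ADGroupMember -Identity 'FS01-Sales-RW' -Members 'Sales-All'
# Grant the NTFS/share permission to FS01-Sales-RW on the resource, not to the
# universal or global group.

# Check: list universal groups that contain user or computer accounts directly.
# Each change to such a group pushes its full member list to every GC in a
# Windows 2000 forest, so these are the groups to refactor onto global groups.
Get-ADGroup -Filter 'GroupScope -eq "Universal"' |
    ForEach-Object {
        $direct = Get-ADGroupMember -Identity $_ |
                  Where-Object { $_.objectClass -in 'user', 'computer' }
        if ($direct) {
            [pscustomobject]@{
                UniversalGroup = $_.Name
                DirectAccounts = ($direct.SamAccountName -join ', ')
            }
        }
    }
```

Run the audit part on its own against an existing forest before changing anything; a universal group that shows up in its output is a candidate for the global-group indirection. Note that Get-ADGroupMember is capped by the AD Web Services MaxGroupOrMemberEntries limit (5000 by default), so a very large universal group may need the member attribute read directly instead.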