Active Directory Add Universal Group To Global Group

Used To Assign Permissions To Related Resources In Multiple Domains.

Active directory defines the following three group scopes: A global group can be used to assign permissions for access to resources in any domain. The table below was taken straight from microsoft technet and it gives the whole story of the rules for group scope:

Web Domain Local Groups Domain Local Security Groups Are Most Often Used To Assign Permissions For Access To Resources.

Objgroup.put “grouptype”, ads_group_type_global_group or ads_group_type_security_enabled Global groups can grant access to anything, including files/folders in any domain. Web if we wanted to convert the group to a global security group we would simply need to define the constant ads_group_type_global_group and then use this code:

Members Can Be Added Only From The Domain In Which The Global Group Was Created.

The illustration above shows that users (also computers) of domain a can become members of one or more universal groups of domain b. Web add user and computer accounts to a global group. Universal groups groups with universal scope are used for consolidating groups across domains.

Global Groups From The Same Domain As The Parent Global Group

Global group to universal group: In the create group screen, specify the following values: Web universal groups from any domain within the forest in which this universal group resides;

The Group Can Be Universal Or Global And I Have Error.

Web universal groups are meant to be a bridge between domains and forests, allowing global groups to be given permissions in other domains and forests with greater ease and without having to search a separate domain for the global group when adding it to a domain local group. Add the global group to a universal group. This group can have members only from it's own domain.