As an IT administrator, one of the most common tasks you are involved in is administering security groups in Active Directory. As with all things, keeping your security groups simple is always best but sometimes (especially in larger environments) it is important to use groups of differing scopes or ‘visibility’ to allow or disallow certain groups or objects to become members, etc.
A security group’s scope determines to what extent a group can be applied in the domain or forest. Sometimes remembering all the details of each scope can be difficult so here’s a great table which summarizes each scope in terms of which security objects can be listed as members, where the group can be assigned permissions and what other scopes the group can be converted to.
Group scope | Group can include as members… | Group can be assigned permissions in… | Group scope can be converted to… |
Universal |
|
Any domain or forest |
|
Global |
|
Member permissions can be assigned in any domain | Universal (as long as it is not a member of any other global groups) |
Domain local |
|
Member permissions can be assigned only within the same domain as the parent domain local group | Universal (as long as no other domain local groups exist as members) |
source: http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx