Active directory group scope – Domain local or Global?

Posted on

A server stack is the collection of software that forms the operational infrastructure on a given machine. In a computing context, a stack is an ordered pile. A server stack is one type of solution stack — an ordered selection of software that makes it possible to complete a particular task. Like in this post about Active directory group scope – Domain local or Global? was one problem in server stack that need for a solution. Below are some tips in manage your windows server when you find problem about windows, active-directory, windows-server-2016, subdomain, security-groups.

CONTOSO has offices in the UK and in the US. each country has its own domain, but the domains trust each other.

I have created a group in the AD in UK but if the group is set to global I cannot add US users to the group.

As soon as I change the group scope to domain local I can allow US users into the UK group.


why is it so?

Do I have to change the group to domain local in order to change the location to CONTOSO.COM instead of and be able to search in the US domain, and add US users to this group?

enter image description here

It is working as intended, the documentation says:

Possible members

Global Group

  • Accounts from the same domain
  • Other Global groups from the same domain

Domain Local Group

  • Accounts from any domain or any trusted domain
  • Global groups from any domain or any trusted domain
  • Universal groups from any domain in the same forest
  • Other Domain Local groups from the same domain
  • Accounts, Global groups, and Universal groups from other forests and from external domains

Leave a Reply

Your email address will not be published. Required fields are marked *