
Active Directory: Groups

Distribution Groups

  • These cannot be used in ACLs (access control lists) or to assign permissions of any sort, and are therefore ill-suited for anything other than creating a list of users to whom you might want to, say, send email.  If in doubt, use a security group instead.

Security Groups
There are different types of security group.  Note that the type simply defines the scope and replication.

  • Universal: Objects in this group type are replicated to other domain trees within the forest.  Note that global catalog servers have to replicate this information, so heavy use is not encouraged.  Can contain users or groups from any domain.  See note (1).
  • Global: Can only contain objects within the domain.
  • Domain Local: Can contain objects from any domain, but are used to control access only to local resources.  See note (2).

(1) – In Server 2008 we now have the UGMC (universal group membership caching) feature, which can counteract some of the overhead associated with using many universal groups.  This doesn’t mean it’s okay to ignore common sense and best practices though!

(2) – Domain local is best used to control access to resources.  Consider a file share: you create a domain local group called, for example, “Sales Share”, and grant that group read/write/whatever access to the share.  Note that this group is domain local.  Then, instead of modifying the share permissions to add all the associated users/groups, you simply add the sales groups from each relevant domain as members of this group.  When new sales people join or leave the company, your work is already done.
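
The pattern in note (2), sketched in PowerShell as an added example (not code from the original post). It assumes the ActiveDirectory module is available and that both domains are in the same forest; the domain names, OU, folder path and per-domain “Sales” groups are hypothetical, and it sets the folder's NTFS ACL rather than the share-level permissions.

```powershell
# Added example. Domain names, OU, folder path and group names are assumptions.
Import-Module ActiveDirectory

$resourceDomain = 'corp.example.com'                      # domain that hosts the share
$groupOu        = 'OU=Groups,DC=corp,DC=example,DC=com'   # where the new group lives
$folder         = 'D:\Shares\Sales'                       # folder behind the share
$salesGroups    = @{                                      # one "Sales" group per domain
    'corp.example.com' = 'Sales'
    'emea.example.com' = 'Sales'
}

# 1. Create the domain local *security* group that will carry the permission.
$dl = New-ADGroup -Name 'Sales Share' -SamAccountName 'Sales Share' `
        -GroupCategory Security -GroupScope DomainLocal `
        -Path $groupOu -Server $resourceDomain -PassThru

# 2. Grant that one group Modify rights on the folder. Referencing the SID
#    avoids a name lookup for a group that may not have replicated yet.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $dl.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Nest each domain's sales group inside it. Skip anything that is not a
#    global or universal security group: distribution groups cannot carry
#    permissions, and a domain local group from another domain cannot be nested.
foreach ($domain in $salesGroups.Keys) {
    $g = Get-ADGroup -Identity $salesGroups[$domain] -Server $domain
    if ($g.GroupCategory -ne 'Security' -or $g.GroupScope -eq 'DomainLocal') {
        Write-Warning "Skipping $($g.DistinguishedName): $($g.GroupCategory)/$($g.GroupScope)"
        continue
    }
    Add-ADGroupMember -Identity $dl -Members $g -Server $resourceDomain
}

# 4. Review the result: the folder ACL names one group, and that group's
#    members are the per-domain sales groups.
(Get-ADGroup -Identity $dl -Properties member -Server $resourceDomain).member
```

After this, joiners and leavers are handled by changing membership of the per-domain sales groups; the folder ACL itself does not change.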


In short:
  • Domain local – members can come from any domain, but the group can only be used to access local resources.
  • Global – members can only be from this domain, but the group can access resources in any domain.
  • Universal – replicated across the forest; members can be from any domain and the group can have access to resources in any domain.

Originally posted 2009-09-20 01:42:14.

© 2008-2010 Learn With Harv: Blog All Rights Reserved