Active Directory Group types: universal groups, global groups, domain local groups
I had been demonstrating how to manage the creation and automation of Active Directory security groups and distribution lists for months before I realized that I had no idea what the differences were between the three types of Active Directory groups: universal groups (UG), global groups (GG), and domain local groups (DLG). I asked around, poked around the web and found that nobody is really 100% clear on it. Or at least the ones that would talk to me.
With a little work I dug out enough info for this cheatsheet on Active Directory groups:
Universal Group:
Can contain users, computers, global groups and universal groups from any domain in the same forest. Membership crosses domain boundaries inside the forest without any extra trust configuration, but it cannot reach outside the forest. Can be a member of domain local groups or other universal groups, but NOT of global groups. Note that universal group membership is stored in the global catalog, so every membership change replicates forest-wide.
Global Group:
Can contain users, computers and other global groups from the same domain only; NOT universal groups, NOT domain local groups, and nothing from another domain. Can be a member of global groups in the same domain, and of universal groups or domain local groups in any domain of the forest or in any trusting domain.
Domain Local Group:
Can contain users, computers, global groups and universal groups from any domain in the forest and from any trusted domain, plus domain local groups from the same domain. Can only be a member of other domain local groups in the same domain, and can only be granted permissions on resources in its own domain.
The short answer is that domain local groups are the only group type that can contain members from outside the forest (accounts and global groups from an externally trusted domain), which is why they are the natural place to assign resource permissions. Use global groups to collect the accounts that need to travel across a trust, and universal groups when everything stays inside one forest and trust is not a concern.
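To make the nesting rules concrete, here is an added PowerShell example (not code from the original post) that creates one group of each scope in a lab domain and attempts each nesting. AD enforces the scope rules itself, so the forbidden combinations surface as errors rather than silently succeeding. A second function lists domain local groups that contain foreign security principals, which is where members from outside the forest appear. The OU path, domain name and group names are assumed for the demo; running it needs the RSAT ActiveDirectory module and rights to create groups in that OU.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module, rights to create groups, and a test OU. The OU, domain and group
# names below are made up for the demo.
Import-Module ActiveDirectory

$ou = 'OU=GroupScopeDemo,DC=corp,DC=example'   # assumed test OU

# One security group of each scope. -GroupScope accepts Global, Universal, DomainLocal.
New-ADGroup -Name 'Demo-GG'  -GroupScope Global      -GroupCategory Security -Path $ou
New-ADGroup -Name 'Demo-UG'  -GroupScope Universal   -GroupCategory Security -Path $ou
New-ADGroup -Name 'Demo-DLG' -GroupScope DomainLocal -GroupCategory Security -Path $ou

# Try to nest $Child inside $Parent and report whether AD accepted it.
# A scope violation is a terminating error once -ErrorAction Stop is set.
function Test-Nesting {
    param([string]$Parent, [string]$Child)
    try {
        Add-ADGroupMember -Identity $Parent -Members $Child -ErrorAction Stop
        '{0} -> {1}: allowed' -f $Child, $Parent
    } catch {
        '{0} -> {1}: rejected ({2})' -f $Child, $Parent, $_.Exception.Message
    }
}

# The three nestings the cheatsheet allows...
Test-Nesting -Parent 'Demo-UG'  -Child 'Demo-GG'    # global into universal
Test-Nesting -Parent 'Demo-DLG' -Child 'Demo-UG'    # universal into domain local
Test-Nesting -Parent 'Demo-DLG' -Child 'Demo-GG'    # global into domain local

# ...and the three it forbids, each of which AD rejects.
Test-Nesting -Parent 'Demo-GG'  -Child 'Demo-UG'    # universal into global
Test-Nesting -Parent 'Demo-GG'  -Child 'Demo-DLG'   # domain local into global
Test-Nesting -Parent 'Demo-UG'  -Child 'Demo-DLG'   # domain local into universal

# Members from outside the forest are represented by foreignSecurityPrincipal
# objects under CN=ForeignSecurityPrincipals,<domain>. Only domain local groups
# can hold them, so this reports every such group and its foreign members.
# Reading the raw member DNs avoids Get-ADGroupMember failing when the trusted
# domain is unreachable.
function Get-DomainLocalGroupsWithForeignMembers {
    Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"' -Properties member |
        ForEach-Object {
            $foreign = @($_.member | Where-Object { $_ -like '*CN=ForeignSecurityPrincipals,*' })
            if ($foreign.Count -gt 0) {
                [pscustomobject]@{
                    Group          = $_.SamAccountName
                    ForeignMembers = $foreign
                }
            }
        }
}

Get-DomainLocalGroupsWithForeignMembers | Format-List

# Clean up the demo groups; delete the containers last so no membership lingers.
'Demo-DLG', 'Demo-UG', 'Demo-GG' |
    ForEach-Object { Remove-ADGroup -Identity $_ -Confirm:$false }
```

Run it in a throwaway test domain rather than production: it creates and deletes groups, and the audit function reads every domain local group's member attribute, which can be slow in a large directory.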
Disclaimer: this might still be wrong. But nobody has disputed it yet; thankfully, with good comments, I can always edit the blog post if I have something wrong.