General Group and Domain Question
Hello All,

I am studying for my MCSE. I am trying to make sure I grasp the latest chapter I am on regarding groups and the explanation about domains. I do apologize if these are stupid questions, but I would appreciate any feedback that you can provide.

Domain Local, Universal, and Global Groups.

This is what I understand a domain to be. A domain is basically a group of computers that is managed through Active Directory, and a forest is a group of domains and a tree is a group of forests.

A Global Group is a security or distribution group that can be used inside any domain within the forest.

A Universal Group is a security or distribution group; it is the same thing, it sounds like, so that is where I am having trouble.

A Domain Local is a security or distribution group that can only be used within its domain.

I understand what a security group and a distribution group are. A security group basically gives a user rights to do stuff on the network, and you need a global or universal group if that user wanted to, let's say, write a file to the N drive that happens to be in another office which was in the same forest but in a different domain. Distribution just has to do with a user's email, I take it.

Is this a pretty good understanding of what is going on? If not, I would appreciate any kind of help to better get a grasp on this stuff.
October 16th, 2008 10:17pm

I am sorry, I should have posted this in Training. I apologize for that.
October 16th, 2008 10:20pm

Hi,

To better understand the difference between groups, firstly, I think you should distinguish the scope of these groups.

Each security and distribution group has a scope that identifies the extent to which the group is applied in the domain tree or forest. There are three different scopes: universal, global, and domain local.

Groups with universal scope can have as their members groups and accounts from any Windows 2000 domain in the domain tree or forest and can be granted permissions in any domain in the domain tree or forest. Groups with universal scope are referred to as universal groups.

Groups with global scope can have as their members groups and accounts only from the domain in which the group is defined and can be granted permissions in any domain in the forest. Groups with a global scope are referred to as global groups.

Groups with domain local scope can have as their members groups and accounts from a Windows 2000 or Windows NT domain and can be used to grant permissions only within a domain. Groups with a domain local scope are referred to as domain local groups.

If you have multiple forests, users defined in only one forest cannot be placed into groups defined in another forest, and groups defined in only one forest cannot be assigned permissions in another forest.

For more information, please visit:

Examining Windows 2000 Group
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/dgbf_upg_jcik.mspx?mfr=true

Group scope
http://www.microsoft.com/windows/windows2000/en/advanced/help/sag_adgroups_3groupscopes.htm
October 17th, 2008 10:19am
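The scope rules in the reply above, applied to the "N drive in another domain" case from the question. This is an added example, not part of the original thread; it models only the membership and permission rules stated in that reply, and the forest, domain, user and group names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    forest: str
    scope: str = "user"  # "user", "global", "universal" or "domain_local"

def can_add_member(group, member):
    """Membership rule per scope, as stated in the reply above."""
    if group.scope == "user" or group.forest != member.forest:
        return False  # users hold no members; no membership across forests
    if group.scope == "global":
        return member.domain == group.domain  # own domain only
    return True  # universal / domain local: any domain in the forest

def can_grant(group, res_domain, res_forest):
    """Where a group of a given scope can be granted permissions."""
    if group.forest != res_forest:
        return False  # no permissions across forests
    if group.scope == "domain_local":
        return group.domain == res_domain  # only within its own domain
    return True  # global / universal: any domain in the forest

def has_access(user, memberships, acl, res_domain, res_forest):
    """memberships: (group, member) pairs; acl: groups listed on the resource.
    Pairs and ACL entries that break a scope rule are skipped."""
    reached, frontier = {user}, [user]
    while frontier:
        current = frontier.pop()
        for group, member in memberships:
            if (member == current and group not in reached
                    and can_add_member(group, member)):
                reached.add(group)
                frontier.append(group)
    return any(g in reached and can_grant(g, res_domain, res_forest) for g in acl)

# Constructed sample data: one forest, two domains; the "N drive" lives in WEST.
F = "corp.example"
alice = Principal("alice", "EAST", F)
east_writers = Principal("East-Writers", "EAST", F, "global")
east_local = Principal("East-Local", "EAST", F, "domain_local")
west_ndrive = Principal("West-NDrive-Write", "WEST", F, "domain_local")
west_global = Principal("West-Staff", "WEST", F, "global")
```

Nesting the EAST global group inside the WEST domain local group and putting only the domain local group on the share's ACL keeps the permission decision in the domain that owns the resource.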

Note: I'm re-posting my reply to your post in the Training forum.... =)

=================================

You have mixed up your trees and forests. And a bit more.

A domain can have, not just computers, but different types of objects as well. Basically, a domain is a collection of objects sharing a common directory database (Active Directory), the same namespace, and defined security policies and relationships. An example of a domain is microsoft.com.

A tree, on the other hand, is a group of domains connected together through transitive, bidirectional trust, sharing a common schema, configuration, global catalog and a contiguous namespace. The technet.microsoft.com, msdn.microsoft.com and microsoft.com domains form a domain tree (technet.microsoft.com and msdn.microsoft.com being child domains of microsoft.com).

A forest is a group of one or more Active Directory trees that trust each other (transitive bidirectional trust relationships) and share a common schema. When a forest is composed of multiple trees, the trees do not share a contiguous namespace. For example, the domain trees microsoft.com and msn.com may not share the same contiguous namespace but are in the same forest, as they share the same schema and have established trust relationships.

On the topic of users and groups, the following TechNet articles should provide you with a clear understanding of the scopes, types and their differences:

Understanding User and Group Accounts: http://technet.microsoft.com/en-us/library/bb726978.aspx

Understanding Groups: http://technet.microsoft.com/en-us/library/cc776995.aspx

Group Scope: http://technet.microsoft.com/en-us/library/cc755692.aspx

Regards,
Salvador Manaois III
MCSE MCSA CEH MCITP | Enterprise/Server Admin
Bytes & Badz : http://badzmanaois.blogspot.com
October 17th, 2008 10:30am

This topic is archived. No further replies will be accepted.