Dear all, I have here a complicated questions, regarding the Active Directory Groups – in terms of Group Scope . I have here one forest, with multiple domain trees as following :- 1- XYZ.COM 2- A.XYZ.COM 3- B.XYZ.COM 4- C.XYZ.COM 5- TEL.COM 6- SA.TEL.COM 7- UK.TEL.COM And each one of the domains ( 1-4 ) are trusting each others . Each one of the Domains ( 5-7 ) are trusting each others. Domain ( XYZ.COM ) are Trust ( TEL.COM ). Now the questions needs to be corrected if I was wrong are the following :- 1- We have a printer called PRIN1, located on ( XYZ.COM ) and it is under this domain , we want to let some type of user in this domain only ( XYZ.com ) to access ( PRIN1 ) only, while we don’t want other users to access ( PRIN1 ) and be able to print. We configured a Group called ( GPRIN1 ) and it is scope is ( Domain Local Group ) , and we put under the ( Member ) TAB, all the users who required access to print on the Printer ( PRIN1 ), and under the TAP ( MEMBER OF ), we did not ADD anything. A) My question is, are we make it true in terms of ( Domain Local Group ) ? or not ? 2^nd question is including two parts as following:- First Part we have a printer called ( PRIN2 ) , located on ( A.XYZ.COM ) , and we want some specific users in Domain ( XYZ.COM ) to be able to print on ( PRIN2 ) only which is located on ( A.XYZ.COm ) . we asked the Admin in ( XYZ.COM ) to create a group called ( G1 ) and it is scope is ( Global Group ) , and add all the users who want them to be able to print on ( PRIN2 ) , under TAP ( MEMBERS ) only . under the TAP ( MEMBER OF ), we did not ADD anything. Part 2, the users on ( A.XYZ.COM ), want to be able to Print on ( PRIN2) as well, so we asked the admin of ( A.XYZ.COM ) to make a group name it ( DL1 ) and under the TAP (Member ), we asked him to add all the users from his local domain ( A.XYZ.COM ) and also he should put the Global Group of domain ( XYZ.COM ) which it is name is ( G1 ) under it. My question here, is Part 1 & Part 2 are corrected , or not ? But, I did not use any Universal Group. My 3^rd question is, when I can use it ? ------------------------------------ Please help me to understand it and what we did is correct or not.

The correct use of groups makes it a whole lot easier to manage resources. The combination of domain local and global groups can be used to achieve this goal. Users in the same domain are added to global groups. Global groups become members of Domain Local groups. Permissions and access to resources are added to Domain Local groups. Once the groups are all established, you simply need to add/remove users from the global groups. Understanding Active Directory Group Types and Scopes http://www.anitkb.com/2010/05/understanding-active-directory-group.html Visit: anITKB.com, an IT Knowledge Base.

Hi , You have to first create Domain Local group and add the Universal group to the domain local group, even though you can create user accounts under domain local group it is not advisory. Universal group enables you to provide access to users in multi-domain environment. so typically you can hav e domain local group --> universal group | global group.