Distinct group forms, which are rather easy to understand, group scopes can be annoying to those to working with Windows Server 2003 and Active Directory. The range of group identifies level to which group is applied during domain tree or forest. There are four group scopes:

Local groups

Local groups can have user accounts from local machine, user accounts from domain the local machine is connected to, or user accounts from any trusted domains of the domain the machine is connected to. Only local groups can run permissions for local resources.

Domain local groups

Domain local groups contain other groups and user or PC accounts from Server 2003, 2000 Server, and NT domains. Authorizations for only domain in which group is defined can be allocated to domain local groups.

Global groups

Global groups have other groups and user accounts from domain in which group is described. Permissions for every domain in forest can be allocated to global groups.

Universal groups

Universal groups have other groups and user accounts from every domain in domain tree or forest. Authorizations for every domain in domain tree can be allocated to universal groups. These are only accessible if domain functional level is put to Windows 2000 native mode.