Group Scope
There are three types of groups in Windows Server 2003: Universal Scope, Global Scope, and Domain Local Scope.
Universal Scope groups can includes groups and accounts from any domain in the domain tree or forest and can be assigned permissions in any domain or forest. You can use Universal Scope groups to consolidate groups across multiple domains. For example, if you have Asia and US as two domains in your AD environment and have a global scope group, GMarketing, in each domain, you can create a UMarketing Universal Scope group which contains both of the GMarketing groups.
Universal Groups are replicated across domains, however, Global Groups inside them are not replicated. You should only use Universal Groups for groups that do not change frequently to decrease replication traffic.
Global group members can include other groups and user accounts only from the domain in which the group is defined and can be assigned permissions in any domain in the forest.
Global Groups should be used for most security functions. Global Scope groups will be your most commonly used group – containing users and computer accounts and using these groups for security access permissions. We recommend a common naming scheme among domains – for example if you have GOperations in your Asia domain, you should have the Operations group named GOperations in the US domain. Global groups do not replicate outside their own domain.
Domain Local groups include groups or accounts from Windows Server 2003, Windows 2000, or Windows NT domains and can be assigned permissions only within a domain. You can also use Domain Local groups for security access within a single domain.
Group Naming Schemes
We recommend you create a standard naming scheme for your groups. This standard can be anything you desire, in our examples, we use G, D, and U at the beginning of the group name to specify Global, Domain Local, and Universal groups. For example:
GMarketing – Marketing users Global group
UAdmins – Universal group for the system administrators
DPayroll – Domain Local group for payroll users