Global groups can only contain groups and accounts from the domain in which
it resides. You would need to you a domain local group since it can contain
members from other domains. I've pasted the group scope info from Windows
2003, the same rules apply in Windows 2000. This info is available in Help.
Search on global group scope and you should find a topic entitled "Group
Scope"
Group scope
Groups, whether a security group or a distribution group, are characterized
by a scope that identifies the extent to which the group is applied in the
domain tree or forest. There are three group scopes: universal, global, and
domain local.
a.. Members of universal groups can include other groups and accounts from
any domain in the domain tree or forest and can be assigned permissions in
any domain in the domain tree or forest.
b.. Members of global groups can include other groups and accounts only
from the domain in which the group is defined and can be assigned
permissions in any domain in the forest.
c.. Members of domain local groups can include other groups and accounts
from Windows Server 2003, Windows 2000, or Windows NT domains and can be
assigned permissions only within a domain.
The following table summarizes the behaviors of the different group scopes.
Universal scope Global scope Domain local scope
When the domain functional level is set to Windows 2000 native or
Windows Server 2003, members of universal groups can include accounts,
global groups, and universal groups from any domain. When the domain
functional level is set to Windows 2000 native or Windows Server 2003,
members of global groups can include accounts and global groups from the
same domain. When the domain functional level is set to Windows 2000 native
or Windows Server 2003, members of domain local scope can include accounts,
global groups, and universal groups from any domain, as well as domain local
groups from the same domain.
When the domain functional level is set to Windows 2000 mixed,
security groups with universal scope cannot be created. When the domain
functional level is set to Windows 2000 mixed, members of global groups can
include accounts from the same domain. When the domain functional level is
set to Windows 2000 native or Windows Server 2003, members of domain local
groups can include accounts and global groups from any domain.
When the domain functional level is set to Windows 2000 native or
Windows Server 2003, groups can be added to other groups and assigned
permissions in any domain. Groups can be added to other groups and assigned
permissions in any domain. Groups can be added to other domain local groups
and assigned permissions only in the same domain.
Groups can be converted to domain local scope. Groups can be converted
to global scope, as long as no other universal groups exists as members.
Groups can be converted to universal scope, as long as the group is not a
member of any other group with global scope. Groups can be converted to
universal scope, as long as the group does not have as its member another
group with domain local scope.
When to use groups with domain local scope
Groups with domain local scope help you define and manage access to
resources within a single domain. These groups can have as their members:
a.. Groups with global scope
b.. Groups with universal scope
c.. Accounts
d.. Other groups with domain local scope
e.. A mixture of any of the above
For example, to give five users access to a particular printer, you could
add all five user accounts in the printer permissions list. If, however, you
later want to give the five users access to a new printer, you would again
have to specify all five accounts in the permissions list for the new
printer.
With a little planning, you can simplify this routine administrative task by
creating a group with domain local scope and assigning it permission to
access the printer. Put the five user accounts in a group with global scope
and add this group to the group having domain local scope. When you want to
give the five users access to a new printer, assign the group with domain
local scope permission to access the new printer. All members of the group
with global scope automatically receive access to the new printer.
When to use groups with global scope
Use groups with global scope to manage directory objects that require daily
maintenance, such as user and computer accounts. Because groups with global
scope are not replicated outside of their own domain, accounts in a group
having global scope can be changed frequently without generating replication
traffic to the global catalog. For more information about groups and
replication, see How replication works.
Although rights and permissions assignments are valid only within the domain
in which they are assigned, by applying groups with global scope uniformly
across the appropriate domains, you can consolidate references to accounts
with similar purposes. This will simplify and rationalize group management
across domains. For example, in a network with two domains, Europe and
UnitedStates, if there is a group with global scope called GLAccounting in
the UnitedStates domain, there should also be a group called GLAccounting in
the Europe domain (unless the accounting function does not exist in the
Europe domain).
It is strongly recommended that you use global groups or universal groups
instead of domain local groups when specifying permissions on domain
directory objects replicated to the global catalog. For more information,
see Global catalog replication.
When to use groups with universal scope
Use groups with universal scope to consolidate groups that span domains. To
do this, add the accounts to groups with global scope and nest these groups
within groups having universal scope. Using this strategy, any membership
changes in the groups having global scope do not affect the groups with
universal scope.
For example, in a network with two domains, Europe and UnitedStates, and a
group having global scope called GLAccounting in each domain, create a group
with universal scope called UAccounting to have as its members the two
GLAccounting groups, UnitedStates\GLAccounting and Europe\GLAccounting. The
UAccounting group can then be used anywhere in the enterprise. Any changes
in the membership of the individual GLAccounting groups will not cause
replication of the UAccounting group.
The membership of a group with universal scope should not change frequently,
since any changes to these group memberships cause the entire membership of
the group to be replicated to every global catalog in the forest. For more
information about universal groups and replication, see Global catalog and
replication.
Changing group scope
When creating a new group, by default, the new group is configured as a
security group with global scope regardless of the current domain functional
level. Although changing a group scope is not allowed in domains with a
domain functional level set to Windows 2000 mixed, the following conversions
are allowed in domains with the domain functional level set to Windows 2000
native or Windows Server 2003:
a.. Global to universal. This is only allowed if the group you want to
change is not a member of another global scope group.
b.. Domain local to universal. This is only allowed if the group you want
to change does not have another domain local group as a member.
c.. Universal to global. This is only allowed if the group you want to
change does not have another universal group as a member.
d.. Universal to domain local. No restrictions for this operation.
For more information, see To change group scope.
Groups on client computers and stand-alone servers
Some group features, such as universal groups, group nesting, and the
distinction between security groups and distribution groups, are available
only on Active Directory domain controllers and member servers. Group
accounts on Windows 2000 Professional, Windows XP Professional, Windows 2000
Server, and stand-alone servers running Windows Server 2003 work the same
way as in Windows NT 4.0:
a.. Only local groups can be created locally on the computer.
b.. A local group created on one of these computers can be assigned
permissions only on that one computer.
For more information, see Default local groups.
--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
