
Group Scope & Delegation

Understand Global, Universal, and DomainLocal groups

Intermediate · ~14 min · contoso.com

Step 1 of 8

Group Scope Matters

AD has three group scopes that control where a group can be used and what it can contain:

  • Global — can only contain objects from the same domain; can be used anywhere in the forest
  • Universal — can contain objects from any domain; can be used anywhere; replicated to the Global Catalog
  • DomainLocal — can contain objects from any domain; can only be used in the local domain

The best-practice nesting strategy is IGDLA: Identities → Global groups → DomainLocal groups → Access.
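To make the scope rules concrete, here is an added example (not part of the original lab) that encodes the documented containment and usage rules for each scope and walks a group's nesting to flag invalid membership and IGDLA deviations. It goes slightly beyond the bullets above by using Microsoft's full nesting table (for instance, a DomainLocal group may contain other DomainLocal groups only from its own domain). The child domain, user and group names are constructed sample data.

```python
from dataclasses import dataclass, field

GLOBAL, UNIVERSAL, DOMAIN_LOCAL, USER = "Global", "Universal", "DomainLocal", "User"

@dataclass
class ADObject:
    name: str
    domain: str
    scope: str                            # GLOBAL, UNIVERSAL, DOMAIN_LOCAL or USER
    members: list = field(default_factory=list)

def can_contain(container, member):
    """Membership rules per scope (Microsoft docs, native domain functional level)."""
    same = container.domain == member.domain
    if container.scope == GLOBAL:          # same-domain users and Global groups only
        return same and member.scope in (USER, GLOBAL)
    if container.scope == UNIVERSAL:       # anything except DomainLocal, from any domain
        return member.scope in (USER, GLOBAL, UNIVERSAL)
    if container.scope == DOMAIN_LOCAL:    # any domain; DomainLocal only from its own domain
        return member.scope != DOMAIN_LOCAL or same
    return False                           # users contain nothing

def usable_in(group, resource_domain):
    """Where an ACE or role can reference the group: DomainLocal is home-domain only."""
    return group.scope != DOMAIN_LOCAL or group.domain == resource_domain

def audit(resource_group, resource_domain):
    """Walk nesting from a resource group; report invalid nesting and IGDLA deviations."""
    findings = []
    if not usable_in(resource_group, resource_domain):
        findings.append(f"{resource_group.name} cannot be used in {resource_domain}")
    def walk(group, seen):
        for m in group.members:
            if not can_contain(group, m):
                findings.append(f"invalid: {group.name} ({group.scope}) cannot contain {m.name} ({m.scope}, {m.domain})")
            if group.scope == DOMAIN_LOCAL and m.scope == USER:
                findings.append(f"IGDLA: user {m.name} placed directly in DomainLocal {group.name}")
            if m.scope != USER and m.name not in seen:   # guard against nesting cycles
                seen.add(m.name)
                walk(m, seen)
    walk(resource_group, {resource_group.name})
    return findings

def run_sample():
    """Constructed sample forest: contoso.com plus a hypothetical child domain."""
    alice = ADObject("alice", "contoso.com", USER)
    bob = ADObject("bob", "child.contoso.com", USER)
    it_support = ADObject("IT Support", "contoso.com", GLOBAL, [alice, bob])
    fs_admins = ADObject("FS01-Admins", "contoso.com", DOMAIN_LOCAL, [it_support, alice])
    return audit(fs_admins, "contoso.com")

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Running it reports the cross-domain user inside the Global group and the user added straight into the DomainLocal group, the two deviations the IGDLA chain is meant to prevent.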


Objectives

  • Enumerate Group Scopes
  • Delegated Server Access
  • IT Support Team
  • Universal Scope — Enterprise Admins
  • Spot Stale Membership
  • Confirm the Risk

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.