Unlike group types, which are fairly simple to understand, group scopes can be frustrating to those new to working with Windows Server and Active Directory. The scope of the group identifies the extent to which the group is applied throughout the domain tree or forest. There are four group scopes:
Local groups
Local groups can contain user accounts from the local machine, user accounts from the domain the local machine is joined to, or user accounts from any trusted domains of the domain the machine is joined to. Only local groups can manage permissions for local resources (local to a single machine).
Domain local groups
Domain local groups can include other groups and user/computer accounts from Windows Server domains. Domain local groups can be assigned permissions only for the domain in which the group is defined.
Global groups
Global groups can include other groups and user/computer accounts from only the domain in which the group is defined. Global groups can be assigned permissions for any domain in the forest.
Universal groups
Universal groups can include other groups and user/computer accounts from any domain in the domain tree or forest. Universal groups can be assigned permissions for any domain in the domain tree or forest.
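As an added example (not part of the original text), the script below encodes the domain local, global and universal rules as stated above and audits membership and permission records against them. The forest, group names and share paths are constructed for illustration, and the per-machine local scope is left out.

```python
from dataclasses import dataclass

# Constructed forest; every name in this example is hypothetical.
FOREST = {"corp.example", "eu.corp.example"}

@dataclass(frozen=True)
class Group:
    name: str
    scope: str   # "domain_local", "global" or "universal"
    domain: str  # domain in which the group is defined

def may_contain(group, member_domain):
    """Membership rule for each scope, as stated in the text."""
    if group.scope == "global":
        return member_domain == group.domain  # own domain only
    if group.scope == "universal":
        return member_domain in FOREST        # any domain in the forest
    if group.scope == "domain_local":
        return True                           # accounts from any domain
    raise ValueError(f"unknown scope: {group.scope}")

def may_be_granted(group, resource_domain):
    """Permission-assignment rule for each scope, as stated in the text."""
    if group.scope == "domain_local":
        return resource_domain == group.domain  # defining domain only
    if group.scope in ("global", "universal"):
        return resource_domain in FOREST        # any domain in the forest
    raise ValueError(f"unknown scope: {group.scope}")

def audit(memberships, grants):
    """Return one finding per record that breaks a scope rule."""
    bad = [f"{g.name} ({g.scope}): member {m} from {d} is out of scope"
           for g, m, d in memberships if not may_contain(g, d)]
    bad += [f"{g.name} ({g.scope}): cannot hold permissions on {r} in {d}"
            for g, r, d in grants if not may_be_granted(g, d)]
    return bad

# Constructed sample records, not taken from a real directory.
GG_SALES = Group("GG-Sales", "global", "corp.example")
DL_SHARE = Group("DL-Share-RW", "domain_local", "corp.example")
UG_AUDIT = Group("UG-Auditors", "universal", "corp.example")
MEMBERSHIPS = [(GG_SALES, "alice", "corp.example"),
               (GG_SALES, "bob", "eu.corp.example"),
               (UG_AUDIT, "carol", "eu.corp.example")]
GRANTS = [(DL_SHARE, r"\\fs01\share", "corp.example"),
          (DL_SHARE, r"\\fs02\share", "eu.corp.example"),
          (GG_SALES, r"\\fs02\reports", "eu.corp.example")]

if __name__ == "__main__":
    print("\n".join(audit(MEMBERSHIPS, GRANTS)))
```

The two findings it reports are the global group with a member from another domain and the domain local group placed on a resource outside its own domain.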