Pretty simple. All Domain Global groups are replicated to all GCs in the forest; Domain Local groups are replicated only to domain-level DCs. Also, Domain Local groups allow for individual member accounts (in them) from other domains, whereas Domain Global groups do not.

An example of impact to GPO Administrators: there is the built-in Domain Global group named Group Policy Creator Owners. As a Domain Global group, it cannot contain user accounts which reside in a different domain. Effectively, this means that a GPO Admin in one domain cannot easily create GPOs in a different domain (same forest) without (a) being in the domain Administrators group or (b) having a second account in that (or each separate) domain. Our security policies do not allow simple GPO Administrators either (a) or (b). Early on, we had to create a Domain Local group and provide that group the same permissions (as the global group already has) to the ..\System\Policies container and to the ..\SYSVOL\Policies folder to get around this limitation. Most of the security group filters for our GPOs are Domain Local as well.
In the interest of passing on knowledge, I offer the following (it's not GPO-'specific' stuff, so, sorry ahead of time; I do hope some find it useful):

Windows Restrictions on Group Membership Based upon Group Type
(Each cell reads "Distribution groups / Security groups" of the scope named in the column heading.)

  Type           Scope                | Can Contain   | Can Contain   | Can Contain
                                      | Domain Local  | Domain Global | Universal
  ---------------------------------------------------------------------------------
  Domain Local   Distribution Groups  | Yes / Yes     | Yes / Yes     | Yes / Yes
  Domain Local   Security Groups      | Yes / Yes     | Yes / Yes     | Yes / Yes
  Domain Global  Distribution Groups  | No / No       | Yes / Yes     | No / No
  Domain Global  Security Groups      | No / No       | Yes / Yes     | No / No
  Universal      Distribution Groups  | No / No       | Yes / Yes     | Yes / Yes
  Universal      Security Groups      | No / No       | Yes / Yes     | Yes / Yes

Examples:
- A Domain Local Security group can contain a Domain Global Security group.
- A Domain Global Security group can NOT contain a Domain Local Security group.

Windows Restrictions on Group Membership Based upon Domain (Users/Computers and Domain Locals)
(Applies to both Distribution and Security groups.)

  Group Type            | Can Contain Users and       | Can Contain Domain Local
                        | Computers from              | Groups from
                        | Same Domain | Different Dom | Same Domain | Different Dom
  ---------------------------------------------------------------------------------
  Domain Local Groups   | Yes         | Yes           | Yes         | No
  Domain Global Groups  | Yes         | No            | No          | No
  Universal Groups      | Yes         | Yes           | No          | No

Examples:
- A Domain Local Security group can contain Users and Computers from a different domain.
- A Domain Global Security group can NOT contain Users and Computers from a different domain.

Windows Restrictions on Group Membership Based upon Domain (Domain Global and Universal)
(Applies to both Distribution and Security groups.)

  Group Type            | Can Contain Domain Global   | Can Contain Universal
                        | Groups from                 | Groups from
                        | Same Domain | Different Dom | Same Domain | Different Dom
  ---------------------------------------------------------------------------------
  Domain Local Groups   | Yes         | Yes           | Yes         | Yes
  Domain Global Groups  | Yes         | No            | No          | No
  Universal Groups      | Yes         | Yes           | Yes         | Yes

Examples:
- A Domain Local Security group can contain Universal groups from a different domain.
- A Domain Global Security group can NOT contain Universal groups from the same domain.

Windows Security Group Conversion Rules
- Security Groups can be converted to Distribution Groups.
- Distribution Groups can be converted to Security Groups.
- A Domain Local group can be converted to a Universal group only if it is not already a member of another Domain Local group.
- A Domain Global group can be converted to a Universal group only if it does not contain any other Domain Global groups.
- A Universal group can be converted to either a Domain Local group or a Domain Global group.

HINT: Let's say that you've created a Domain Global Security group and fully populated it. Then you realize that you should have created it as a Domain Local Security group. First convert it to a Universal Security group, then convert the Universal Security group to a Domain Local Security group.

Jerry Cruz | Group Policies Product Manager | Windows Infrastructure Architecture | Boeing IT
Office 425-865-6755 | Mobile 425-591-6491

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of rpo
Sent: Tuesday, November 18, 2008 4:45 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: handling remote desktop

Hi guys, I appreciate all the suggestions. Jerry, your particular setup is just amazing, although since our business is only 1000 workstations in size, I think I will be sticking to a simpler setup and just use the restricted groups via GPO.

On a side note, I must say that even after reading a few articles, I can't figure out the point of domain local groups vs. domain global groups. We don't use local groups here, only global.

daniel.
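The Global -> Universal -> Domain Local hop from the HINT above, as an added example that is not part of the original thread, with the thread's conversion rules checked before each step. It assumes the ActiveDirectory (RSAT) module, rights to modify the group, and a hypothetical group named 'GPO-Admins'.

```powershell
# Added example, not from the original thread: perform the Global -> Universal ->
# Domain Local scope change described in the HINT, refusing to proceed when one
# of the thread's conversion rules would block a step. Requires the
# ActiveDirectory (RSAT) module. 'GPO-Admins' is a hypothetical group name.
Import-Module ActiveDirectory

function Get-ScopeChangeBlocker {
    # Returns the groups that block the requested scope change, or nothing if
    # the change is allowed. Encodes the rules from the thread:
    #   Domain Local -> Universal: not while a member of another Domain Local group
    #   Global       -> Universal: not while it contains another Global group
    #   Universal    -> Domain Local or Global: allowed
    param(
        [Parameter(Mandatory)]$Group,
        [Parameter(Mandatory)][ValidateSet('DomainLocal','Global','Universal')][string]$TargetScope
    )
    $g = Get-ADGroup -Identity $Group -Properties GroupScope, memberOf
    switch ("$($g.GroupScope)->$TargetScope") {
        'DomainLocal->Universal' {
            $g.memberOf | ForEach-Object { Get-ADGroup -Identity $_ -Properties GroupScope } |
                Where-Object { $_.GroupScope -eq 'DomainLocal' }
        }
        'Global->Universal' {
            Get-ADGroupMember -Identity $g |
                Where-Object { $_.objectClass -eq 'group' } |
                ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName -Properties GroupScope } |
                Where-Object { $_.GroupScope -eq 'Global' }
        }
        'Universal->DomainLocal' { }
        'Universal->Global'      { }
        default {
            throw "Cannot change $($g.Name) from $($g.GroupScope) to $TargetScope directly; go through Universal."
        }
    }
}

function Convert-ToDomainLocal {
    # Global -> Universal -> DomainLocal. A scope change does not alter the
    # group's SID, so existing ACLs and GPO security filtering keep working.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)

    $g = Get-ADGroup -Identity $Identity -Properties GroupScope
    if ($g.GroupScope -eq 'Global') {
        $blockers = @(Get-ScopeChangeBlocker -Group $g -TargetScope Universal)
        if ($blockers.Count -gt 0) {
            throw "Remove nested Global groups first: $($blockers.Name -join ', ')"
        }
        if ($PSCmdlet.ShouldProcess($g.Name, 'Change scope Global -> Universal')) {
            Set-ADGroup -Identity $g -GroupScope Universal
        }
    }
    if ($g.GroupScope -ne 'DomainLocal' -and
        $PSCmdlet.ShouldProcess($g.Name, 'Change scope Universal -> DomainLocal')) {
        Set-ADGroup -Identity $g -GroupScope DomainLocal
    }
    Get-ADGroup -Identity $g -Properties GroupScope
}

# Dry run first (-WhatIf prints the two steps without changing anything), then for real.
Convert-ToDomainLocal -Identity 'GPO-Admins' -WhatIf
Convert-ToDomainLocal -Identity 'GPO-Admins'
```

Two things to keep in mind when running this: while the group sits at Universal scope its membership is replicated to every global catalog in the forest, and after the final step it can hold accounts from other domains, which is the reason for the change but also widens who can be added to it.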
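The workaround described in the first message (a Domain Local group given the same permissions that Group Policy Creator Owners already has on the Policies container and the SYSVOL Policies folder), as an added example that is not part of the original thread. It assumes the ActiveDirectory module, rights to change both ACLs, and a hypothetical Domain Local group named 'GPO-Creators-DL'.

```powershell
# Added example, not from the original thread: copy every explicit ACE that
# Group Policy Creator Owners holds on CN=Policies,CN=System,<domain> and on
# \\<domain>\SYSVOL\<domain>\Policies to a Domain Local group, so GPO admins
# from other domains can be made members of it. 'GPO-Creators-DL' is a
# hypothetical group name; both paths are derived from Get-ADDomain.
Import-Module ActiveDirectory

function Copy-AcesToGroup {
    # Adds to $Path, for $TargetSid, a copy of each non-inherited ACE that
    # $SourceSid holds there. Handles both AD: provider paths and file paths.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$SourceSid,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$TargetSid
    )
    $acl = Get-Acl -Path $Path
    $copied = 0
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }            # only explicit ACEs are copied
        $id = $ace.IdentityReference
        if ($id -isnot [System.Security.Principal.SecurityIdentifier]) {
            try { $id = $id.Translate([System.Security.Principal.SecurityIdentifier]) }
            catch { continue }                        # unresolvable (orphaned) SID, skip
        }
        if ($id.Value -ne $SourceSid.Value) { continue }
        if ($ace -is [System.DirectoryServices.ActiveDirectoryAccessRule]) {
            $new = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $TargetSid, $ace.ActiveDirectoryRights, $ace.AccessControlType,
                $ace.ObjectType, $ace.InheritanceType, $ace.InheritedObjectType)
        } else {
            $new = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $TargetSid, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
        }
        $acl.AddAccessRule($new)
        $copied++
    }
    if ($copied -eq 0) {
        Write-Warning "No explicit ACEs for $SourceSid found on $Path; nothing to copy"
        return
    }
    if ($PSCmdlet.ShouldProcess($Path, "add $copied ACE(s) for $TargetSid")) {
        Set-Acl -Path $Path -AclObject $acl
    }
}

$domain = Get-ADDomain
$src = Get-ADGroup -Identity 'Group Policy Creator Owners'
$dst = Get-ADGroup -Identity 'GPO-Creators-DL' -Properties GroupScope
if ($dst.GroupScope -ne 'DomainLocal') {
    # The whole point of the workaround: only a Domain Local group can hold
    # accounts from other domains in the forest.
    throw "$($dst.Name) must be a Domain Local group"
}

# The two locations named in the thread.
$adPath = "AD:\CN=Policies,CN=System,$($domain.DistinguishedName)"
$fsPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"

# Review with -WhatIf, then drop it to apply.
Copy-AcesToGroup -Path $adPath -SourceSid $src.SID -TargetSid $dst.SID -WhatIf
Copy-AcesToGroup -Path $fsPath -SourceSid $src.SID -TargetSid $dst.SID -WhatIf
```

Run it on a domain controller or a host with the AD: drive available, as an account allowed to write both security descriptors (Set-Acl on the SYSVOL folder writes the owner field back as well, so a caller who is neither the owner nor holds the restore privilege will get an access-denied error). The directory ACE replicates with the domain partition and the folder ACE with SYSVOL, so both reach every DC without further work. Verify afterwards with Get-Acl on each path that the new group holds exactly the rights the built-in group holds and nothing broader.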