Active Directory Groups

Local or Machine Local Groups

  • You can't insert local groups into local groups
  • A local group can contain any of the three domain-based group types: global, domain local and universal

Universal Groups

  • Universal groups are not available in Windows 2000 mixed mode, or in Windows Server 2003 at the Windows 2000 mixed functional level.

Best Practice for Multiple Forests

This information was taken from the following MS whitepaper: Additional Configuration for Functionality Across Forests (Multiple Forest Considerations in Windows 2000 and Windows Server 2003)

  • To represent the sets of users who need access to the same type of resources, create role-based in every domain and forest that contains these users.
  • Create universal that correspond to the .
  • Add multiple to a universal group so that you can assign permissions to related resources in multiple forests.
  • Create resource-based in every domain for the resources in that domain that need to be accessed from outside the forest.
  • Add universal (or in mixed-mode domains) from all such forests to the across the organization, and use the to assign permissions on the resources within the respective domains.
  • When a new user account needs access to a resource in a different forest, add the account to the respective group. When a new resource needs to be shared across forests, add the appropriate group to the ACL for that resource. In this way, access is enabled for resources on the basis of group membership.
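As an added example (not from the whitepaper or the original page), the following PowerShell function checks the last point above for a given resource: whether a user's access on the ACL resolves through group membership, and through which group, or whether a direct user ACE bypasses the group model. It assumes the RSAT ActiveDirectory module, runs in the domain hosting the resource, and the function name and sample path are hypothetical.

```powershell
# Added example: audit whether a user's access to a resource is granted through
# group membership (as the practice above requires) or via a direct user ACE.
# Assumes the RSAT ActiveDirectory module; run from the domain hosting the resource.
# Test-GroupBasedAccess and the sample path below are hypothetical names.
Import-Module ActiveDirectory

function Test-GroupBasedAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,           # e.g. a shared folder
        [Parameter(Mandatory)] [string] $SamAccountName  # user account to check
    )
    $user    = Get-ADUser -Identity $SamAccountName
    $userSid = $user.SID.Value
    $acl     = Get-Acl -Path $Path

    foreach ($ace in $acl.Access) {
        # Compare by SID so the result does not depend on how the ACE identity is displayed.
        try {
            $aceSid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable (orphaned) SID; nothing to expand

        if ($aceSid -eq $userSid) {
            # A direct user ACE contradicts the group-based model described above.
            [pscustomobject]@{ Identity = $ace.IdentityReference
                               Rights   = $ace.FileSystemRights
                               Via      = 'DIRECT USER ACE' }
            continue
        }

        $group = Get-ADGroup -Filter "SID -eq '$aceSid'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }   # built-in or machine-local principal, not an AD group

        # Expand nested membership so the role -> universal -> resource group chain is followed.
        # Note: -Recursive cannot expand members that live in another forest
        # (they appear as foreign security principals), so those paths report no match here.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
        if ($members.SID.Value -contains $userSid) {
            [pscustomobject]@{ Identity = $ace.IdentityReference
                               Rights   = $ace.FileSystemRights
                               Via      = "group $($group.Name)" }
        }
    }
}

# Usage: show how 'jdoe' obtains access to the share and flag any direct user ACEs.
Test-GroupBasedAccess -Path '\\fileserver\Projects' -SamAccountName 'jdoe' |
    Format-Table -AutoSize
```

Rows marked DIRECT USER ACE are the ones to fix by moving the permission onto the appropriate group; an empty result for a user who does have access usually means the membership path runs through another forest and must be checked from that side.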