Microsoft Administering Windows Server Hybrid Core Infrastructure AZ-800 Question # 23 Topic 3 Discussion
Which groups can you add to Group3 and Group5? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
In the Windows Server Hybrid Core Infrastructure objectives for Active Directory group design, group scope and type determine valid membership and usage. The study guidance for group scopes states that a Domain Local group is used to assign permissions in its own domain and “can contain accounts, computer objects, global groups from any domain, and universal groups; it can also contain other domain local groups from the same domain only.” Security-type restrictions also apply: “Security groups can contain only security principals; distribution groups cannot be nested into security groups for access control.”
Applying these rules to Group3 (contoso.com Domain Local Security): it can accept security groups of compatible scopes. From the lists, Group1 (contoso.com Universal Security) and Group2 (contoso.com Global Security) are valid. Distribution groups (Group4, Group5, Group6) are not valid members of a security group used for authorization. Therefore, Group3 ⇒ Group1 and Group2 only.
For Group5 (canada.contoso.com Global Distribution), the scope rule for Global groups is: “Global groups can include user accounts and other global groups from the same domain only; they cannot include universal or domain local groups.” Hence, the only eligible group from the same domain and scope is Group4 (canada.contoso.com Global Distribution). Group6 is domain local (invalid), and cross-domain globals (Group2) are not permitted. Therefore, Group5 ⇒ Group4 only.
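The nesting rules applied above, as an added example that is not part of the original page: a small Python model that checks each candidate against the scope rules and against the type restriction as this explanation states it. The `Group` class, the function names and Group6's domain are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str
    domain: str
    scope: str     # "Universal", "Global" or "DomainLocal"
    category: str  # "Security" or "Distribution"

# Groups as the explanation describes them. Group6's domain is not given on
# the page; the value below is an assumption and does not change the result.
GROUPS = [
    Group("Group1", "contoso.com", "Universal", "Security"),
    Group("Group2", "contoso.com", "Global", "Security"),
    Group("Group3", "contoso.com", "DomainLocal", "Security"),
    Group("Group4", "canada.contoso.com", "Global", "Distribution"),
    Group("Group5", "canada.contoso.com", "Global", "Distribution"),
    Group("Group6", "canada.contoso.com", "DomainLocal", "Distribution"),
]

def scope_allows(parent: Group, member: Group) -> bool:
    """Group-in-group scope rules within one forest."""
    same_domain = parent.domain == member.domain
    if parent.scope == "DomainLocal":
        # Global/universal groups from any domain; domain local from own domain only.
        return member.scope in ("Global", "Universal") or same_domain
    if parent.scope == "Global":
        # Only global groups from the same domain.
        return member.scope == "Global" and same_domain
    if parent.scope == "Universal":
        # Global and universal groups, never domain local.
        return member.scope in ("Global", "Universal")
    raise ValueError(f"unknown scope: {parent.scope}")

def type_allows(parent: Group, member: Group) -> bool:
    """Type restriction as quoted in the explanation above:
    a security group does not take a distribution group as a member."""
    return not (parent.category == "Security" and member.category == "Distribution")

def eligible_members(parent_name: str, groups=GROUPS) -> list:
    """Names of the groups that pass both checks for the given parent."""
    parent = next(g for g in groups if g.name == parent_name)
    return sorted(g.name for g in groups
                  if g.name != parent.name
                  and scope_allows(parent, g) and type_allows(parent, g))

if __name__ == "__main__":
    for target in ("Group3", "Group5"):
        print(target, "<=", eligible_members(target))
```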