There was an unfortunate layout error in Active Directory, 4th Edition which caused the tables in Chapter 2 which explain group nesting to have the column headings over the wrong columns. This of course changes the meaning and makes the tables less than helpful. I’ve gone ahead and pasted the tables and captions below with the correct column headings.
| Can contain domain local | Can contain domain global | Can contain universal | |||||
|---|---|---|---|---|---|---|---|
| Scope | Type | Distribution groups | Security groups | Distribution groups | Security groups | Distribution groups | Security groups |
| Domain local | Distribution groups | Yes | Yes | Yes | Yes | Yes | Yes |
| Security groups | Yes | Yes | Yes | Yes | Yes | Yes | |
| Domain global | Distribution groups | No | No | Yes | Yes | No | No |
| Security groups | No | No | Yes | Yes | No | No | |
| Universal | Distribution groups | No | No | Yes | Yes | Yes | Yes |
| Security groups | No | No | Yes | Yes | Yes | Yes | |
| Group scope | Can contain users and computers from | Can contain domain local groups from | ||
| Same domain | Different domain | Same domain | Different domain | |
| Domain local groups | Yes | Yes | Special | No |
| Domain global groups | Yes | No | No | No |
| Universal groups | Yes | Yes | No | No |
Table 2-7. Restrictions on group membership based on group scope
| Group scope | Can contain domain global groups from | Can contain universal groups from | ||
| Same domain | Different domain | Same domain | Different domain | |
| Domain local groups | Yes | Yes | Yes | Yes |
| Domain global groups | Special | No | No | No |
| Universal groups | Yes | Yes | Yes | Yes |
Table 2-8. Restrictions on group membership based on domain