Global groups are used to assign permissions to network resources throughout the forest. They are most often used to logically organize user and computer accounts, sometimes based on departments or business functions.

A global group can only contain members from the domain in which it was created. For example, if you create a global group called Marketing in your domain, the Marketing group can only contain members from within this domain. Once a global group is created, it can cross domains and be granted permissions to network resources located in other domains in the forest.

Once Active Directory is installed, several built-in global groups are created and can be viewed in the Users folder within the Active Directory Users and Computers snap-in.

• Cert Publishers: Members of this group have the right to publish certificates for users and computers.
• DnsUpdateProxy: Members of this group have the right to perform dynamic updates on behalf of other clients.
• Domain Admins: Members of this group have full control throughout the domain.
• Domain Computers: All computers and servers added to the domain become a member of this group.
• Domain Controllers: All domain controllers within the domain are members of this group.
• Domain Guests: All domain guests are members of this group.
• Domain Users: All user accounts created become a member of the Domain Users group.
• Enterprise Admin: Members of this group have full control to all domains within the forest.
• Group Policy Creator Owner: Members of this group have the right to modify group policies within the domain.
• Schema Admins: Members of this group have the right to modify the Schema.