Because of the creation of a cross-domain group, I revisited the most basic AD knowledge, the so-called learning the new by reviewing the past, and sorted out the results of the review. The group types in AD are divided into global, universal and local domain in terms of scope, and divided into security and distribution in terms of type. The following types are easy to understand, security is purely used for permission access, and distribution is mainly used to set up mass mailing. The previous types are a little more complicated.
According to the recommended memory of Microsoft lecturers on the forum, it can be understood in the following way
A-> G -> U -> LD -> P
A is an account, G is a global group, U is a universal group, LD is a local domain group, and P stands for authority division
The former can be a member of the latter, but not the other way around; and since groups of the same type can also be members of groups of the same type, the link above can be extended to
A->G->G->U->U->LD->LD->P
For G only, the scope of his members can only be the same domain; the members of U can be extended to the entire Sen; and the members of LD can be any domain or Sen;
For example, I have domain A and domain B, and domain A tries to access the resources of domain B, so a common practice is to create a Global or Universal group in A, and then create a Local domain group in B, and use the group created by A as members of group B, then members of group A can access the resources of group B.
In order to test this theory�