In Microsoft Windows NT–based networks, a type of group that exists only on the local computer on which it is created. On a Windows NT member server or workstation, local groups reside in the local security database on the computer. A local group created on a domain controller, however, exists on all domain controllers in the domain because domain controllers in the same domain share the same security database.
Local groups are used within an enterprise-level Windows NT network to provide users with permissions for accessing network resources and rights for performing system tasks. You generally create local groups for specific groups of resources on the network and assign these local groups suitable permissions on the resources. A collection of global user accounts can be made into a global group. Global groups are placed into local groups to give users access to resources on the network. This process is referred to as AGLP. Note that local groups can contain global user accounts and global groups from any trusted domain, but they cannot contain other local groups.
A Windows 2000–based network can have both local groups and domain local groups. Local groups are for computers running Windows 2000 that are not part of a domain, and they exist only within the local security database of the computer on which they were created. Local groups are used for granting users who are interactively logged on to a computer running Windows 2000 access to resources on that computer.
Local groups can contain only local user accounts from the same machine. Domain local groups, however, have a domain-wide scope and provide users with access to resources located anywhere in a domain. You create local groups on a stand-alone machine running Windows 2000 by using the tool Local Users and Groups, which is implemented as a snap-in for Microsoft Management Console (MMC).
You should use local groups only on stand-alone Windows 2000 servers and workstations that are not part of a domain.