Universal Group is one of three types of groups in Microsoft Windows 2000. Universal groups can include members from any domain and can be granted permissions for resources in any domain in the current forest. They can contain user accounts, global groups, and universal groups from any domain in the current forest. They cannot contain domain local groups. Like global groups, all trusted domains have access to universal groups in order to grant them permission to access resources on the network.
You can create universal groups only when the domain is running in native mode, not when it is in mixed mode. In other words, you cannot use universal groups in a network that has a mixture of Windows 2000 and Microsoft Windows NT domain controllers. You can use them only in a network whose domain controllers are running Windows 2000.
You can use global groups nested inside universal groups to dramatically reduce network traffic due to global catalog replication in a Windows 2000–based network. Use universal groups only when their membership changes infrequently, since excessive replication traffic can occur in a domain tree if their membership changes frequently.
You can also use universal groups to grant users access to resources that are located in multiple domains. Simply add global groups from each domain to a universal group and assign permissions for the resource to the universal group. This use of universal groups is similar to that of domain local groups, except that you can use domain local groups only to assign permissions for resources in a single domain.