Group Nesting Reference Chart
Active Directory group nesting restrictions are an often-discussed topic among my peers, especially in a multi-domain forest, and a question frequently raised in forums and mailing lists. Although some great blogs dive deep into the technical restrictions, I personally needed a simple reference chart that I could refer to and that serves me as a memory refresher.

Of the two types of Active Directory groups, Security and Distribution, both have restrictions, but this reference chart covers only the Security type. Security groups come in three scopes: Domain Local, Global, and Universal. A leading practice for using these scopes for NTFS permissions is as follows: Domain Local groups are used for permissions (ACLs), users are placed in Global groups, and Universal groups are used to manage Global groups. But there is often a need to circumvent this model, and cross nesting is required, especially in a multi-domain forest or in a large environment with multiple forests. The nesting restrictions of each group scope that you must know about can be broken into three questions, with a chart for each below:
Please note that these nesting restrictions assume the Windows 2000 native or Windows Server 2003 domain functional level (DFL).
1. Which group scopes will a particular group accept as nested members, from the same domain and from a trusted domain?
Chart 1 for Question # 1
| Same domain | Can accept Domain Local | Can accept Global Group | Can accept Universal Group |
|---|---|---|---|
| Domain Local | Yes | Yes | Yes |
| Global Group | No | Yes | No |
| Universal Group | No | Yes | Yes |
Chart 2 for Question # 1
| Trusted domain | Can accept Domain Local | Can accept Global Group | Can accept Universal Group |
|---|---|---|---|
| Domain Local | No | Yes | Yes |
| Global Group | No | No | No |
| Universal Group | No | Yes | Yes |
2. Where can a particular group be assigned permissions (ACLs): only in the domain where it resides, or also across domains (trusted domains or other child domains within the same forest)?
All three scope types can be used to assign permissions in the same domain where the groups reside.
Chart 1 for Question # 2
| Trusted domain | Can be used to assign permissions |
|---|---|
| Domain Local | No |
| Global Group | Yes |
| Universal Group | Yes |
3. Which group scopes will accept users and computers from the same domain and from a trusted domain?
All three scope types will accept users and workstations from the same domain where they reside.
Chart 1 for Question # 3
| Trusted domain | Will accept users and workstations |
|---|---|
| Domain Local | Yes |
| Global Group | No |
| Universal Group | Yes |
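The three charts above are small enough to encode as a lookup table, which is handy when auditing an exported list of group memberships and ACL entries for nestings that the directory would refuse (or that were carried over from a less restrictive configuration). The script below is an added example written for this post, not code from the post or from Microsoft; the domain names, group names and the user `jdoe` are constructed sample data, and the `Group`/`Principal` types are my own simplification of what a directory export would contain.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "DomainLocal", "Global", "Universal"

# Charts 1 and 2 for Question 1, keyed as
# NESTING[container_scope][member_scope] = (allowed_same_domain, allowed_trusted_domain)
NESTING = {
    DOMAIN_LOCAL: {DOMAIN_LOCAL: (True, False), GLOBAL: (True, True), UNIVERSAL: (True, True)},
    GLOBAL:       {DOMAIN_LOCAL: (False, False), GLOBAL: (True, False), UNIVERSAL: (False, False)},
    UNIVERSAL:    {DOMAIN_LOCAL: (False, False), GLOBAL: (True, True), UNIVERSAL: (True, True)},
}

@dataclass(frozen=True)
class Group:
    name: str
    scope: str
    domain: str

@dataclass(frozen=True)
class Principal:  # a user or computer account
    name: str
    domain: str

Member = Union[Group, Principal]

def same_domain(a: str, b: str) -> bool:
    return a.lower() == b.lower()

def can_nest(container: Group, member: Group) -> bool:
    """Question 1: may group `member` be a member of group `container`?"""
    allowed_same, allowed_trusted = NESTING[container.scope][member.scope]
    return allowed_same if same_domain(container.domain, member.domain) else allowed_trusted

def can_assign_permissions(group: Group, resource_domain: str) -> bool:
    """Question 2: may `group` appear in an ACL on a resource in `resource_domain`?"""
    if same_domain(group.domain, resource_domain):
        return True
    return group.scope != DOMAIN_LOCAL  # only Domain Local is confined to its own domain

def can_hold_principal(group: Group, principal: Principal) -> bool:
    """Question 3: may a user or computer from `principal.domain` be a direct member?"""
    if same_domain(group.domain, principal.domain):
        return True
    return group.scope != GLOBAL  # Global groups only take principals from their own domain

def audit_memberships(memberships: List[Tuple[Group, Member]]) -> List[str]:
    """Return one finding per membership the charts say the directory would refuse."""
    findings = []
    for container, member in memberships:
        ok = can_nest(container, member) if isinstance(member, Group) else can_hold_principal(container, member)
        if not ok:
            scope = f" ({member.scope})" if isinstance(member, Group) else ""
            findings.append(f"{container.domain}\\{container.name} ({container.scope}) "
                            f"cannot contain {member.domain}\\{member.name}{scope}")
    return findings

def audit_acl_entries(entries: List[Tuple[Group, str]]) -> List[str]:
    """Return one finding per (group, resource domain) pair the charts say is not permitted."""
    findings = []
    for group, resource_domain in entries:
        if not can_assign_permissions(group, resource_domain):
            findings.append(f"{group.domain}\\{group.name} ({group.scope}) cannot be granted "
                            f"permissions on a resource in {resource_domain}")
    return findings

# Constructed sample data (hypothetical domains, groups and user; not from the post):
CORP, SALES = "corp.example", "sales.example"
FILESHARE_RW = Group("FileShare-RW", DOMAIN_LOCAL, CORP)
CORP_STAFF = Group("Corp-Staff", GLOBAL, CORP)
SALES_STAFF = Group("Sales-Staff", GLOBAL, SALES)
ALL_MANAGERS = Group("All-Managers", UNIVERSAL, CORP)
SALES_USER = Principal("jdoe", SALES)

SAMPLE_MEMBERSHIPS = [
    (FILESHARE_RW, SALES_STAFF),   # Domain Local <- Global from trusted domain: allowed (Chart 2, Q1)
    (FILESHARE_RW, SALES_USER),    # Domain Local <- user from trusted domain: allowed (Chart 1, Q3)
    (ALL_MANAGERS, CORP_STAFF),    # Universal <- Global from same domain: allowed (Chart 1, Q1)
    (CORP_STAFF, SALES_STAFF),     # Global <- Global from trusted domain: refused
    (CORP_STAFF, SALES_USER),      # Global <- user from trusted domain: refused
    (ALL_MANAGERS, FILESHARE_RW),  # Universal <- Domain Local: refused
]
SAMPLE_ACLS = [
    (FILESHARE_RW, CORP),   # Domain Local used in its own domain: allowed
    (FILESHARE_RW, SALES),  # Domain Local used in a trusted domain: refused (Chart 1, Q2)
    (ALL_MANAGERS, SALES),  # Universal across domains: allowed
]

if __name__ == "__main__":
    for line in audit_memberships(SAMPLE_MEMBERSHIPS) + audit_acl_entries(SAMPLE_ACLS):
        print(line)
```

Running the script prints the three refused memberships and the one refused ACL entry from the sample data; to use it against a real environment, populate the two lists from an export of your groups (name, scope, domain) and their members, and treat each finding as a nesting that needs to be restructured per the charts, typically by swapping a Global group for a Universal one or a Domain Local group for the resource's own domain.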
More information on the scope of these groups can be found here:
http://technet.microsoft.com/en-us/library/cc755692.aspx
To learn about a leading access control model known as AGDLP see :
http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1255549,00.html

Shariq,
All the concepts about Groups are so much easier to understand with this post.
Thanks for sharing with us.
[]`s
Hi Shariq,
Thanks for sharing your insightful thoughts and suggestions on group nesting – very helpful, and appreciated indeed.
On a related note, we needed a quick and efficient way to enumerate nested security groups for security audits (i.e. find out which groups were nested in other groups.) So we asked our on-site MS consultant and he recommended using the Gold Finger from Paramount Defenses Inc.
Gold Finger pleasantly surprised us because not only was it endorsed by Microsoft but also 100% FREE and loaded with almost 250 useful Active Directory security, Exchange and ACL management reports. BTW, you can download it for free from http://goldfinger.paramountdefenses.com
Thought I’d share this with you in case it could help you too, especially if you have like on-demand reporting.
Thanks again, and looking forward to your next post.
Best wishes,
Jonathan