Group Nesting Reference Chart

09/11/2009

The Active Directory Groups Nesting restrictions is an often-discussed topic among my peers especially in a multi-domain forest and often a question raised in forums and mailing lists. Although there have been some great blogs written that dive deep into the technical restrictions, I personally needed a simple reference chart that I could refer to and which serves me as a memory refresher. Between the two types of Active Directory Groups, Security and Distributions, there are restrictions in both but this attempted reference chart covers only Security type. There are three scopes of Security Groups. Domain Local, Global, and Universal. A leading practice for each of these scopes for NTFS permissions is as follows. Domain Local Groups are used for permissions (ACLs), Users are populated in Global Groups, and Universal Groups are used to manage Global Groups. But often times there are needs to circumvent this model and cross nesting is required especially in a multi-domain forest or in a large environment with multiple forests. The nesting restrictions of each group that you must know about can be broken into three questions and subsequent charts below :

Please note that these nesting restrictions assume Window 2000 native or Windows Server 2003 DFL.

1. Which particular group will take other scope type (nested) as its member i.e from the same domain and from a trusted domain ?

Chart 1 for Question # 1

Same Domain Can accept Domain Local Can accept Global Group Can accept Universal Group
Domain Local Yes Yes Yes
Global Group No Yes No
Universal Group No Yes Yes

Chart 2 for Question # 1

Trusted Domain Can accept Domain Local Can accept Global Group Can accept Universal Group
Domain Local No Yes Yes
Global Group No No No
Universal Group No Yes Yes

2. Where can a particular group be assigned permissions (ACL) i.e only in the domain where it resides and also cross domains ? (trusted or other child domains within the same forest )

All three scope types can be used to assign permissions in the same domain where the groups reside.

Chart 1 for Question # 2

Trusted Domain Can be used to assign permissions
Domain Local No
Global Group Yes
Universal Group Yes

3. Which group will accept users and computers from same and trusted domain ?

All three scope types will accept Users and Workstation from the same domain where they reside.

Chart 1 for Question # 3

Trusted Domain Will accept Users and Workstations
Domain Local Yes
Global Group No
Universal Group Yes

More information on the scope of these groups can be found here:

http://technet.microsoft.com/en-us/library/cc755692.aspx

To learn about a leading access control model known as AGDLP see :

http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1255549,00.html

  • Share/Bookmark

There are 2 comments in this article:

  1. 14/09/2009Thiago Pereira say:

    Shariq,

    All the concepts about Groups are so much easier to understand with this post.

    Thanks for share with us.

    []`s

  2. 28/10/2009Jonathan Craiig say:

    Hi Shariq,

    Thanks for sharing your insightful thoughts and suggestions on group nesting – very helpful, and appreciated indeed.

    On a related note, we needed a quick and efficient way to enumerate nested security groups for security audits (i.e. find out which groups were nested in other groups.) So we asked our on-site MS consultant and he recommended using the Gold Finger from Paramount Defenses Inc.

    Gold Finger pleasantly surprised us because not only was it endorsed by Microsoft but also 100% FREE and loaded with almost 250 useful Active Directory security, Exchange and ACL management reports. BTW, you can download it for free from http://goldfinger.paramountdefenses.com

    Thought I’d share this with you incase it could help you too, especially if you have like on-demand reporting.

    Thanks again, and looking forward to your next post.

    Best wishes,
    Jonathan

Write a comment: