NIST's guidance for a Zero Trust Architecture

Active Directory Fundamentals

Active Directory Nested Groups Explained

What you will learn:

Nesting groups in Active Directory (AD) allow for better control in managing access to resources in the AD network. Group nesting also makes it easier to assign permissions across multiple domains and greatly reduces the hassle for IT administrators. However, the process of nesting groups can quickly get confusing owing to the various types of groups in AD and their scope. So, in this article, we will learn what group nesting is, the types of groups and their scope of nesting, how you can nest a group, and the best practices for group nesting to avoid confusion and hassle.

What is group nesting?

AD group nesting, simply put, is the process of putting one group inside another group. Nested groups inherit the permissions and privileges of the group they are put under, and hence this makes privilege administration easier. However, not all groups can be nested within other groups, and this depends on the types of groups in AD, and their scope of nesting.

Types of groups based on their scope

There are three types of groups in AD based on their scope, which are as follows:

  • Domain local groups: Domain local groups are the groups where permissions are assigned. This is because these groups have the highest scope in terms of who can be members of this group. Any group or account from any domain or trusted domain (Except domain local groups from other trusted domains) can be a part of this group.
  • Global groups: These groups can contain accounts and other global groups from the same domain. These groups are used to collect and group multiple objects from the same domain, and these groups can then be placed inside domain local groups.
  • Universal groups: Universal groups come in handy when you want to group objects from different domains in the same forest. This way, you can assign privileges to objects that span multiple domains at once without having to assign the same privileges each time on every domain.

The following table contains the various groups and their scopes

Group typeMembers who can be part of this groupThis group can be a member of
Universal groupsAccounts, global groups, and other universal groups from any domain within the same forestOther universal groups in the same forestDomain local groups or local groups on computers in the same forest or trusting forests
Global groupsAccounts and other global groups from the same domainUniversal groups from any domain in the same forestOther global groups from the same domainDomain local groups from any domain in the same forest or any trusted domain
Domain local groupsAccounts and global groups, from any domain in the same forest or any trusted domainsUniversal groups from any domain in the same forestOther Domain Local groups from the same domainOther domain local groups from the same domainLocal groups on computers in the same domain (except built-in groups that have well-known SIDs)
Nesting groups in Active Directory

How to create nested groups in AD

Nesting groups in AD follow the same process as adding member objects to a group. Here’s how you can nest a group into another group:

  • Go to Start -> Administrative Tools, and click Active Directory Users and Computers.
  • Navigate to the group that you want to nest inside another group.
  • Right click on the group and click Properties.
  • In the pop-up window, click the Member Of tab.
  • Click Add to search for the group you want this group to reside in.
  • You can search for the group by typing out the name and then clicking Check Names
  • Click the group you want in the list that is shown, and then click OK.
  • Click OK again. Now, the Member Of window will show the selected group name under the list of objects this group is present in. Click OK.

The group has successfully been nested inside the desired parent group.

Creating a nested group in Active Directory
Creating a Nested Group

Nested groups best practices

There are two best-practice processes depending on the number of domains that are involved. The key difference is the involvement of universal groups.

Process 1:

If the users are part of the same domain, here’s how nested groups and permissions assignments are done:

  • Add the user accounts and computer accounts that you want inside global groups.
  • Add the global group to a domain local group.
  • Assign permissions to the domain local group.

Accounts -> Global groups -> Domain local groups -> Permission assignment

The user and computer accounts in the global group will thus inherit the permissions assigned to the domain local group.

Process 2:

If the users are part of multiple trusted domains or trusted forests, then you use make use of the universal groups in the process. Here’s how the process will now look like:

  • Add the user accounts and computer accounts that you want inside global groups.
  • Add the global group to a universal group.
  • Add the universal group to a domain local group.
  • Assign permissions to the domain local group.

Accounts -> Global groups -> Universal groups -> Domain local groups -> Permission assignment

The universal group ensures that users and computers from external trusted domains and forests can be a part of this nested group operation.

Tip to note: Always use the first process for nesting groups in AD unless you have user and computer accounts from external trusted domains or forests to keep things simpler. You can always modify the nested group created with the first process to include a universal group later down the line in case it becomes necessary.

Related posts
Active Directory Fundamentals

Active Directory Groups: An explanation

Active Directory Fundamentals

What is Azure Active Directory?

Active Directory Fundamentals

Active Directory Basics: Everything you need to know

Active Directory Fundamentals

DNS and Active Directory

Leave a Reply

Your email address will not be published. Required fields are marked *