December 1, 2010

How to List and Enumerate Nested Domain Security Groups in Active Directory

In Microsoft Windows Server based networks, access to IT resources is almost always provisioned through security groups, and most often those groups are Active Directory security groups.

In fact, there are four kinds of groups in Active Directory: built-in (local) groups, domain local groups, global groups and universal groups. There are very precise rules regarding the membership and usage of each kind, but one thing all of them share is that they can be nested.

Most simply put, a nested group is a group that is a member of another group. For example, a group called Contract Employees could be made a member of another group called All Employees, and thus be nested. Group nesting can be beneficial in many circumstances, and with some best practices it can also be well managed.

Nested Groups in Active Directory


Unfortunately, because Active Directory lacks a single point of control over group membership, it is very easy for multiple administrators to manage the same groups and inadvertently complicate group nesting to the point where it becomes unmanageable, in the sense that it can be very difficult to find out exactly which user, service and computer accounts are in fact members of a nested group.

In this blog post, we will take a look at various aspects of nested groups and group nesting, including group membership and usage rules and nesting best practices, but most importantly how to correctly list (enumerate) all the effective members of a nested Active Directory group.
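The enumeration described above, as an added example that is not part of the original post. It is PowerShell for the RSAT ActiveDirectory module and assumes a reachable domain controller; the group name "All Employees" is a placeholder. The first approach recurses through each nested group itself (with a visited set so that circular nesting, e.g. A contains B and B contains A, cannot loop forever) and records which intermediate group provides the membership; the second lets the domain controller walk the chain with the LDAP_MATCHING_RULE_IN_CHAIN matching rule in a single query.

```powershell
# Added example (not from the original post): list every account that is an
# effective member of a nested AD security group. Assumes the RSAT
# ActiveDirectory module; 'All Employees' is a placeholder group name.
Import-Module ActiveDirectory

function Get-NestedGroupMember {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [hashtable] $Visited = @{}          # DNs of groups already expanded
    )
    $group = Get-ADGroup -Identity $Identity -Properties member

    # Break cycles: a group nested (directly or indirectly) inside itself
    # would otherwise recurse forever.
    if ($Visited.ContainsKey($group.DistinguishedName)) { return }
    $Visited[$group.DistinguishedName] = $true

    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass
        if ($obj.ObjectClass -eq 'group') {
            # Nested group: expand it, sharing the visited set
            Get-NestedGroupMember -Identity $dn -Visited $Visited
        }
        else {
            # Leaf: user, computer, msDS-GroupManagedServiceAccount,
            # foreignSecurityPrincipal, ...
            [pscustomobject]@{
                Name        = $obj.Name
                ObjectClass = $obj.ObjectClass
                DN          = $obj.DistinguishedName
                ViaGroup    = $group.Name   # the group that directly lists this member
            }
        }
    }
}

# Approach 1: explicit recursion. An account reachable through several
# nested groups appears once per path, so de-duplicate on DN when you only
# want the flat membership list.
Get-NestedGroupMember -Identity 'All Employees' |
    Sort-Object DN -Unique |
    Format-Table Name, ObjectClass, ViaGroup -AutoSize

# Approach 2: one LDAP query. The matching rule with OID
# 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC follow
# memberOf transitively, so nested groups are flattened server-side.
$groupDn = (Get-ADGroup -Identity 'All Employees').DistinguishedName
Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$groupDn)" -Properties objectClass |
    Where-Object { $_.ObjectClass -ne 'group' } |
    Select-Object Name, ObjectClass, DistinguishedName
```

Two caveats worth checking in practice: neither approach reports accounts whose primary group (the primaryGroupID attribute, "Domain Users" by default) is one of the groups in the chain, because primary-group membership is not stored in the group's member attribute; and the LDAP query flattens the result, so when you need to know which intermediate group grants a given account its access, use the recursive function and keep the ViaGroup column.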
