Nesting Groups in Windows Server 2003


Date Submitted: 07/03/2011 05:07 PM


How to Nest Users and Groups for Permissions

When you look at groups within Active Directory, you will see that you have many to choose from. The type and scope of group that you create determine how that group can be used and where it can be used within the enterprise. Knowing how Microsoft designed Active Directory groups will help you develop a solid group strategy for assigning permissions. In addition to knowing how to design your groups, there are some pitfalls with user and group nesting that you want to avoid, because they leave you with permissions that are hard to audit and easy to get wrong.

Group types and scope

When you jump into the Active Directory Users and Computers interface to create some groups, you will immediately see that there are many options to choose from. As you can see from Figure 1, you need to select the group scope and type during the creation of a new group.

Figure 1: Active Directory groups require both scope and type to be configured

Understanding the specifics of these groups will help you decide which options to pick for the group you are creating. For each group, you need to know what objects it can contain, as well as the overall purpose of the group. The group type decides whether the group can carry permissions at all: a security group has a SID and can be placed on an Access Control List (ACL); a distribution group is for e-mail only and cannot be used to grant or deny access.

The group scope determines where the group can be used within the Active Directory enterprise, and therefore the role it plays in the overall assignment of permissions. Before we discuss each scope specifically, the overall picture of user and group nesting (often abbreviated AGDLP: Accounts, Global, Domain Local, Permissions) is designed to be as follows:

Users go into Global Groups, Global Groups go into Domain Local Groups, and Domain Local Groups are listed on the Access Control List (ACL) of the resource.

If Universal Groups are used (for example, when one group must collect Global Groups from several domains in the forest), then the following nesting rules apply:

Users go into Global Groups, Global Groups go into Universal Groups, Universal Groups go into Domain Local Groups, and Domain Local Groups are listed on the Access Control...
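The nesting chain described above, carried through end to end as an added example (this is not code from the original article). It uses the ActiveDirectory PowerShell module, which ships with RSAT on Windows Server 2008 R2 and later rather than with Windows Server 2003, so on a 2003 domain the same steps would be typed with dsadd and cacls. The domain name CORP / corp.example, the OU, the group and user names, the share path and the Test-AgdlpAcl helper are all assumptions made for the example.

```powershell
# Added example, not the article's own code. Assumed: domain CORP (corp.example),
# OU=Groups, sample users jsmith and akumar, and a share at D:\Shares\Sales.
Import-Module ActiveDirectory

$domainNetbios = 'CORP'
$groupOU       = 'OU=Groups,DC=corp,DC=example'
$sharePath     = 'D:\Shares\Sales'
$users         = @('jsmith', 'akumar')      # constructed sample accounts

# A -> G: accounts go into a Global group that describes a role, not a resource.
New-ADGroup -Name 'Sales-Staff' -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'Sales-Staff' -Members $users

# G -> DL: the Global group goes into a Domain Local group named for the
# resource and the level of access it grants.
New-ADGroup -Name 'Sales-Share-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'Sales-Share-Modify' -Members 'Sales-Staff'

# DL -> P: only the Domain Local group is placed on the resource ACL.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$domainNetbios\Sales-Share-Modify",   # identity
            'Modify',                               # FileSystemRights
            'ContainerInherit, ObjectInherit',      # inherit to subfolders and files
            'None',                                 # PropagationFlags
            'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check: every domain ACE on the resource should resolve to a Domain Local group.
# A user account or a Global/Universal group sitting directly on the ACL is the
# nesting pitfall the article warns about, so the function reports those entries.
function Test-AgdlpAcl {
    param([Parameter(Mandatory)][string]$Path,
          [string]$Domain = $domainNetbios)

    $offenders = @()
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $name = $ace.IdentityReference.Value
        if ($name -notlike "$Domain\*") { continue }   # skip BUILTIN\, NT AUTHORITY\, etc.
        $sam = $name.Split('\')[1]

        # Get-ADGroup -Filter returns nothing (no error) when the name is not a group.
        $grp = Get-ADGroup -Filter "SamAccountName -eq '$sam'"
        if ($null -eq $grp) {
            $offenders += "$name (not a group: user or computer placed directly on the ACL)"
        }
        elseif ($grp.GroupScope -ne 'DomainLocal') {
            $offenders += "$name ($($grp.GroupScope) group placed directly on the ACL)"
        }
    }
    return $offenders      # empty array means the ACL follows AGDLP
}

$bad = Test-AgdlpAcl -Path $sharePath
if ($bad.Count -eq 0) {
    Write-Host "ACL on $sharePath contains only Domain Local groups."
} else {
    $bad | ForEach-Object { Write-Warning $_ }
}

# Effective membership of the resource group, resolved through the nesting chain,
# which is what a permissions audit actually needs to see.
Get-ADGroupMember -Identity 'Sales-Share-Modify' -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

Run this as a domain administrator on a machine with RSAT installed. The order matters: the Global group is created and populated first, the Domain Local group second, and the ACL last, so that at no point is an account granted access outside the chain. Test-AgdlpAcl can be pointed at any existing share to find permissions that were granted the wrong way, which is the usual way these pitfalls surface on a domain that has been around for a while.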