Windows security groups: To nest or not?

For administrators who work with Active Directory, there is an opinion on whether or not to nest global security groups. IT pro Rick Vanover explains the cons and limited pros of this practice.

There are few things more important than troubleshooting a permissions issue only to find that a nested global security group is the culprit. The nesting of global security groups can cause so many issues, especially when any deny permissions come into play. Take into account any group policy-based deny permissions, and the tracing effort can be quite cumbersome.

For Active Directory domains, do you allow nested global security groups? The troubleshooting aspect of group membership is made complicated at first glance in most tools. Many tools will report effective rights, but not necessarily that they are there because of a nested group, much less a group membership at all.

I would love to say that nesting group membership is prohibited, but there are occasional situations where it makes sense. My professional administration practice has limited nested group membership with a few guiding rules:

  1. Allow no more than one level of nested group membership.
  2. One security group can have no more than one “member of” value.
  3. The nested security group would not contain groups designated for deny permissions.
  4. The nested global security group is not a high-level privilege group.

These are basic situations, but may not address every use case for a valid use case for nesting a global security group. The guiding principle in these parameters is that it is kept to a minimum, does not increase the troubleshooting burden, and reduces the risk of accidental over-permission assignments. Limiting the use of nested groups also will help prevent issues related to token size problems.

One of the best use cases is the occasional situation where you need to add a computer account to a global security group; it becomes awkward if user accounts and computer accounts are intermixed in the same security group. Another use case is when the Built-In groups (from local computer systems) are being combined with domain user accounts as a way to separate them. Nesting can make sense in those situations as well as others that may arise in your specific configuration.

Do you use any level of nested security groups? If so, share how and when you use them below.