Active Directory nesting security groups

    Question

  • Hi,
    Can Windows/AD handle the following security group nesting strategy:

    Nest an AD security group into another AD security group, which will be nested into a local machine security group on a server. I have tried this and the permissions do not seem to be propagated?


    Summary:
    AD Security Group(Universal)>AD Security Group(Global)>Local Machine Security Group

    Wednesday, May 29, 2013 8:42 PM

Answers

  • See,

    Using Group Nesting Strategy - AD Best Practices for Group Strategy Blogged By Ace Fekay (DS-MVP)

    Regards
    Biswajit Biswas

    • Marked as answer by 朱鸿文 Monday, June 3, 2013 6:03 AM
    Thursday, May 30, 2013 6:04 AM
  • Yes you can do this.

    You want to do it like this...

    Permission group applied to local group on computer: Domain Local Security Group

    Group for users: Global Security Group

    So the group you add to the local group on the computer needs to be a domain local group, and your members should go into the global group, which you nest into the domain local group.

    A G D L P

    Accounts in global groups, global groups in domain local groups, domain local groups apply permissions


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Thursday, May 30, 2013 8:18 AM
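
The A G D L P layout from the answer above, as an added PowerShell example that is not part of the original thread. The domain, OU, group names, account and local group are hypothetical placeholders; it assumes the ActiveDirectory (RSAT) module and, for the local-group step, Windows PowerShell 5.1 on the server.

```powershell
# Added example. Every name below is a hypothetical placeholder.
Import-Module ActiveDirectory

$domain      = 'EXAMPLE'                       # assumed NetBIOS domain name
$ou          = 'OU=Groups,DC=example,DC=com'   # assumed OU for the new groups
$globalGroup = 'GG-AppTeam'                    # G:  holds the user accounts
$dlGroup     = 'DL-Srv01-AppOperators'         # DL: the group the server trusts
$localGroup  = 'AppOperators'                  # assumed existing local group on the server
$account     = 'jdoe'                          # assumed user account

# A -> G: accounts go into the global group.
New-ADGroup -Name $globalGroup -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $globalGroup -Members $account

# G -> DL: the global group is nested into the domain local group.
New-ADGroup -Name $dlGroup -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $dlGroup -Members $globalGroup

# DL -> local group: run this part on the server, in an elevated session.
Add-LocalGroupMember -Group $localGroup -Member "$domain\$dlGroup"

# Check 1: both groups have the scope the layout calls for.
Get-ADGroup -Identity $globalGroup | Select-Object Name, GroupScope
Get-ADGroup -Identity $dlGroup     | Select-Object Name, GroupScope

# Check 2: the account is reachable through the nesting.
$effective = Get-ADGroupMember -Identity $dlGroup -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($effective -contains $account) {
    "$account reaches $dlGroup through $globalGroup"
} else {
    Write-Warning "$account is not an effective member of $dlGroup"
}

# Check 3: the server's local group lists the domain local group.
Get-LocalGroupMember -Group $localGroup | Select-Object Name, ObjectClass

# Check 4: group SIDs are placed in the access token at logon, so confirm
# from a NEW logon session of the user on the server:
#   whoami /groups
```

The recursive membership query is also a quick audit of who actually holds access through a nested group, which is easy to lose track of once groups are chained.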

All replies

  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Have a great day!

    Regards

    Kevin

    TechNet Subscriber Support

    Friday, May 31, 2013 1:56 AM