Windows security groups: To nest or not?

There are few things more important than troubleshooting a permissions issue only to find that a nested global security group is the culprit. The nesting of global security groups can cause so many issues, especially when any deny permissions come into play. Take into account any group policy-based deny permissions, and the tracing effort can be quite cumbersome.

For Active Directory domains, do you allow nested global security groups? The troubleshooting aspect of group membership is made complicated at first glance in most tools. Many tools will report effective rights, but not necessarily that they are there because of a nested group, much less a group membership at all.

I would love to say that nesting group membership is prohibited, but there are occasional situations where it makes sense.

Read the entire post at the Network Administrator blog on TechRepublic.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: