1.1.1.4.2 Nested Groups

Windows supports the concept of nested groups, that is, the addition of groups as members of other groups. Nesting can reduce the number of permissions that must be assigned individually to users or groups: a permission granted once to the containing group reaches every member of every nested group.

The extent to which an organization can use nesting depends on the mode in which the domain, and therefore its domain controllers, was configured. A domain can be configured in one of two modes: mixed mode or native mode. For more information, see [MS-ADTS] section 6.1.4.1.

Mixed mode: A domain controller that is configured to support a mixed environment, meaning that the domain can contain DCs running Windows NT 4.0 operating system as well as DCs running Windows 2000 operating system, Windows Server 2003 operating system, and Windows Server 2003 R2 operating system.

Native mode: A domain controller that is not configured to support an environment containing DCs running Windows NT 4.0. When the domain is in native mode, domain local groups can additionally contain domain local groups from their own domain and universal groups from any trusted domain.

Unlike Windows NT operating system local groups, which are scoped to a single machine, a domain local group can be granted permissions to resources on all servers (both the domain controllers and the member servers) in its domain. When the domain is in mixed mode, domain local groups can contain user accounts and global groups from any trusted domain or forest.

In mixed mode, only one type of nesting is available: global groups can be members of domain local groups. Universal groups do not exist in mixed mode. In native mode, multiple levels of nesting are available, so a principal's effective group membership is the transitive closure of these relationships rather than just its direct memberships. The nesting rules for group membership are summarized in the following table.

Group scope        | Contains                                                                                                          | Can be a member of
Domain local group | User accounts and universal and global groups from any trusted domain. Domain local groups from the same domain.   | Domain local groups in the same domain.
Global group       | User accounts and global groups from the same domain.                                                             | Universal and domain local groups in any domain. Global groups in the same domain.
Universal group    | User accounts and universal and global groups from any domain.                                                    | Universal or domain local groups in any domain.
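The following is an added example, not part of [MS-ADOD] or of any Windows component, that models the nesting table above together with the mixed-mode restriction described earlier in this section, and then expands nested membership transitively to find who actually ends up with access to a resource. The domains (corp, partner), principals and group names are constructed for illustration, and the model assumes that every domain it names trusts every other one, so the table's "any trusted domain" reduces to "any domain".

```python
"""Model of the group-nesting rules in [MS-ADOD] section 1.1.1.4.2 (added example).

nesting_allowed() encodes the scope table for native mode and the single
global -> domain local nesting permitted in mixed mode; effective_users()
walks the nesting graph to compute who can actually reach a resource.
All principals and domains below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

USER, DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "user", "domain local", "global", "universal"


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str  # USER, DOMAIN_LOCAL, GLOBAL or UNIVERSAL


def nesting_allowed(member: Principal, group: Principal, mode: str = "native") -> bool:
    """True if `member` may be added to `group` under the nesting table.

    Assumption: all domains trust each other, so "any trusted domain" == "any domain".
    """
    same_domain = member.domain == group.domain
    if mode == "mixed":
        # Universal groups do not exist; the only nesting is global -> domain local.
        if UNIVERSAL in (member.kind, group.kind):
            return False
        if group.kind == DOMAIN_LOCAL:
            return member.kind in (USER, GLOBAL)      # from any trusted domain
        if group.kind == GLOBAL:
            return member.kind == USER and same_domain
        return False
    if mode != "native":
        raise ValueError(f"unknown domain mode {mode!r}")
    if group.kind == DOMAIN_LOCAL:
        if member.kind in (USER, GLOBAL, UNIVERSAL):  # from any trusted domain
            return True
        return member.kind == DOMAIN_LOCAL and same_domain
    if group.kind == GLOBAL:
        return member.kind in (USER, GLOBAL) and same_domain
    if group.kind == UNIVERSAL:
        return member.kind in (USER, GLOBAL, UNIVERSAL)
    return False  # a user account cannot contain members


Membership = Dict[Principal, Set[Principal]]


def add_member(membership: Membership, member: Principal, group: Principal, mode: str = "native") -> None:
    """Record `member` in `group`, rejecting combinations the nesting table forbids."""
    if not nesting_allowed(member, group, mode):
        raise ValueError(f"{member.kind} {member.name}@{member.domain} cannot be a member of "
                         f"{group.kind} {group.name}@{group.domain} in {mode} mode")
    membership.setdefault(group, set()).add(member)


def effective_users(group: Principal, membership: Membership) -> Set[Principal]:
    """Transitively expand nested groups and return every user that ends up in `group`.

    The `seen` set stops the walk on cycles (A in B, B in A), which native mode
    permits for same-domain domain local groups and which would otherwise loop.
    """
    users: Set[Principal] = set()
    seen: Set[Principal] = set()
    stack: List[Principal] = [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in membership.get(g, set()):
            if m.kind == USER:
                users.add(m)
            else:
                stack.append(m)
    return users


def build_example() -> Membership:
    """Constructed native-mode scenario spanning two domains, corp and partner."""
    alice = Principal("alice", "corp", USER)
    bob = Principal("bob", "partner", USER)
    helpdesk = Principal("Helpdesk", "corp", GLOBAL)
    partner_staff = Principal("PartnerStaff", "partner", GLOBAL)
    all_support = Principal("AllSupport", "corp", UNIVERSAL)
    share_rw = Principal("FileShare-RW", "corp", DOMAIN_LOCAL)

    m: Membership = {}
    add_member(m, alice, helpdesk)             # user -> global, same domain
    add_member(m, bob, partner_staff)
    add_member(m, helpdesk, all_support)       # global -> universal, any domain
    add_member(m, partner_staff, all_support)
    add_member(m, all_support, share_rw)       # universal -> domain local
    return m


def effective_share_users() -> List[str]:
    """Everyone who reaches FileShare-RW through the nesting chain, as name@domain."""
    share_rw = Principal("FileShare-RW", "corp", DOMAIN_LOCAL)
    return sorted(f"{u.name}@{u.domain}" for u in effective_users(share_rw, build_example()))


if __name__ == "__main__":
    print(effective_share_users())  # ['alice@corp', 'bob@partner']
    # A partner user cannot be placed directly in a corp global group.
    print(nesting_allowed(Principal("bob", "partner", USER), Principal("Helpdesk", "corp", GLOBAL)))  # False
```

The transitive expansion is the part that matters when auditing access: a permission on FileShare-RW names only one domain local group, yet a user from another domain reaches it through two levels of nesting, which is exactly what a direct-membership listing would miss.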