I frequently get asked which group type can be a member of which group. For this reason I decided to explain the nesting of AD groups in this article with the help of some graphical illustrations. The topic gets even more interesting with universal groups and multi-domain group memberships, e.g. across a trusted domain of the same forest or a trusted domain of another forest.
Notes on the graphics:
To illustrate the nesting of groups in a better way, the graphics only show the connections (group memberships) for one type of group. At the end of this article there is a diagram which combines the different types of groups and their connections. Furthermore, I designed the connectors with different colours as follows:
- User = dark blue
- Domain Local Groups = orange
- Global Groups = green
- Universal Groups = light blue
Nesting of Domain Local Groups
To begin with, a domain local group can be a member of another (domain local) group within the same domain. In addition, local users and computers can also be members of this group. This can look like the illustration below:
Now, there is the option to nest a local group with users or computers of other domains by using a trusted domain of the same forest.
As you can see in this graphic, users (or computers) from Domain A can become members of one or more domain local groups of Domain B. Of course, this also works the other way around: users in Domain B can become members of domain local groups of Domain A. The same applies to a trusted domain of another forest.
Nesting of Global Groups
However, there are slight differences with global groups. Within a domain, users can become members of a global group. Global groups can become members of other global groups in the same domain. Additionally, a global group of a domain can become a member of one or more domain local groups of the same domain.
Next, global groups offer the possibility of nesting users, computers or even domain local groups via a trusted domain of the same forest.
As shown in the graphic above, users (and computers) of Domain A can become members of the global group in Domain B. Additionally, a global group of Domain A can become a member of one or more domain local groups of Domain B. The same is valid from Domain B to Domain A. These rules are valid for all relevant groups on a trusted domain of another forest.
Nesting of Universal Groups
Universal groups offer the advantage that almost every user can become a member of this group. Users of the same domain can become members of one or more universal groups as well as members of one or more global groups. Universal groups can also be members of one or more universal groups within the same domain.
There is an option to nest universal groups via a trusted domain of the same forest with users, computers, domain local groups or global groups.
The illustration above shows that users (also computers) of Domain A can become members of one or more universal groups of Domain B. The same is valid for users of Domain B becoming members of universal groups of Domain A. Additionally, global groups of Domain A can become members of one or more universal groups of Domain B. Of course, these rules also apply from Domain B to Domain A. Note that this is NOT applicable to a trusted domain of another forest.
Summary of nested group options
So far, we looked at all group types individually. Below I will show you the combined picture of all groups.
Nesting groups within the same domain:
In a scenario with a trusted domain of the same forest the connections are as follows.
Nesting groups in two different domains:
A valuable source for this analysis was the FAQ article Group Nesting in Windows Domain.
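One way to see which of these nestings actually exist in your own environment, as an added example that is not part of the original article: a read-only PowerShell report built on the ActiveDirectory module's `Get-ADGroup` and `Get-ADObject` cmdlets. The function names `Get-DomainFromDN`, `Get-ScopeFromGroupType` and `Get-GroupNestingReport` are made up for this example, and it assumes the RSAT ActiveDirectory module and read access to every domain involved.

```powershell
# Added example: read-only report, requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-DomainFromDN([string]$DN) {
    # Join the DC= components of a distinguished name into a DNS-style domain name.
    ($DN -split '(?<!\\),' | Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_.Substring(3) }) -join '.'
}

function Get-ScopeFromGroupType([int]$GroupType) {
    # groupType is a bit field: 0x2 = global, 0x4 = domain local, 0x8 = universal.
    if ($GroupType -band 0x2) { 'Global' }
    elseif ($GroupType -band 0x4) { 'DomainLocal' }
    elseif ($GroupType -band 0x8) { 'Universal' }
    else { 'Unknown' }
}

function Get-GroupNestingReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)   # domain whose groups are inspected
    foreach ($group in Get-ADGroup -Filter * -Server $Domain -Properties member) {
        $groupDomain = Get-DomainFromDN $group.DistinguishedName
        foreach ($memberDN in $group.member) {
            if ($memberDN -like '*,CN=ForeignSecurityPrincipals,*') {
                # Placeholder object AD creates for a principal that is not an object
                # in this forest, e.g. an account from a trusted domain of another forest.
                $origin = 'Foreign security principal'
                $class = 'foreignSecurityPrincipal'; $scope = $null
            } else {
                $memberDomain = Get-DomainFromDN $memberDN
                $origin = if ($memberDomain -eq $groupDomain) { 'Same domain' }
                          else { 'Other domain, same forest' }
                $m = Get-ADObject -Identity $memberDN -Server $memberDomain -Properties groupType
                $class = $m.ObjectClass
                $scope = if ($class -eq 'group') { Get-ScopeFromGroupType $m.groupType }
            }
            [pscustomobject]@{
                Group = $group.Name; GroupScope = $group.GroupScope
                Member = $memberDN; MemberClass = $class
                MemberScope = $scope; Origin = $origin
            }
        }
    }
}

# Show only group-in-group nesting and memberships that cross a domain boundary.
Get-GroupNestingReport |
    Where-Object { $_.MemberScope -or $_.Origin -ne 'Same domain' } |
    Sort-Object Group | Format-Table -AutoSize
```

The `member` attribute does not include primary-group membership, so a user's primary group (typically Domain Users) will not show up in this report.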