Group Nesting - What You Need To Know To Pass

Group nesting is a really great feature that allows you to add groups within groups. In other words, groups can be members of other groups. The only thing to keep in mind is to use it wisely and limit the level of nesting as it can soon get out of hand and become difficult to keep track of. But let’s look at an example of where it may be useful.

Let’s say you have several domains within a forest and each domain has a group of executives. All the executives within each domain require access to different resources throughout the forest. What you can do is create an executives global group within each domain and add the appropriate users. Then create a universal group and add each executive global group to this universal group. When it comes time to assign all executives permission to a resource, it’s as simple as assigning permission to the universal group.

Now here comes the difficult part of group nesting. The nesting options are dependent on the domain functional level. In other words, if your domain is set to Windows 2000 mixed functional level, group nesting is available, but there are limitations.
In terms of group nesting, if the domain is running in Windows 2000 native functional level:

• Universal groups can contain accounts, computer accounts, other universal groups or global groups from any domain in the forest.
• Global groups can contain accounts and other global groups from within the same domain.
• Domain local groups can contain accounts, global groups from any domain in the forest, universal groups, and other domain local groups from within the same domain.

If the domain is set to Windows 2000 mixed functional level the following restrictions apply:

• Global groups cannot have other groups as members. They can only contain accounts.
• Domain local groups can only have global groups and accounts as members.
• Universal groups cannot be created because they are not supported in this functional level.

Make sure you are familiar with the nesting option available in the different domain modes. You are sure to run into at least one question dealing with group nesting when a domain is running in a particular mode.