2.4.3 Nested Groups

Windows supports the concept of nesting groups, or adding groups to other groups. Nesting groups can help reduce the number of permissions that need to be individually assigned to users or groups.

The process of creating groups across domains involves the following steps:

  1. The administrator in each domain creates global groups and adds user accounts that have the same resource requirements to the global groups.

  2. A domain administrator creates a domain local group for each resource that exists within a domain, such as file shares or printers, and then adds the appropriate global groups from each domain to this domain local group.

  3. A domain administrator assigns the appropriate permissions for the resources to the domain local group. Users in each global group receive the required permissions because their global group is a member of the domain local group.

Effectively nesting groups in a multidomain environment reduces network traffic between domains and simplifies administration in a domain tree. A domain tree is a collection of domains that are grouped together in a hierarchical structure so that they can be administered as a single logical unit.

When a domain is added to the domain tree, it becomes a child of the tree root domain. The domain to which a child domain is attached is called the parent domain. A child domain can contain its own child domain. The name of a child domain is combined with the name of its parent to form its own unique DNS name such as Corp.mycompany.msft. In this manner, a tree has a contiguous namespace.

The extent to which nesting can be used in a specific organization depends on the mode in which the domain controllers (DCs) are configured. Domain controllers can be configured in two modes: mixed mode or native mode.

  • Mixed mode: A DC that is configured to support a mixed environment in which Windows NT 4.0, Windows 2000, and Windows Server 2003 domain controllers coexist in the same domain.

  • Native mode: A DC that is configured such that Windows NT 4.0-style domains are not supported.

In mixed mode, only one type of nesting is available; global groups can be members of domain local groups. Universal groups do not exist in mixed mode. In native mode, multiple levels of nesting are available. The nesting rules for group memberships for Windows 2000 are summarized in the following table.

Group scope / Can contain / Can be a member of:

  • Domain local group
    Can contain: User accounts and universal and global groups from any trusted domain; domain local groups from the same domain.
    Can be a member of: Domain local groups in the same domain.

  • Global group
    Can contain: User accounts and global groups from the same domain.
    Can be a member of: Universal and domain local groups in any domain; global groups in the same domain.

  • Universal group
    Can contain: User accounts and universal and global groups from any domain.
    Can be a member of: Universal or domain local groups in any domain.
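The following added example (not part of the original document) encodes the nesting rules from the table above as a check that can audit a membership map for illegal nestings, and expands the three-step global-group-into-domain-local-group procedure to show which user accounts end up holding the resource permission. The group names, user names, the `emea.mycompany.msft` domain and the `Group` record shape are constructed for illustration; only `corp.mycompany.msft` and the scope rules come from the text.

```python
from dataclasses import dataclass
DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "domain local", "global", "universal"  # scopes from the text

@dataclass(frozen=True)
class Group:
    name: str    # constructed sample name
    scope: str   # one of the three scopes above
    domain: str  # DNS name of the owning domain

def can_nest(member: Group, container: Group, native_mode: bool) -> bool:
    """True if ``member`` may be added to ``container`` under the nesting rules above."""
    same_domain = member.domain == container.domain
    if not native_mode:
        # Mixed mode: global groups inside domain local groups only; no universal groups.
        return container.scope == DOMAIN_LOCAL and member.scope == GLOBAL
    if container.scope == DOMAIN_LOCAL:
        # Universal/global groups from any trusted domain; domain local only from the same domain.
        return member.scope in (UNIVERSAL, GLOBAL) or (member.scope == DOMAIN_LOCAL and same_domain)
    if container.scope == GLOBAL:
        return member.scope == GLOBAL and same_domain  # same-domain global groups only
    if container.scope == UNIVERSAL:
        return member.scope in (UNIVERSAL, GLOBAL)     # any domain, never domain local
    raise ValueError(f"unknown scope {container.scope!r}")

def violations(members: dict, native_mode: bool) -> list:
    """Audit {container: [user name or Group, ...]}; list the (member, container) pairs that break the rules."""
    return [(m, c) for c, ms in members.items()
            for m in ms if isinstance(m, Group) and not can_nest(m, c, native_mode)]

def effective_users(group: Group, members: dict) -> set:
    """Expand nested groups transitively to the user accounts that inherit the group's permissions."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in members.get(g, ()):
            if isinstance(m, Group):
                stack.append(m)  # membership cycles are harmless thanks to ``seen``
            else:
                users.add(m)
    return users

# Constructed sample following the three steps: one global group per domain, one domain local
# group for a printer in corp.mycompany.msft (name from the text; emea.mycompany.msft is made up).
SALES_CORP = Group("Sales", GLOBAL, "corp.mycompany.msft")
SALES_EMEA = Group("Sales", GLOBAL, "emea.mycompany.msft")
PRINTER_ACL = Group("Printer-Color1", DOMAIN_LOCAL, "corp.mycompany.msft")
MEMBERS = {SALES_CORP: ["alice", "bob"], SALES_EMEA: ["carla"], PRINTER_ACL: [SALES_CORP, SALES_EMEA]}
```

`violations(MEMBERS, native_mode=False)` is empty because global-into-domain-local is the one nesting mixed mode permits, while placing `PRINTER_ACL` inside `SALES_CORP` would be reported in either mode.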