Solved

Nested Security groups not working in AD

Posted on 2004-08-25
3
675 Views
Last Modified: 2013-12-04
I am trying to nest one security group into another so I do not have to add each user manually again to the new group, which from my understanding is supported and actually recommended.  

The project I am doing this for is to give our users a custom desktop depending on which group they are in.  When I add the group to the custom desktop group, the users are not getting the icons in other words they are not showing as though they are in the group.  I tested this by removing the nested group and placing my user in the top group and then the icons show up.

Any ideas on why the nested groups would not work, I can't find anything in google or MS site (big surprise).  I am in a windows 2003 native mode AD environment.

thanks
0
Comment
Question by:Brian Marquardt
  • 2
3 Comments
 
LVL 4

Accepted Solution

by:
WerewolfTA earned 75 total points
ID: 11913795
Are you perhaps confusing security groups with OU's?  OU's can be nested.  Security groups must have members explicitly added to them.  Group Policies are assigned to OU's.  Security Groups are more for doing things like applying NTFS/Share permissions to a group instead of a bunch of individual users.  

Security Groups are for security, not GPO distribution.  It's the location of the users within the OUs that determines which group policies they get (in this case, desktop settings), not the location of the security groups.  Because a user can only be in one OU, there's a direct logical line between the OU they're in and the domain policies so it's very clear which policies will apply and in what order from which OU's the user's OU is nested in.  On the other hand, a user could be in a bunch of security groups and depending on the location of those groups, could be getting conflicting GPO's applying at essentially the same level (5 down from the domain or whatever) creating a deadlock as to which should apply, so security group membership doesn't determine GPO's received.

If you're wanting a set of users to get certain desktop settings, your best bet would be to place them all in the same OU.  If that's not possible, such as you have HR and Finance users that have very distinct and different GPO requirements, make a GPO that just incorporates the desktop settings and apply to their respective OU's or a sub-OU if it should only affect a subset of each department and move the appropriate users/computers in there.  For all individual GPO's, you should disable either the Computer or User settings if none are being used in that GPO to speed processing.
0
 

Author Comment

by:Brian Marquardt
ID: 11956179
Nope,

I have a security group (per office) with users from that office in the group.  I also have a custom desktop security group in which users have to be a part of to get the desktop.  I was just trying to add the different branch groups instead off adding each individual user into the custom desktop group.  It seemed to be working sporatically, but we have figured it out to be that the users that it was not working for were taken out of that group and it was not replicated by the time I looked at it.

To many people working on the same problem

thanks for the response
0
 

Author Comment

by:Brian Marquardt
ID: 12444664
Good reason why people should use a change control log, if they would have put that in our log this would not have been an issue

Ticket Closed
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now