Solved

Nested Security groups not working in AD

Posted on 2004-08-25
680 Views
Last Modified: 2013-12-04
I am trying to nest one security group into another so I do not have to add each user manually again to the new group, which, from my understanding, is supported and actually recommended.

The project I am doing this for is to give our users a custom desktop depending on which group they are in. When I add the group to the custom desktop group, the users are not getting the icons; in other words, they are not showing as though they are in the group. I tested this by removing the nested group and placing my user in the top group, and then the icons show up.

Any ideas on why the nested groups would not work? I can't find anything on Google or the MS site (big surprise). I am in a Windows 2003 native mode AD environment.

Thanks
Question by:Brian Marquardt
3 Comments
 
LVL 4

Accepted Solution

by:
WerewolfTA earned 75 total points
ID: 11913795
Are you perhaps confusing security groups with OUs? OUs can be nested. Security groups must have members explicitly added to them. Group Policies are assigned to OUs. Security groups are more for doing things like applying NTFS/share permissions to a group instead of a bunch of individual users.

Security groups are for security, not GPO distribution. It's the location of the users within the OUs that determines which group policies they get (in this case, desktop settings), not the location of the security groups. Because a user can only be in one OU, there's a direct logical line between the OU they're in and the domain policies, so it's very clear which policies will apply and in what order from the OUs the user's OU is nested in. On the other hand, a user could be in a bunch of security groups and, depending on the location of those groups, could be getting conflicting GPOs applying at essentially the same level (5 down from the domain or whatever), creating a deadlock as to which should apply, so security group membership doesn't determine the GPOs received.

If you want a set of users to get certain desktop settings, your best bet would be to place them all in the same OU. If that's not possible, such as when you have HR and Finance users that have very distinct and different GPO requirements, make a GPO that just incorporates the desktop settings and apply it to their respective OUs, or to a sub-OU if it should only affect a subset of each department, and move the appropriate users/computers in there. For all individual GPOs, you should disable either the Computer or User settings if none are being used in that GPO, to speed processing.
 

Author Comment

by:Brian Marquardt
ID: 11956179
Nope.

I have a security group (per office) with users from that office in the group. I also have a custom desktop security group that users have to be a part of to get the desktop. I was just trying to add the different branch groups instead of adding each individual user into the custom desktop group. It seemed to be working sporadically, but we have figured out that the users it was not working for had been taken out of that group, and it had not replicated by the time I looked at it.

Too many people working on the same problem.

Thanks for the response.
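The sporadic behaviour described above (membership that depends on which domain controller answered) can be checked directly. This is an added example, not part of the thread: it asks every domain controller whether a user is a member of the desktop group through nesting, so DCs that disagree show replication has not converged yet. It assumes the ActiveDirectory PowerShell module; the user and group names are placeholders.

```powershell
# Added example: verify effective (nested) group membership on each DC.
# Assumes the ActiveDirectory module is available; names below are placeholders.
Import-Module ActiveDirectory

$User  = 'jdoe'            # placeholder sAMAccountName of the user to check
$Group = 'CustomDesktop'   # placeholder: the top-level desktop security group

$groupDn = (Get-ADGroup -Identity $Group).DistinguishedName

# Which groups are nested directly inside the desktop group (e.g. the branch groups)?
Write-Host "Groups nested in ${Group}:"
Get-ADGroupMember -Identity $Group |
    Where-Object { $_.objectClass -eq 'group' } |
    ForEach-Object { Write-Host "  $($_.Name)" }

# Ask every DC separately. The matching rule OID 1.2.840.113556.1.4.1941
# (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC walk nested membership itself,
# so a user who is only in a branch group still matches if that branch group
# is a member of $Group on that DC's copy of the directory.
$filter = "(&(sAMAccountName=$User)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"

foreach ($dc in Get-ADDomainController -Filter *) {
    $match = Get-ADUser -Server $dc.HostName -LDAPFilter $filter
    $state = if ($match) { 'member (via nesting)' } else { 'NOT a member on this DC' }
    '{0,-35} {1}' -f $dc.HostName, $state
}
```

If the DCs disagree, membership has changed but not yet replicated everywhere; note also that a user's access token is built at logon, so the new group only takes effect after the user logs off and on again.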
 

Author Comment

by:Brian Marquardt
ID: 12444664
Good reason why people should use a change control log; if they had put that in our log, this would not have been an issue.

Ticket Closed
