
Active Directory Groups, set up with Double Groups.

CobraCats asked:
I have recently taken over as admin for a company. One of my first tasks has been to clean up the Active Directory. I have user accounts that haven't been disabled, and groups and users in lots of OUs for no reason. Frankly, it is just messy. One of the things that has me stumped is the double groups. For example, I have a "Real Estate Global" group with users and a "Real Estate" group whose only member is the "Real Estate Global" group; and there is a "Reception Global" group with users and a "Reception" group with only "Reception Global" as a member. There are a few of these:
From what I can see, there are no GPO or security settings for this. Why would it be set this way?

Maybe they are following that old MS best practice of creating a domain local group and then cramming global groups inside of the domain local group.

They used to practice that back in the day.
> "They used to practice that back in the day."

And still do, in environments that contain multiple domains within a single forest or across trust relationships.  It's a matter of group scope, where certain types of groups can only contain users from or grant permissions to resources within the same domain.

If you're in a single-domain environment (you haven't specified), make everything a global group and be done with it.  If someone did AGUDLP group nesting in a single-domain environment, they were following MCSE exam-guide memorization bullet points without understanding how they do (and do not) apply in real-world scenarios.

Yes. I suppose I was mainly feeling what you mentioned in your second paragraph. Someone was studying for an exam and set it up (assuming single domain).
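
For anyone doing the same cleanup, here is a read-only way to list every "double group" pair and the scope of each side before deciding whether to flatten them. This is an added example, not something posted in the thread; the function name `Find-WrapperGroup`, the `example.local` DNs, the "Helpdesk" group and the scopes in the sample data are assumptions made up for illustration.

```powershell
# Added example (not from the thread). Read-only audit for the "double group"
# pattern: a group whose only member is another group.
function Find-WrapperGroup {
    param(
        # Objects exposing Name, GroupScope, DistinguishedName, Members (DN strings),
        # which is the shape Get-ADGroup -Properties Members returns.
        [Parameter(Mandatory)] [object[]] $Groups
    )
    # Index groups by DN so a member DN can be resolved to a group object.
    $byDn = @{}
    foreach ($g in $Groups) { $byDn[$g.DistinguishedName] = $g }

    foreach ($g in $Groups) {
        $members = @($g.Members)
        if ($members.Count -ne 1) { continue }      # not a single-member wrapper
        $inner = $byDn[[string]$members[0]]
        if ($null -eq $inner) { continue }          # sole member is not a group we were given
        [pscustomobject]@{
            Wrapper        = $g.Name
            WrapperScope   = [string]$g.GroupScope
            Inner          = $inner.Name
            InnerScope     = [string]$inner.GroupScope
            InnerMembers   = @($inner.Members).Count
            # Domain local wrapping global is the nesting the answers describe.
            LooksLikeAGDLP = ([string]$g.GroupScope -eq 'DomainLocal' -and
                              [string]$inner.GroupScope -eq 'Global')
        }
    }
}

# Constructed sample data: names from the question, DNs and scopes assumed.
$base = 'OU=Groups,DC=example,DC=local'
$sample = @(
    [pscustomobject]@{ Name = 'Real Estate Global'; GroupScope = 'Global'
        DistinguishedName = "CN=Real Estate Global,$base"
        Members = @("CN=User One,$base", "CN=User Two,$base") }
    [pscustomobject]@{ Name = 'Real Estate'; GroupScope = 'DomainLocal'
        DistinguishedName = "CN=Real Estate,$base"
        Members = @("CN=Real Estate Global,$base") }
    [pscustomobject]@{ Name = 'Helpdesk'; GroupScope = 'Global'   # one user, not a wrapper
        DistinguishedName = "CN=Helpdesk,$base"
        Members = @("CN=User One,$base") }
)
Find-WrapperGroup -Groups $sample | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory RSAT module):
#   Find-WrapperGroup -Groups (Get-ADGroup -Filter * -Properties Members)
#   (Get-ADForest).Domains.Count    # 1 means a single-domain forest
```

Group membership alone does not show where a wrapper group is referenced on file, share or application ACLs, so confirm it is unused on resources before removing or merging it.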
