
Active Directory Groups, set up with Double Groups.

Posted on 2008-01-28
Last Modified: 2010-03-17
I have recently taken over as admin for a company.  One of my first tasks has been to clean up the Active Directory. I have user accounts that haven't been disabled, and groups and users in lots of OUs for no reason.  Frankly, it is just messy.  One of the things that has me stumped is the double groups. For example, I have a "Real Estate Global" group with users and a "Real Estate" group whose only member is the "Real Estate Global" group; and there is a "Reception Global" group with users and a "Reception" group with only "Reception Global" as a member.  There are a few of these.
From what I can see there are no GPO or security settings for this, why would it be set this way?
Question by:CobraCats
LVL 11

Assisted Solution

PlaceboC6 earned 135 total points
ID: 20762658
Maybe they are following that old MS best practice of creating a domain local group and then cramming global groups inside of the domain local group.

They used to practice that back in the day.
LVL 30

Accepted Solution

LauraEHunterMVP earned 240 total points
ID: 20762814
> "They used to practice that back in the day."

And still do, in environments that contain multiple domains within a single forest or across trust relationships.  It's a matter of group scope, where certain types of groups can only contain users from or grant permissions to resources within the same domain.

If you're in a single-domain environment (you haven't specified), make everything a global group and be done with it.  If someone did AGUDLP group nesting in a single-domain environment, they were following MCSE exam-guide memorization bullet points without understanding how they do (and do not) apply in real-world scenarios.
LVL 11

Expert Comment

ID: 20762835
Yes.  I suppose I was mainly feeling what you mentioned in your second paragraph.  Someone was studying for an exam and set it up (assuming single domain).
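
A read-only audit for the pattern described in the question, added here as an example and not code from any poster in this thread: it lists every group whose only direct member is another group, shows both scopes, and reports how many domains the forest has. It assumes the RSAT ActiveDirectory module and a session in the domain being audited; the report column names are made up for this example.

```powershell
# Added example. Read-only: queries the directory, changes nothing.
Import-Module ActiveDirectory

# A single-domain forest is the case where the accepted answer says
# to make everything a global group.
$domainCount = (Get-ADForest).Domains.Count
Write-Host "Domains in forest: $domainCount"

$report = foreach ($wrapper in Get-ADGroup -Filter * -Properties member, memberOf) {
    # Candidate wrappers have exactly one direct member.
    if ($wrapper.member.Count -ne 1) { continue }

    try {
        # Get-ADGroup throws if the DN is not a group or cannot be resolved
        # from this domain; either way it is not a pair we can report on.
        $inner = Get-ADGroup -Identity $wrapper.member[0] -Properties member
    } catch {
        continue
    }

    [pscustomobject]@{
        Wrapper             = $wrapper.Name
        WrapperScope        = $wrapper.GroupScope
        Inner               = $inner.Name
        InnerScope          = $inner.GroupScope
        InnerDirectMembers  = $inner.member.Count
        # Non-zero means the wrapper is itself nested in other groups.
        WrapperIsMemberOf   = $wrapper.memberOf.Count
        # True for the "global group inside a domain local group" layout.
        GlobalInDomainLocal = ($wrapper.GroupScope -eq 'DomainLocal' -and
                               $inner.GroupScope -eq 'Global')
    }
}

$report | Sort-Object Wrapper | Format-Table -AutoSize
```

The report does not show where a wrapper group is referenced in ACLs on file shares or other resources, so check that separately before collapsing any pair.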
