Nesting groups

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Nesting groups

Using nesting, you can add a group as a member of another group. You nest groups to consolidate member accounts and reduce replication traffic.

Nesting options depend on whether the domain functionality of your Windows Server 2003 domain is set to Windows 2000 native or Windows 2000 mixed.

By default, when you nest a group within another group, user rights are inherited. For example, if you make Group_1 a member of Group_2, users in Group_1 have the same permissions as the users in Group_2.

Groups in domains set to the Windows 2000 native functional level or distribution groups in domains set to the Windows 2000 mixed functional level can have the following members:

  • Groups with universal scope can have the following members: accounts, computer accounts, other groups with universal scope, and groups with global scope from any domain.

  • Groups with global scope can have the following members: accounts from the same domain and other groups with global scope from the same domain.

  • Groups with domain local scope can have the following members: accounts, groups with universal scope, and groups with global scope, all from any domain. This group can also have as members other groups with domain local scope from within the same domain.

Security groups in domains set to the Windows 2000 mixed functional level are restricted to the following types of membership:

  • Groups with global scope can have as their members only accounts.

  • Groups with domain local scope can have as their members other groups with global scope and accounts.

Security groups with universal scope cannot be created in domains with the domain functional level set to Windows 2000 mixed because universal scope is supported only in domains where the domain functional level is set to Windows 2000 native or Windows Server 2003.

Note

You cannot add the default groups that are located in the Builtin container as members to other groups. However, you can add other groups as members to the default groups that are located in the Builtin container.

For more information about domain functionality, see Domain and forest functionality.