Defining a Security Group Nesting Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Security group nesting occurs when one security group is made a member of another security group. The nested group inherits all of the privileges and permissions that are granted to the parent, so every member of the nested group effectively holds them as well.

Note

  • A domain must be configured at the Windows 2000 native or Windows Server 2003 functional level in order for global groups to be nested within global groups or for domain local groups to be nested within domain local groups.

Unrestrained group nesting can result in access token size problems because the token contains the SIDs for each group of which the user is a member, either directly or indirectly. The default group membership limitation is 120 groups. For more information about issues related to group membership and access token size, see "Selecting Local Groups or Domain Local Groups as Resource Groups" earlier in this chapter. Additionally, if group nesting is not constrained by a nesting policy, it becomes difficult to know exactly which permissions might be inherited by members of a security group that is nested within another, or several other, security groups.

If your enterprise is organized according to the AG/RG model, you need to allow for some degree of nesting without allowing nested groups to proliferate. Design and follow an explicit nesting strategy so that nesting relationships among security groups are predefined and well understood. This helps to guard against including users in too many groups.
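As an added example (not part of this article and not a Microsoft-supplied script), the following PowerShell script audits the transitive group membership of one account with plain ADSI calls and reports the nesting problems described above: the effective group count measured against the 120-group limitation, the deepest nesting level, nesting cycles, and resource groups that have been nested inside account groups. The script name, the `AG-`/`RG-` name prefixes used to tell account groups from resource groups, and the maximum depth of 3 are assumptions made for this example; it must run on a domain-joined computer as a user who can read group objects.

```powershell
<#
Added example, not part of the original article. Audits the effective
(transitive) security group membership of one account and checks it
against a nesting policy.

Assumptions (not taken from the article):
  - runs on a domain-joined machine as a user allowed to read group objects;
  - the AG/RG model is expressed by the name prefixes "AG-" and "RG-";
  - the maximum nesting depth of 3 is a hypothetical policy value.
The 120-group figure is the default membership limitation the article cites.
#>
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [int]$MaxGroups = 120,
    [int]$MaxDepth  = 3
)

# Escape the characters that have meaning inside an LDAP search filter (RFC 4515).
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    return ($Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29')
}

# Direct parents of an object: the DNs listed in its memberOf attribute.
function Get-DirectParentGroups {
    param([string]$Dn)
    $searcher = [ADSISearcher]("(distinguishedName=" + (ConvertTo-LdapFilterValue $Dn) + ")")
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    $result = $searcher.FindOne()
    if ($null -eq $result) { return @() }
    return @($result.Properties['memberof'] | ForEach-Object { [string]$_ })
}

# Common name of a DN, for readable findings.
function Get-Cn { param([string]$Dn) if ($Dn -match '^CN=([^,]+)') { $Matches[1] } else { $Dn } }

$script:Effective = @{}   # group DN -> shortest nesting depth from the account
$script:Edges     = @{}   # "child|parent" -> edge object (deduplicated)
$script:Cycles    = New-Object System.Collections.Generic.List[object]

# Depth-first walk up the memberOf chain. A group already on the current path
# means a nesting cycle; a group reached earlier at equal or smaller depth is
# not expanded again.
function Trace-GroupNesting {
    param([string]$Dn, [int]$Depth, [string[]]$Path)
    if ($Path -contains $Dn) {
        $script:Cycles.Add(@($Path + $Dn))
        return
    }
    if ($script:Effective.ContainsKey($Dn) -and $script:Effective[$Dn] -le $Depth) { return }
    $script:Effective[$Dn] = $Depth
    foreach ($parent in Get-DirectParentGroups -Dn $Dn) {
        $script:Edges[$Dn + '|' + $parent] = [pscustomobject]@{ Child = $Dn; Parent = $parent }
        Trace-GroupNesting -Dn $parent -Depth ($Depth + 1) -Path ($Path + $Dn)
    }
}

$searcher = [ADSISearcher]("(sAMAccountName=" + (ConvertTo-LdapFilterValue $SamAccountName) + ")")
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'memberOf'))
$account = $searcher.FindOne()
if ($null -eq $account) { throw "Account '$SamAccountName' was not found." }
$accountDn = [string]$account.Properties['distinguishedname'][0]

foreach ($group in @($account.Properties['memberof'] | ForEach-Object { [string]$_ })) {
    Trace-GroupNesting -Dn $group -Depth 1 -Path @($accountDn)
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. Token size. memberOf omits the primary group (usually Domain Users), so
#    count one more; well-known SIDs added at logon are not counted here.
$tokenGroups = $script:Effective.Count + 1
if ($tokenGroups -gt $MaxGroups) {
    $findings.Add("Effective membership is $tokenGroups groups, above the $MaxGroups-group limitation.")
}

# 2. Nesting depth.
$deepest = $script:Effective.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 1
if ($deepest -and $deepest.Value -gt $MaxDepth) {
    $findings.Add("Group '$(Get-Cn $deepest.Key)' is reached at nesting depth $($deepest.Value) (policy maximum $MaxDepth).")
}

# 3. Cycles, which make inherited permissions impossible to reason about.
foreach ($cycle in $script:Cycles) {
    $findings.Add("Nesting cycle: " + (($cycle | ForEach-Object { Get-Cn $_ }) -join ' -> '))
}

# 4. AG/RG direction: account groups go into resource groups, never the reverse.
foreach ($edge in $script:Edges.Values) {
    $child = Get-Cn $edge.Child; $parent = Get-Cn $edge.Parent
    if ($child -like 'RG-*' -and $parent -like 'AG-*') {
        $findings.Add("Resource group '$child' is a member of account group '$parent' (violates AG/RG direction).")
    }
}

[pscustomobject]@{
    Account         = $SamAccountName
    EffectiveGroups = $tokenGroups
    DeepestNesting  = $(if ($deepest) { $deepest.Value } else { 0 })
    Findings        = $findings
}
```

Saved as, for instance, `Test-GroupNesting.ps1` (a hypothetical name), it is run as `.\Test-GroupNesting.ps1 -SamAccountName jdoe` and returns one object whose `Findings` list is empty when the account complies with the policy. Running it for the accounts that sit in the most groups, or for every account on a schedule, turns the written nesting policy into something that can be checked rather than only communicated.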

If you choose to apply a security group nesting policy in your organization, consider drafting specific guidelines for that policy and communicating them to all employees who have permission to add members to a group.