Nesting of local groups is not supported on workstations or member servers

Applies To: Windows 7

This article applies to the following operating systems:

  • Microsoft Windows® 2000 Server

  • Windows® XP Home Edition

  • Windows® XP Professional

  • Windows Server® 2003

  • Windows Server® 2008

  • Windows Vista®

Symptoms

When you attempt to add a local group (for example, Localgroup1) to the group membership of another local group (for example, Localgroup2) on the same client via the Computer Management snap-in, you get the following error when you click Check Names: "An object named 'Localgroup1' cannot be found. Check the selected object types and location for accuracy and ensure that you typed the object name correctly, or remove this object from the selection." This error message occurs even though each of the individual local groups named in the error message may exist on the machine.

Cause

This is the expected behavior of the Computer Management snap-in.

More information

On a Windows client, you can add user accounts from the local computer to local groups. Additionally, if the client participates in a domain, you can add user accounts and global groups from that domain and from trusted domains. Either can be done by using the Local Users section of the Computer Management snap-in or via the legacy command-line tool, net.exe. A user who belongs to a group has all the rights and permissions granted to that group. If a user is a member of more than one group, the user has all the rights and permissions granted to every group that user belongs to.

Adding a local group to the membership of another local group on the same computer results in nested local group membership. The Computer Management interface detects the attempt to nest local groups and displays the error message described in the Symptoms section. Although the command-line tool net.exe does permit creating a nested local group structure via the net localgroup syntax, the nested group membership does not function. The user's token reflects only the local group(s) the user was added to directly. The token will not list the outer (nesting) local group, and the user cannot access any resource to which permission has been granted via that outer local group.

Example

UserA is a direct member of Localgroup1 and Localgroup2. UserA's token at logon will include both Localgroup1 and Localgroup2. However, if UserB is a member of Localgroup1 and then Localgroup1 is added to the membership of Localgroup2 via the net localgroup command, UserB's token at logon will include Localgroup1 and will not list the nesting group Localgroup2.
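The following script is an added example, not part of the original article: it audits a computer for local groups that contain other local groups (the ineffective nesting described in More information) and lets you confirm the token behaviour from the Example by checking whether the current logon token actually carries a given group. It assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module; the group names Localgroup1 and Localgroup2 are taken from the article.

```powershell
# Added example (not from the original article). Assumes Windows PowerShell 5.1
# with the Microsoft.PowerShell.LocalAccounts module. On the older systems this
# article lists, "net localgroup <group>" shows the same member list.

function Find-NestedLocalGroups {
    # Report local groups whose members include another *local* group.
    # "net localgroup" accepts this nesting, but the nested membership is never
    # placed in a user's access token, so permissions granted to the outer group
    # silently have no effect for members of the inner group.
    foreach ($group in Get-LocalGroup) {
        # Groups with orphaned SIDs can make Get-LocalGroupMember throw; skip them.
        $members = Get-LocalGroupMember -Group $group.Name -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'Local') {
                [pscustomobject]@{
                    OuterGroup       = $group.Name
                    NestedLocalGroup = $m.Name
                    Finding          = 'Nested local group: not reflected in user tokens'
                }
            }
        }
    }
}

function Test-TokenHasGroup {
    # Check whether the *current* logon token carries a given group.
    # Logged on as UserB from the Example, this returns $true for 'Localgroup1'
    # and $false for 'Localgroup2', even though net localgroup shows the nesting.
    param([Parameter(Mandatory)][string]$GroupName)
    $tokenGroups = whoami.exe /groups /fo csv | ConvertFrom-Csv
    # Token entries are written as COMPUTER\Group; compare on the short name.
    return [bool]($tokenGroups | Where-Object {
        ($_.'Group Name' -split '\\')[-1] -ieq $GroupName
    })
}

Find-NestedLocalGroups | Format-Table -AutoSize
'Localgroup1', 'Localgroup2' | ForEach-Object {
    "{0} in current token: {1}" -f $_, (Test-TokenHasGroup -GroupName $_)
}
```

Any row reported by Find-NestedLocalGroups is a permission grant that will never take effect; move the inner group's users directly into the outer group (or into a domain group) to restore the intended access.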