Ping a Specific Port

Question

JoshRivers

Asked: 2011-10-15 07:26:09 +0800 CST2011-10-15 07:26:09 +0800 CST 2011-10-15 07:26:09 +0800 CST

Active Directory Nested Security Group

772

Can you nest Security Groups in active directory?

Are there limitations to the nesting?

Which versions of Windows Server/Active Directory support the nesting?

3 Answers

Voted

HostBits · Answer 1 · 2011-10-15T07:35:45+08:00

Best Answer

HostBits

2011-10-15T07:35:45+08:002011-10-15T07:35:45+08:00

Yes, AD supports group nesting in domains operating in windows 2000 native mode and higher. The limitations are based on the type of group you have.

There are three types:

Global
Domain Local
Universal

Global Groups can only contain accounts and other global groups from the domain the group resides in. They can be used in any domain within the AD forest (or trusted domains).

Domain Local groups can contain global/ Universal groups, computer objects, and accounts from any domain in the Forest (or trusted domains). The can only be used in the domain the group resides in.

Universal Groups can contain global/ Universal groups, computer objects, and accounts from any domain within the AD forest (or trusted domains). They can be used in any domain within the AD forest (or trusted domain).

Global Catalog severs will cache the members of Universal Groups.

8

Shane Madden · Answer 2 · 2011-10-15T07:40:14+08:00

Shane Madden

2011-10-15T07:40:14+08:002011-10-15T07:40:14+08:00

Short version: Yes.

Long version: Yes, but...

Nesting can be limited by the scopes of the groups in play; domain local, global, and universal.

A universal group can be a member of a universal group or a domain local group
A global group can be a member of any type of group - if it's another global, it must be from the same domain
A domain local group can be a member only of other domain local groups in the same domain

See here for more info on group scope here.

Additionally, be careful of badly behaved applications - some applications which read group membership from raw ldap based only on the members attribute of the group or the memberOf attribute of the user will miss the nested memberships.

Also, keep in mind that each group that a user is a member of will add to the size of their kerberos ticket if the group's in security mode. With too much nesting, beware of hitting the ticket size limit.

5

joeqwerty · Answer 3 · 2011-10-15T07:38:29+08:00

joeqwerty

2011-10-15T07:38:29+08:002011-10-15T07:38:29+08:00

Yes you can. Here are a few helpful articles:

http://technet.microsoft.com/en-us/library/cc783634(WS.10).aspx http://technet.microsoft.com/en-us/library/cc737585(WS.10).aspx

And you can find some scripts enabling to draw/graph nested groups here :

https://gallery.technet.microsoft.com/scriptcenter/Graph-Nested-AD-Security-eaa01644

1

Active Directory Nested Security Group

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?