I feel like this must be a FAQ but I've not been able to figure out the right terminology to find the answer.
I've got a large Active Directory group-of-groups that contains 101% of the users I would like to give access to a certain resource.
I'd like to somehow explicitly remove a few users from this group, but leave them in their original group (which is a member of the top-level group).
e.g.:
G1 = A,B,C
G2 = D,E,F
G3 = G1 + G2 - F = A,B,C,D,E
I think in some situations I could explicitly remove privileges like this via a group policy. That won't work in this case; I'm working with an Isilon NAS. It looks at group membership, nothing else.
The AD domain is managed by central IT; I believe it's running on Windows 2012 R2 now, but I'm not 100% sure of this.
I can't see any other solution than to create a separate group with the users that need the access. That way you'll also have one group for one purpose, which in my mind is how it should be done, as it gives far better transparency.
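
One way to build and maintain the separate group the answer describes, as an added example that is not part of the original posts. The group names and the excluded account are hypothetical placeholders, and it assumes the ActiveDirectory PowerShell module plus rights to manage the target group:

```powershell
# Added example: keep a flat access group equal to
# (nested source group, resolved to users) minus (explicit exclusions),
# i.e. G3 = G1 + G2 - F from the question.
Import-Module ActiveDirectory

$SourceGroup = 'G-Source-Nested'   # hypothetical: the existing group-of-groups
$TargetGroup = 'G-NAS-Access'      # hypothetical: dedicated group referenced by the NAS ACL
$Excluded    = @('userF')          # hypothetical: sAMAccountNames that must not get access

# Resolve the nested membership down to individual users and drop the exclusions.
$wanted = @(Get-ADGroupMember -Identity $SourceGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $Excluded -notcontains $_.SamAccountName } |
    Select-Object -ExpandProperty SamAccountName -Unique)

# Direct user members currently in the dedicated group.
$current = @(Get-ADGroupMember -Identity $TargetGroup |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName)

# Compute the difference in both directions so stale members are removed too.
$toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $TargetGroup -Members $toAdd
}
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $TargetGroup -Members $toRemove -Confirm:$false
}

# Summary line for the job log.
'{0}: added {1}, removed {2}, total {3}' -f $TargetGroup, $toAdd.Count, $toRemove.Count, $wanted.Count
```

The flat group does not follow later changes to the source groups, so the script has to be re-run (for example as a scheduled task) to pick up joiners and leavers.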