Active Directory groups make it much easier to manage access and assign permissions in a domain. You can add one AD group to others. These are called nested Active Directory groups. Nested groups are a convenient way to manage access in AD based on business roles.
However, when diagnosing permission issues, administrators may find that nested groups are the source of the problem. Most often, nested-group problems surface when troubleshooting Deny access rules and Group Policies, because a user can inherit a membership (and the deny that comes with it) through a group that is not visible in their direct membership list.
You cannot view a user's membership in nested AD groups using the Active Directory Users and Computers snap-in (dsa.msc). In this article, we will show you how to find out which nested groups a user is a member of.
The screenshot below shows that the user is a member of two AD groups besides the standard Domain Users: CA_IT_dept and CA_Server_Admins. You don’t see if the user is a member of any nested group.
You can use the dsget tool on the domain controller to display the full list of groups that the user is a member of, taking into account nested groups (the -expand and -memberof parameters):
dsget user "CN=Jon Brion,OU=Users,OU=California,OU=USA,DC=test,DC=com" -expand -memberof
In this example, the user is a member of 6 AD groups.
If you use the cmdlets of the PowerShell Active Directory module to get data about group members or user membership, they do not display nested groups either. For example, the following command lists only the groups the user is a direct member of:
Get-ADUser jbrion -Properties memberOf | Select-Object -ExpandProperty memberOf
Using the Get-ADGroupMember cmdlet with the -Recursive parameter, you can list all members of a group, including those added through nested groups. However, the output contains only leaf objects (users, computers, and other objects that have no members of their own); the nested groups themselves are not listed, so you cannot tell through which group a user became a member.
To get information about nested group membership in PowerShell, use the extensible LDAP matching rule LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941). This rule evaluates the membership attribute transitively, following the chain of group links through every level of nesting instead of matching only the first level (available starting from Windows Server 2003 SP2).
First, let's display the domain groups of which the user is a member using a plain LDAP filter, without the matching rule:
Get-ADGroup -LDAPFilter "(member=CN=Jon Brion,OU=Users,OU=California,OU=USA,DC=test,DC=com)" | ft -a
Now run the same query with the LDAP_MATCHING_RULE_IN_CHAIN rule:
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=CN=Jon Brion,OU=Users,OU=California,OU=USA,DC=test,DC=com)" | ft -a
As you can see, the second command displayed all of the user’s groups in the domain, including the nested ones.
Similarly, you can determine whether a user is a member of a specific security group. The first command shows only the direct members of the group:
Get-ADUser -LDAPFilter "(memberOf=CN=CA_Users,OU=Groups,OU=California,OU=USA,DC=test,DC=com)" | ft -a
Nobody has been added directly to the group. Now let’s try to display the members of this group through a nested group:
Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=CN=CA_Users,OU=Groups,OU=California,OU=USA,DC=test,DC=com)" | ft -a
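As an added example (not code from the original article), the following PowerShell function combines the two filters shown above to report, for each group the user effectively belongs to, whether the membership is direct and, if not, through which nested group it is reached. It assumes the RSAT ActiveDirectory module and a reachable domain; the user name jbrion is taken from the article, and the escaping helper is an assumption needed when a DN contains characters such as a backslash or parentheses.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module is installed and the domain (test.com in the article) is reachable.
Import-Module ActiveDirectory

# LDAP_MATCHING_RULE_IN_CHAIN: evaluates group membership through every nesting level.
$InChain = '1.2.840.113556.1.4.1941'

# Escape a DN for use as an LDAP filter value (RFC 4515). Needed when the DN
# contains '\', '(', ')' or '*', e.g. "CN=Brion\, Jon,OU=Users,..." (hypothetical).
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-EffectiveGroupMembership {
    param([Parameter(Mandatory)][string]$Identity)

    $dn = (Get-ADUser -Identity $Identity).DistinguishedName
    $f  = ConvertTo-LdapFilterValue $dn

    # Direct membership only: a plain 'member=' match, as in the first query above.
    $direct = @(Get-ADGroup -LDAPFilter "(member=$f)").DistinguishedName

    # Effective membership: every group reachable through any chain of nested groups.
    $all    = @(Get-ADGroup -LDAPFilter "(member:${InChain}:=$f)" -Properties member)
    $allDns = $all.DistinguishedName

    foreach ($g in $all) {
        # Child groups of $g that are themselves in the user's effective set explain
        # how an indirect membership is reached (this is what -Recursive does not show).
        $via = @($g.member | Where-Object { $allDns -contains $_ } |
                ForEach-Object { (Get-ADGroup -Identity $_).Name })
        [pscustomobject]@{
            Group  = $g.Name
            Scope  = $g.GroupScope
            Direct = [bool]($direct -contains $g.DistinguishedName)
            Via    = $via -join ', '
        }
    }
}

# Usage: groups marked Direct=False with a non-empty Via column are the nested
# memberships that dsa.msc does not show; check those first when a Deny rule misfires.
Get-EffectiveGroupMembership -Identity jbrion | Format-Table -AutoSize
```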
Microsoft provides the following guidelines for using nested groups that can simplify AD management:
- Do not use more than one level of group nesting;
- One security group should be a member of only one parent group;
- Do not use nested groups if Deny rights are implemented with these groups;
- A nested global security group must not have top-level privileges.