Saturday, September 8, 2012

Max number of nesting forests in cross-forest membership in AD groups

Some time ago we needed to determine the maximum number of forests that can be nested through cross-forest AD group membership. There are 3 types of AD group scopes:

  • Universal
  • Global
  • Domain local

Group scope determines what members a group may have and in which domains of the forest/tree you may assign permissions to the group. The following TechNet summary table describes, for each group scope, the possible members, the target domains where you can set permissions, and the group scopes it can be converted to:

Universal
  Group can include as members:
  • Accounts from any domain within the forest in which this Universal group resides
  • Global groups from any domain within the forest in which this Universal group resides
  • Universal groups from any domain within the forest in which this Universal group resides
  Group can be assigned permissions in: any domain or forest
  Group scope can be converted to:
  • Domain local
  • Global (as long as no other universal groups exist as members)

Global
  Group can include as members:
  • Accounts from the same domain as the parent global group
  • Global groups from the same domain as the parent global group
  Group can be assigned permissions in: any domain
  Group scope can be converted to:
  • Universal (as long as it is not a member of any other global groups)

Domain local
  Group can include as members:
  • Accounts from any domain
  • Global groups from any domain
  • Universal groups from any domain
  • Domain local groups, but only from the same domain as the parent domain local group
  Group can be assigned permissions in: only the same domain as the parent domain local group
  Group scope can be converted to:
  • Universal (as long as no other domain local groups exist as members)

Based on this table we can draw an interesting conclusion: cross-forest membership is possible for one level of nesting only (one hop). Only Domain local groups may have members from another forest: user accounts, Global groups and Universal groups, but not Domain local groups. A Domain local group may contain other Domain local groups only if those child groups are from the same domain as the parent group. At the same time, Global and Universal groups may have members only from their own domain/forest. So the maximum number of different forests nested through cross-forest membership is 1. You may add groups from many forests into a Domain local group, but the nesting level across forests is never greater than 1.

Probably MS did this consciously in order to limit the complexity of maintenance and avoid circular dependency problems (e.g. if it were possible to add Domain local groups from forest B as members of a Domain local group in forest A, two groups could end up having each other as a member). This information may be useful if you work with multi-forest environments and need to plan security group membership.
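The following is an added example, not part of the original post: a small Python model of the membership rules from the table above. It assumes a trust exists between the forests so that "any domain" for a Domain local group includes domains of trusted forests, and uses constructed forest, domain and group names. `forest_hops` validates a nesting chain against the table and counts how many forest boundaries the chain crosses, which illustrates why the count can never exceed 1.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    forest: str
    scope: Optional[str] = None  # None means a user/computer account


def can_be_member(parent: Principal, child: Principal) -> bool:
    """Apply the scope table: may `child` be a direct member of `parent`?"""
    if parent.scope == "Universal":
        # accounts, Global and Universal groups from any domain of the SAME forest
        return child.scope in (None, "Global", "Universal") and child.forest == parent.forest
    if parent.scope == "Global":
        # accounts and Global groups from the SAME domain only
        return child.scope in (None, "Global") and child.domain == parent.domain
    if parent.scope == "Domain local":
        # accounts, Global and Universal groups from any (trusted) domain;
        # Domain local groups only from the same domain as the parent
        if child.scope == "Domain local":
            return child.domain == parent.domain
        return child.scope in (None, "Global", "Universal")
    return False  # accounts cannot have members


def forest_hops(chain: List[Principal]) -> int:
    """Validate a nesting chain (outermost group first, account last) and
    return the number of forest boundaries crossed along it."""
    for parent, child in zip(chain, chain[1:]):
        if not can_be_member(parent, child):
            raise ValueError(f"{child.name} cannot be a member of {parent.name}")
    return sum(1 for p, c in zip(chain, chain[1:]) if p.forest != c.forest)


# Constructed sample principals: forests A, B and C, one domain each.
DL_A = Principal("DL-FileShare", "corp.a.example", "A", "Domain local")
DL_B = Principal("DL-Other", "corp.b.example", "B", "Domain local")
UNI_B = Principal("UNI-Staff", "corp.b.example", "B", "Universal")
GLB_B = Principal("GLB-Finance", "corp.b.example", "B", "Global")
GLB_C = Principal("GLB-Audit", "corp.c.example", "C", "Global")
USER_B = Principal("jdoe", "corp.b.example", "B")

if __name__ == "__main__":
    # Valid chain A -> B -> B -> B: exactly one forest boundary is crossed.
    print(forest_hops([DL_A, UNI_B, GLB_B, USER_B]))
    # Neither DL_A <- DL_B nor UNI_B <- GLB_C is allowed, so no second hop exists.
    print(can_be_member(DL_A, DL_B), can_be_member(UNI_B, GLB_C))
```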
