One nice benefit of Active Directory (AD) over Windows NT is that AD supports complex group nesting: a group can be a member of another group, to any depth. Nested groups give you flexibility in designing your group structure and applying ACLs to resources. Full nesting becomes available as soon as you raise a domain out of Windows 2000 mixed mode (which keeps NT 4.0 compatibility and lets you nest only global groups inside domain local groups) to Windows 2000 native mode or the Windows Server 2003 domain functional level.
Nested groups are powerful, but they also add complexity. Because a member of a group might itself be a group, the list of direct members doesn't tell you which users an ACE granted to that group actually reaches: access is effective for every user anywhere in the nesting chain, no matter how many levels down. The Microsoft Management Console (MMC) Active Directory Users and Computers snap-in doesn't provide much help because the Members and Member Of tabs display only direct membership. You have to double-click each member group to view its membership individually, and repeat that for every level. But a simple script that walks the nesting recursively can take the legwork out of drilling down through nested-group membership.
Group Attributes
To illustrate group nesting, consider a group structure that mimics the hierarchy of a university's Computer Science department. Each class in the department is a group consisting of the students who have signed up for the class. Together, all the departmental class groups make up the Computer Science department group. Finally, the Computer Science department group is a member of the Engineering school group. This nested group structure provides the flexibility to grant access to resources to as broad an audience as everyone in the Engineering school or to as limited an audience as only the students in a particular Computer Science class. . . .
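The following PowerShell script is an added example, not the article's own script. It expands a group recursively, reporting every user that gains access through any level of nesting together with the chain of groups that carries the access, and it guards against circular nesting so a group that (directly or indirectly) contains itself can't send the script into an infinite loop. It assumes the RSAT ActiveDirectory module and a group named 'Engineering School' (a hypothetical name; substitute one from your domain). The final two lines show the same flattened result obtained server-side with an LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) filter, which is much faster on large hierarchies but reports only that a user is a transitive member, not how.

```powershell
# Added example (not from the original article). Recursively expands an AD group and
# lists every user the group's ACEs effectively reach, with the nesting chain for each.
# Assumes the RSAT ActiveDirectory module; 'Engineering School' is a hypothetical group name.
Import-Module ActiveDirectory

function Get-NestedGroupUsers {
    param(
        [Parameter(Mandatory)] [string]    $GroupName,
        [hashtable] $Visited = @{},   # DNs of groups already expanded: guards against circular nesting
        [string]    $Path    = ''     # nesting chain so far, used only for the report
    )
    $group = Get-ADGroup -Identity $GroupName
    if ($Visited.ContainsKey($group.DistinguishedName)) { return }   # seen before: skip, no infinite recursion
    $Visited[$group.DistinguishedName] = $true
    $chain = if ($Path) { "$Path > $($group.Name)" } else { $group.Name }

    foreach ($member in Get-ADGroupMember -Identity $group) {
        switch ($member.objectClass) {
            # A member group is expanded in turn, sharing the visited set and extending the chain
            'group' { Get-NestedGroupUsers -GroupName $member.DistinguishedName -Visited $Visited -Path $chain }
            'user'  { [pscustomobject]@{ User = $member.SamAccountName; Via = $chain } }
            # Computers and foreign security principals also receive the access; report them too
            default { [pscustomobject]@{ User = "$($member.SamAccountName) ($($member.objectClass))"; Via = $chain } }
        }
    }
}

# Walk the example hierarchy: Engineering School > Computer Science Dept > individual class groups
Get-NestedGroupUsers -GroupName 'Engineering School' |
    Sort-Object User, Via |
    Format-Table -AutoSize

# Server-side alternative: one LDAP query returns the transitive closure of the group.
# (If the DN contains LDAP filter metacharacters such as parentheses, escape them first.)
$dn = (Get-ADGroup -Identity 'Engineering School').DistinguishedName
Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" | Select-Object SamAccountName
```

Run the script as an account that can read group membership in the domain. A user who appears more than once in the report is reachable through several chains, which is worth knowing before you remove them from one group expecting the access to disappear. The built-in `Get-ADGroupMember -Recursive` switch also flattens membership, but it returns only the final user list; the explicit walk above is what you want when you need to explain why a given user has access.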