Nesting groups

Using nesting, you can add a group as a member of another group. You can nest groups to consolidate group management by increasing the affected member accounts and to reduce replication traffic caused by replication of group membership changes.

Your nesting options depend on whether the domain is in native mode or mixed-mode. Groups in native-mode domains or distribution groups in mixed-mode domains have their membership determined as follows:

• Groups with universal scope can have as their members: accounts, computer accounts, other groups with universal scope, and groups with global scope from any domain.
• Groups with global scope can have as their members: accounts from the same domain and other groups with global scope from the same domain.
• Groups with domain local scope can have as their members: accounts, groups with universal scope, and groups with global scope, all from any domain. They can also have as members other groups with domain local scope from within the same domain.

Security groups in a mixed-mode domain are restricted to the following types of membership:

• Groups with global scope can have as their members only accounts.
• Groups with domain local scope can have as their members other groups with global scope and accounts.

Security groups with universal scope cannot be created in mixed-mode domains because universal scope is supported only in Windows 2000 native-mode domains.