Nested Groups: Adding Windows Domain Groups to Windows Local Groups
This functionality is known as nested groups and was first added to Samba-3.0.3. All MS Windows products since the release of Windows NT 3.10 support the use of nested groups. Many Windows network administrators depend on this capability because it greatly simplifies security administration.
The nested group architecture was designed with the premise that day-to-day user and group membership
management should be performed on the domain security database. The application of group security
should be implemented on domain member servers using only local groups. On the domain member server,
all file system security controls are then limited to use of the local groups, which will contain
domain global groups and domain global users.
You may ask, what are the benefits of this arrangement? The answer is obvious to those who have plumbed
the dark depths of Windows networking architecture. Consider for a moment a server on which are stored
200,000 files, each with individual domain user and domain group settings. The company that owns the
file server is bought by another company, resulting in the server being moved to another location, and then
it is made a member of a different domain. Who would you think now owns all the files and directories?
Answer: Account Unknown.
Unraveling the file ownership mess is an unenviable administrative task that can be avoided simply
by using local groups to control all file and directory access control. In this case, only the members
of the local groups will have been lost. The files and directories in the storage subsystem will still
be owned by the local groups. The same goes for all ACLs on them. It is administratively much simpler
to replace the Account Unknown membership entries inside local groups with appropriate
entries for domain global groups in the new domain that the server has been made a member of.
Another prominent example of the use of nested groups involves implementation of administrative privileges
on domain member workstations and servers. Administrative privileges are given to all members of the
built-in local group Administrators on each domain member machine. To ensure that all domain
administrators have full rights on the member server or workstation, on joining the domain, the
Domain Admins group is added to the local Administrators group. Thus everyone who is
logged into the domain as a member of the Domain Admins group is also granted local administrative
privileges on each domain member.
UNIX/Linux has no concept of support for nested groups, and thus Samba has for a long time not supported
them either. The problem is that you would have to enter UNIX groups as auxiliary members of a group in
/etc/group. This does not work because it was not a design requirement at the time
the UNIX file system security model was implemented. Since Samba-2.2, the winbind daemon can provide
/etc/group entries on demand by obtaining user and group information from the domain
controller that the Samba server is a member of.
In effect, Samba supplements the /etc/group data via the dynamic NSS winbind
mechanism. Beginning with Samba-3.0.3, this facility is used to provide
local groups in the same manner as Windows does it. It works by expanding the local groups on the
fly as they are accessed. For example, the Domain Users group of the domain is made
a member of the local group demo. Whenever Samba needs to resolve membership of the
demo local (alias) group, winbind asks the domain controller for the members of the Domain Users
group. By definition, it can only contain user objects, which can then be faked to be members of the
local group demo.
To enable the use of nested groups, the winbind daemon must be used together with NSS winbind.
Creation and administration of the local groups is done best via the Windows Domain User Manager or its
Samba equivalent, the utility net rpc group. Creating the local group demo is achieved by executing:
root# net rpc group add demo -L -Uroot%not24get
Here the -L switch means that you want to create a local group. It may be necessary to add -S and -U
switches for accessing the correct host with appropriate user or root privileges. Adding and removing
group members can be done via the addmem and delmem subcommands of the
net rpc group command. For example, addition of “DOM\Domain Users” to the local group
demo is done by executing:
net rpc group addmem demo "DOM\Domain Users"
Having completed these two steps, executing getent group demo
will list the members of the global Domain Users group as members of the group
demo. This also works with any local or domain user. In case the domain DOM trusts
another domain, it is also possible to add global users and groups of the trusted domain as members of
demo. The users from the foreign domain who are members of the group that has been
added to the demo group now have the same local access permissions as local domain users.
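As an added example (not part of the Samba HOWTO), the following POSIX shell script checks the result of the getent step: it parses a getent group line and verifies that the expected domain users were expanded into the local group. The sample line, the group name demo and the members DOM\alice and DOM\bob are constructed; in practice the line would be taken from getent group demo.

```shell
#!/bin/sh
# Constructed sample of what `getent group demo` returns once winbind has
# expanded the local (alias) group: domain users show up as DOM\user.
# In production replace it with: SAMPLE_GETENT=$(getent group demo)
SAMPLE_GETENT='demo:x:10001:DOM\alice,DOM\bob,localuser'

# Print one member per line from the fourth (member list) field of a
# getent group line; an empty member list prints nothing.
group_members() {
  printf '%s\n' "$1" | awk -F: '{
    n = split($4, m, ",")
    for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
  }'
}

# Exit 0 if user $2 is listed in the getent line $1. The match is literal
# and whole-line (-F -x), so the backslash in DOM\alice is not an escape
# and a bare "alice" does not match "DOM\alice".
is_member() {
  group_members "$1" | grep -Fxq -- "$2"
}

# Verify that every expected member (remaining args) appears in line $1.
# Returns the number of missing members, so 0 means the expansion worked.
verify_nested() {
  line=$1
  shift
  missing=0
  for u in "$@"; do
    if ! is_member "$line" "$u"; then
      echo "missing from ${line%%:*}: $u" >&2
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}
```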