Active Directory

How to Get Nested Group Membership Report in Active Directory

Nested groups in Active Directory allow hierarchical permission management by placing one group inside another. However, deeply nested groups can make it difficult to identify all members and determine who truly has access to resources. This lack of visibility complicates permission auditing and can lead to direct security risks, such as unintended privilege escalation. Therefore, this guide explains how to find all nested group members in Active Directory to ensure accurate access control and stronger governance across your organization.

Identify Nested Group Members in Active Directory Using AUDC

Active Directory Permissions Required

Account Operator Least Privilege

Administrators Most Privilege

Open the Active Directory Users and Computers (ADUC) console, then click the Find icon on the toolbar.
In the ‘Find’ drop-down menu, select Custom Search. Then, in the 'In' field, choose the domain you want to search.
Navigate to the Advanced tab, enter the following LDAP query, and click Find Now to retrieve all groups with members.
```
(&(objectCategory=group)(member=*))
```
Next, locate the group you want to investigate, double-click it, and go to the Members tab.
Double-click each subgroup it contains, then go to the Members tab to view all members of a specific nested group.

Identify Nested Group Members in Active Directory Using AUDC

Handy Tip💡: Use the Member Of tab to view the parent group of a specific nested group.

Export All Nested Group Members Using Active Directory PowerShell

Active Directory Permissions Required

Account Operator Least Privilege

Administrators Most Privilege

While the above method can be used to find the membership details of a specific nested group, the process can be quite tedious. You have to manually go through each group to identify nested ones and then check every subgroup to view their members.
To make this easier, you can use PowerShell to quickly retrieve all nested group members in Active Directory at once without any additional steps.
First, ensure the Active Directory module is installed and imported in your environment.
Then, run the following cmdlet after replacing <OutputPath> with your desired file path to export all nested group membership details as a CSV file.

Windows PowerShell

 $AllGroups = Get-ADGroup -Filter *
$MemberGroups = $AllGroups | ForEach-Object {
    Get-ADGroupMember $_ -Recursive:$false | Where-Object { $_.objectClass -eq 'group' }
} | Select-Object -ExpandProperty SamAccountName -Unique
$TopGroups = $AllGroups | Where-Object { $MemberGroups -notcontains $_.SamAccountName }
function Get-NestedMembers {
    param($Group, $TopGroup, $Level = 1)
    Get-ADGroupMember $Group | ForEach-Object {
        [PSCustomObject]@{
             MemberName  = $_.Name
             MemberType  = $_.objectClass
             ParentGroup = $Group
             TopGroup    = $TopGroup
             NestedLevel = $Level
        }
        if ($_.objectClass -eq 'group') {
            Get-NestedMembers -Group $_.SamAccountName -TopGroup $TopGroup -Level ($Level + 1)
        }}}
   $Result = $TopGroups | ForEach-Object { Get-NestedMembers -Group $_.SamAccountName -TopGroup $_.Name }
$Result | Export-Csv "<OutputPath.csv>" -NoTypeInformation

This exports all AD nested group members to a CSV file along with details such as member name, type, parent group, top group, and nested level.

Export All Nested Group Members Using Active Directory PowerShell

Simple & Quick
Find Active Directory Nested Group Members Using AdminDroid

AdminDroid Permission Required Delegated

Any user with report access delegated by the Super Admin.

Log in to the AdminDroid Active Directory Companion.
Access the Nested Group Membership report from the AD Reports»Groups»Group Membership.
This report lists all Active Directory nested group memberships with details such as member name, member type, parent group name, nested level, and more.
Use the download option in the top-right corner to export the Active Directory nested group membership list as an HTML, CSV, PDF file, etc.

Find Active Directory Nested Group Members Using AdminDroid

AdminDroid Active Directory Reporter

Gain Visibility into Nested Active Directory Groups for Secure Permission Management!

AdminDroid’s Active Directory reporting tool makes managing nested group structures easy with comprehensive reports. With advanced reporting, smart customization, in-depth filtering, alerting, and more, AdminDroid helps to ensure proper group assignments and prevents potential permission issues across the organization.

Stay Alert on Privileged Access Inheritance Through Nested Groups in Active Directory

Utilize the membership changes in privileged groups alert policy template to receive alerts whenever a group is nested under a privileged group, thereby granting elevated access.

Trace Top Nested Groups by Membership for Better Access Management in Active Directory

Utilize the Active Directory group membership dashboard to identify top nested groups by membership count and uncover overprovisioned groups to optimize the group structure.

Evaluate Recently Deleted Groups From Nesting to Prevent Access Disruptions

Check recently deleted groups from nested structures in Active Directory to ensure timely restoration of inherited permissions and prevent unintended access issues.

Assign Managers to Nested Groups for Effective Membership Management

Use the groups without manager report to designate a responsible manager for each critical nested group to ensure accountability and effective membership management.

Find Empty Nested Groups in Active Directory for Proper Membership Assignment

Identify empty groups that are being nested under another group to add necessary users or safely remove the group from the nested structure in Active Directory.

Track Nested Security Groups Membership to Prevent Unauthorized Access

Evaluate nested security group memberships to detect unauthorized users and prevent accidental inheritance of excessive or unintended permissions.

Overall, AdminDroid's Active Directory management tool simplifies tracking nested group memberships. Its advanced features let you gain quick insights into hierarchies across all group types and detect unauthorized modifications. This helps you maintain tighter control over your nested group structure across your Active Directory.

Explore a full range of reporting options

Download Live Demo

Important tips

Limit deep nesting of groups in Active Directory to avoid complex permission inheritance and performance degradation during the authentication process.

Apply meaningful naming conventions for groups that reflect their scope and purpose to simplify management, enhance clarity, and minimize errors when nesting groups.

Prevent circular nesting by ensuring that groups are never nested within themselves, directly or indirectly, to avoid unpredictable access rights.

Common Errors and Resolution Steps

Below are the possible errors and troubleshooting hints when handling nested group membership in Active Directory.

Error Add-ADGroupMember : Cannot find an object with identity: '<Group name>' under: 'DC=<YourDomain>,DC=<Com>'.

This error occurs in PowerShell when the ADD-ADGroupMember cmdlet is executed with a group name that does not exist in your directory.

Fix Verify the object's SAM account name and spelling before executing the ‘Add-ADGroupMember’ cmdlet, and ensure the object is in the same directory.

Error Get-ADGroup : The term 'Get-ADGroup' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error occurs when you attempt to execute the Get-ADGroup cmdlet to get nested group membership details without importing the Active Directory PowerShell module.

Fix To resolve this error, first import the Active Directory PowerShell module using the cmdlet below and then execute the Get-ADGroup cmdlet.

Import-Module ActiveDirectory

Error The object <ObjectName> is already in the list and cannot be added a second time.

This error occurs in ADUC when you try to add a user, contact, or group to a group that is already a member, as Active Directory does not allow duplicate memberships.

Fix Check the existing group members before adding a new one by using the following cmdlet.

Get-ADGroupMember -Identity "GroupName"

Error Add-ADGroupMember : A global group cannot have a universal group as a member.

This error occurs in PowerShell when the Add-ADGroupMember cmdlet is executed with a group name that does not exist in your directory.

Fix By default, a global group can only contain users or global groups from the same domain. To nest a universal group, convert the global group to a universal or domain local group. Alternatively, create a new group of universal or domain local group type with the same purpose and members, then add the universal group.

Error Object <GroupName> cannot be added to group <GroupName> because : A global group cannot have a local group as a member.

This error occurs when you try to add a domain local group as a member of a global group in Active Directory.

Fix To avoid this error, convert the global group to a universal group using the following PowerShell cmdlet. Alternatively, create a new group with the appropriate scope, then add the domain local group as a member.

Set-ADGroup -Identity "<GroupName>" -GroupScope Universal

Active Directory

Frequently Asked Questions

Easily Manage Active Directory Nested Groups to Optimize Access Control!

How to add a group as a member of another group in Active Directory?

How to remove a nested group membership in Active Directory?

What are the best practices for nesting groups in Active Directory?

How to find all nested groups in Active Directory?

What is a circular nested group and how to find it in Active Directory?

What are the advantages and disadvantages of nested groups in Active Directory?

1. How to add a group as a member of another group in Active Directory?

Nesting groups in Active Directory provide an efficient way to manage permissions within larger groups with specific scopes. Instead of assigning permissions to each user individually, administrators can assign them to groups. As a result, nested groups automatically inherit those permissions. This structure creates a clear hierarchy that simplifies access management across the environment.

Create a nested group in Active Directory

Open the Active Directory Users and Computers console, navigate to the respective OU, and double-click the group you want to nest.
In the Properties window, go to the Member Of tab, and click Add.
Specify the parent group’s name in the Enter the object names to select field, click Check Names, and select the group.
If you want to add more than one group, repeat this step to add all the required groups.
After selecting all the required groups, click OK.
Finally, click Apply and then OK to save your changes.

Configure a nested group in Active Directory using PowerShell

You can use PowerShell to add multiple groups as nested groups without manual navigation and repetitive steps.

Run the following cmdlet to nest multiple groups into a particular group at once.

Add-ADGroupMember -Identity "<ParentGroupName>" -Members "<Group1>", "<Group2>”, “<Group3>"

Provide a list of child group names as comma-separated values directly in the -Members parameter, and replace <ParentGroupName> with the respective parent group name.
To ease this process, you can use a CSV file that lists the respective group names, as shown here.

Then, execute the following cmdlet after replacing the appropriate values to nest multiple groups in a single step.

$Groups = Import-Csv "<FilePath>" 
Add-ADGroupMember -Identity "<ParentGroupName>" -Members $Groups.<RespectiveColumnName>

Quickly configure nested groups in AdminDroid 365 with one-click actions!

Utilize AdminDroid’s Active Directory management actions to configure nested group memberships instantly.
With this feature, you can nest multiple groups at once and ensure efficient, hassle-free Active Directory management.

2. How to remove a nested group membership in Active Directory?

Over time, nested groups can accumulate redundant memberships, which complicate access management. Additionally, in certain cases, circular nesting occurs, where groups become members of each other in a loop. This creates a confusing web of inherited permissions that may result in chaotic permission assignments in Active Directory.

To prevent these issues, you may need to remove some groups from nested structure to ensure access rights remain accurate across the organization.

Remove a group from a nested group in Active Directory

Open the ADUC console, navigate to the desired parent group, and doube-click it.
In the Properties window, go to the Members tab, then select the nested group you want to remove.
Click Remove, then choose Yes in the confirmation dialog box to proceed, and finally select OK to save the changes.

remove-group-nested-group-active-directory

Remove a group from a nested group using PowerShell

Instead of manually navigating to each nested group's Members Of tab, you can use PowerShell to remove members from nested groups.
Run the following cmdlet after you replace <ParentGroupName> and <SubGroupName> with the appropriate values.
```
Remove-ADGroupMember -Identity "<ParentGroupName>" -Members "<SubGroupName>" -Confirm:$false
```
To remove multiple nested groups at once, list their names as comma-separated values in the -Members parameter. Alternatively, you can use a CSV file containing group information to simplify bulk removal by using the cmdlet below.

Ensure <FilePath>, <ParentGroupName>, and <RespectiveColumnName> are replaced with the appropriate values before executing the cmdlet.

$Groups = Import-Csv "<FilePath>" 
Remove-ADGroupMember -Identity "<ParentGroupName>" -Members $Groups.<RespectiveColumnName>  -Confirm:$false

If you don’t want to remove the entire group, you can specify the subgroup in the -Identity parameter and list the users you want to remove from that subgroup in the -Members parameter.

Handy tip💡: In addition to robust reporting, AdminDroid’s management capabilities allow you to remove nested group memberships directly from the report. Just navigate to Remove From Group option under Active Directory Management Actions»Membership to remove the nested group.

3. What are the best practices for nesting groups in Active Directory?

Group nesting is one of the most powerful techniques to effectively manage permissions and access in Active Directory. However, without a clear strategy, it can quickly become complex and difficult to manage permissions in Active Directory.

Here are the key practices for both single-domain and multi-domain environments:

AGDLP - Accounts»Global groups»Domain local groups»Permission assignment
AGUDLP - Accounts»Global groups»Universal groups»Domain local groups

Note: Distribution groups are meant for email communication, not for permissions. Avoid nesting them into security groups to prevent security vulnerabilities in permission management.

For users within a single domain (AGDLP Model)

When all members belong to the same Active Directory domain, follow these steps to structure group nesting effectively:

Add users and computers to global groups: Organize accounts into global groups based on roles or departments in the same domain.
Add global groups to domain local groups: Nest global groups into appropriate domain local groups to centralize permission management.
Grant domain local groups access to resources: Use domain local groups to control access to resources within the domain, such as shared folders, printers, and applications.

For users across multiple domains (AGUDLP Model)

For environments with multiple trusted domains, implement nesting using this approach:

Add users and computers to global groups: Keep accounts organized into global groups for various domains across the forest.
Add global groups to universal groups: Combine global groups from different domains into respective universal groups to simplify cross-domain access in a multi-domain forest. These universal groups can be members of domain local groups or other universal groups, but they cannot be placed inside global groups.
Add universal group to domain local group: Assign permissions to the domain local groups from the same domain or any trusted domain inside or outside the forest and combine them into universal groups to manage resource access centrally.

4. How to find all nested groups in Active Directory?

In large organizations, administrators often rely on group nesting to simplify the assignment of resource access for their members. By identifying all groups that are nested within a particular group, organizations can gain complete visibility into group hierarchies and ensure that each group inherits only the necessary privileges. Since native methods fall short in this regard, we can use PowerShell to list all nested groups in Active Directory.

Find all nested groups in Active Directory using PowerShell

Execute the script below to get a list of groups within a nested Active Directory group.

$AllGroups = Get-ADGroup -Filter *
$GroupsWithNested = foreach ($Group in $AllGroups) {
    $NestedGroups = Get-ADGroupMember -Identity $Group.SamAccountName -Recursive:$false | Where-Object { $_.objectClass -eq 'group' }
    if ($NestedGroups) {
        [PSCustomObject]@{
            GroupName    = $Group.SamAccountName
            NestedGroups = ($NestedGroups | Select-Object -ExpandProperty SamAccountName) -join ", "
        }}}
  $GroupsWithNested | Format-Table -AutoSize

find-nested-groups-active-directory-powershell

Keep track of all nested group additions or removals in real time with AdminDroid!

Stay informed in real time with AdminDroid by getting email and Teams notifications for unauthorized changes in all nested groups.

find-nested-groups-active-directory-admindroid

5. What is a circular nested group and how to find it in Active Directory?

In Active Directory, it's common to have a group as a member of another group at multiple levels. Unfortunately, it is also possible to create a group as a member of itself, directly or indirectly, which forms a circular relationship. These circular nestings turn a neat system into a tangled mess and make it difficult for administrators to track its membership details.

However, there is no simple way to detect circular nesting in Active Directory, as we have to inspect several groups to find pairs of groups that are members of each other. To simplify the process, you can use PowerShell to effectively find circular nested groups and manually fix any circular nesting you discover.

Detect circular nested groups in Active Directory using PowerShell

Run the following PowerShell script to find all circularly nested groups in Active Directory.

function Find-CircularGroups {
    param($Group, $Path = @($Group))
    try {
        $groupInfo = Get-ADGroup $Group -ErrorAction Stop
        $members = Get-ADGroupMember $Group -ErrorAction Stop | Where-Object { $_.objectClass -eq 'group' }
    } catch { return }
    foreach ($member in $members) {
        if ($Path -contains $member.Name) {
            [PSCustomObject]@{
                CircularNestedGroup = $Group
                GroupScope          = $groupInfo.GroupScope
                GroupType           = $groupInfo.GroupCategory
                CircularType        = if ($Path[-1] -eq $member.Name) { "Direct" } else { "Indirect" }
                NestedPath          = ($Path + $member.Name) -join " / "
            }
        } else {
            Find-CircularGroups $member.Name ($Path + $member.Name)
        }}}
  $CircularNested = Get-ADGroup -Filter * | ForEach-Object { Find-CircularGroups $_.Name }
if (!$CircularNested.Count) { 
    Write-Host "No circular nested groups found." 
} else { 
    $CircularNested | Format-Table -AutoSize
}

detect-circular-nested groups-active-directory-powershell

6. What are the advantages and disadvantages of nested groups in Active Directory?

While nested groups simplify the process of giving access to resources, they also introduce certain complexities such as group policy inconsistencies, authentication & authorization failures and more. Therefore, administrators must understand both the advantages and disadvantages of using nested group features to leverage them effectively and avoid potential pitfalls.

Advantages of nesting groups in Active Directory

Group-centric permission management Instead of assigning permissions directly to individual users, you can assign them to a parent group and nest child groups within it. This reduces redundancy and makes access control more organized.
Scalability for large organizations When managing thousands of users, nested groups help administrators organize access hierarchies in a logical way (for example, department → team → project), which makes it easier to scale permissions.
Effective Role-Based Access Control (RBAC) Nested groups align well with RBAC models. You can create role-specific groups and place them under broader access groups to ensure consistent permission management across systems and applications.
Efficient access inheritance Adding or removing a user in a child group automatically updates their inherited access via the parent group. This reduces repetitive permission assignments.

Disadvantages of nested groups in Active Directory

Complex permission structures Deep nesting can make it difficult to track effective permissions, especially when groups are spread across multiple levels.
Authentication and authorization delays Excessive nesting may affect authentication and authorization performance, especially when members are accessing resources in large environments.
Risk of over-privileged access Improper or circular nesting can grant users more access than intended, which can distort access paths and potentially lead to an entangled permissions hierarchy.