Active Directory on-premises, basic rules.


Hello everyone! Not sure this is the correct place to ask, but I didn't find a more suitable group. I want to ask a question regarding Active Directory group basics. Everyone remembers the rule: if we have two AD domains (in one tree) and we want to add a user from the first domain into a group in the second, we need to create a group in the first domain, add the user into it, and add this group into the group in the other domain. We should not do it the other way: adding a user from the first domain directly into the group in the second domain. I want to ask everyone, is this rule still current in 2020? Is this rule based on technical limitations, or is it just a best practice?

2 Replies
best response confirmed by aero2466 (Contributor)


Found the article

These groups are called "nested", and nesting is meant to simplify AD administration. But there is no technical limitation behind it.



Yes, this is more of a best practice for managing users in AD groups.

The limitation is trying to add a user from Forest A into a group that is in Forest B. Most deployments keep users in a single domain and groups in another domain within the same Active Directory forest. Hope this helps answer the question.
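As an added example (not part of the original thread), the following PowerShell shows both patterns the question describes against two domains in one forest, plus the one membership rule the directory itself enforces: a Global group only accepts members from its own domain, while Domain Local and Universal groups accept users and groups from any domain in the forest. The domain names, OU paths, user and group names are assumptions; it needs the ActiveDirectory RSAT module and an account that can manage groups in both domains.

```powershell
# Added example, not from the original thread. Assumes two domains in one
# forest: corp.example (domain A, holds the user) and res.corp.example
# (domain B, holds the resource group). All names and OU paths are hypothetical.
Import-Module ActiveDirectory

$domainA = 'corp.example'
$domainB = 'res.corp.example'

# Fetch the user from a DC in its own domain. Passing the object (not a bare
# SamAccountName) to -Members is what makes cross-domain membership edits
# resolve correctly: a string would be looked up in the -Server domain only.
$user = Get-ADUser -Identity 'jdoe' -Server $domainA

# Nested pattern: Global group in A holds the user, Domain Local group in B
# holds the Global group (the "account group / resource group" layout).
$globalA = New-ADGroup -Name 'Finance-Readers' -GroupScope Global `
    -Path 'OU=Groups,DC=corp,DC=example' -Server $domainA -PassThru
Add-ADGroupMember -Identity $globalA -Members $user -Server $domainA

$localB = New-ADGroup -Name 'FS01-Finance-Read' -GroupScope DomainLocal `
    -Path 'OU=Groups,DC=res,DC=corp,DC=example' -Server $domainB -PassThru
Add-ADGroupMember -Identity $localB -Members $globalA -Server $domainB

# Direct pattern: the Domain Local group in B can also hold the domain-A user
# directly. Within one forest nothing in the directory prevents this; it is
# only the convention the question asks about that discourages it.
Add-ADGroupMember -Identity $localB -Members $user -Server $domainB

# What IS enforced: a Global group only accepts members from its own domain,
# so adding the domain-A user to a Global group in domain B is rejected.
$globalB = New-ADGroup -Name 'Scope-Test-Global' -GroupScope Global `
    -Path 'OU=Groups,DC=res,DC=corp,DC=example' -Server $domainB -PassThru
try {
    Add-ADGroupMember -Identity $globalB -Members $user -Server $domainB -ErrorAction Stop
    Write-Warning 'Unexpected: cross-domain member accepted by a Global group'
} catch {
    Write-Host "Rejected as expected (Global scope rule): $($_.Exception.Message)"
}
Remove-ADGroup -Identity $globalB -Server $domainB -Confirm:$false

# Verify the resulting memberships. Reading the member attribute directly is
# more robust than Get-ADGroupMember when members live in other domains.
$groups = @{ $domainA = $globalA; $domainB = $localB }
foreach ($server in $groups.Keys) {
    $g = Get-ADGroup -Identity $groups[$server] -Properties member -Server $server
    "{0} [{1}] members:" -f $g.Name, $g.GroupScope
    $g.member | ForEach-Object { "  $_" }
}
```

The key practical detail is the -Members argument: pass the ADUser object retrieved from the user's own domain, and point -Server at the domain that owns the group being edited. Using a SamAccountName string for a cross-domain member fails, because the cmdlet resolves strings against the -Server domain, where that account does not exist.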