Find Nested Groups in Active Directory

by Robert Allen

In this guide, I’ll show you how to find nested AD groups with PowerShell and the AD Pro Toolkit. Nested groups in Active Directory can grant users unwanted permissions, so it is important to review them on a regular basis.

What are Nested Groups

Nested groups are when one Active Directory group is a member of another group. A nested group inherits the permissions of every group it is a member of, and so do its members.

For example, I have a group called “it_wrk_admins” and it is a member of the “Domain Admins” group. All of the members of the it_wrk_admins group will inherit the permissions of the Domain Admins group.

nested groups in active directory

Nested AD Groups can simplify assigning permissions to network resources but can be a huge risk if not closely managed. In the examples below, I’ll show you how you can review nested groups and group members.

Option 1. Find Nested AD Groups using AD Pro Toolkit

The AD Pro Toolkit makes it very easy to find all nested groups in your Active Directory environment. In addition, there are multiple group membership reports that can be run manually or on a schedule.

To find all nested groups in Active Directory, follow the steps below.

  1. Click on “Group Reports” and select the “Nested Groups” report.
  2. Click “Run” to generate the report or click browse to select an OU.
  3. To export the report click “Export” and select csv, excel or pdf.
nested ad groups report

In the screenshot above, you can see I have 17 nested groups in my Active Directory domain. For example, Nest_group2 is a member of Nest_group1. You can expand the parent group to see its members.

nested ad groups and group membership

Nested Group Tree View Report

To get a hierarchy view of all nested groups, run the nested groups tree view report. It starts with groups that have other groups as members, then checks each child group for further nested groups, and so on. This shows you the complete hierarchy of a group.

nested groups recursive loop

In the example above, Nest_group1 has three group members. Some of those groups also have group members and so on. This can be very dangerous and provide users with unwanted permissions and access. This is difficult to find using PowerShell scripts and requires lots of manual steps.
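The same hierarchy walk can be scripted. The function below is an added example (not code from the article or from the AD Pro Toolkit) that recursively follows the member attribute of a group and prints an indented tree; it keeps the current path in a set so that circular nesting (group A in B, B in A) is reported as a loop instead of recursing forever. It assumes the RSAT ActiveDirectory module is installed and uses the group name “Nest_group1” from the screenshots.

```powershell
# Added example, not from the article: print the nested-group hierarchy under one group.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Show-NestedGroupTree {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,   # name, SAM account name, DN or SID
        [int] $Depth = 0,
        [System.Collections.Generic.HashSet[string]] $Path =
            [System.Collections.Generic.HashSet[string]]::new()
    )
    $group  = Get-ADGroup -Identity $Identity -Properties member
    $indent = '  ' * $Depth

    # HashSet.Add returns $false when the DN is already on the current path: a loop.
    if (-not $Path.Add($group.DistinguishedName)) {
        Write-Output "$indent$($group.Name)  <-- LOOP: group is nested inside itself"
        return
    }
    Write-Output "$indent$($group.Name) [$($group.GroupScope)/$($group.GroupCategory)]"

    foreach ($dn in $group.member) {
        try {
            $obj = Get-ADObject -Identity $dn
        } catch {
            # Members from other domains or foreign security principals may not resolve here
            Write-Warning "Could not resolve member $dn : $($_.Exception.Message)"
            continue
        }
        if ($obj.ObjectClass -eq 'group') {
            Show-NestedGroupTree -Identity $dn -Depth ($Depth + 1) -Path $Path
        }
    }
    # Leaving this branch, so the same group may legitimately appear under a sibling
    [void]$Path.Remove($group.DistinguishedName)
}

Show-NestedGroupTree -Identity 'Nest_group1'
```

Because the loop check is path-based rather than a global visited list, a group that is nested under two different parents is still shown under both, and only a true cycle is flagged. Members in trusted domains are skipped with a warning; add `-Server` to the `Get-ADObject` call if you need to follow them.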

Download a Free Trial of the AD Pro Toolkit and try these reports in your domain.

View AD Group Membership

To check the membership of all or specific groups click on group reports > general > group members report.

By default this report runs on the entire domain; to limit the scope, click on browse or search.

view ad group membership

For each member displayed, you can choose which of the following user/group attributes to include:

Username, Name, ObjectClass, Group, Group Type, Scope, Description, First Name, Last Name, Office, Telephone, Street Address, PO Box, City, State, Zip, Email, Title, Department, Company, Manager, Proxy Addresses, Initial, Display, and Homepage.

Option 2. Find Nested AD Groups using PowerShell

In this example, I’ll use the Get-ADGroup command to find nested groups in Active Directory.

Step 1. Open PowerShell as Administrator.

Step 2. Copy and run the command below.

Get-ADGroup -filter * -Properties MemberOf | Where-Object {$_.MemberOf -ne $null} | Select-Object Name,MemberOf
get nested groups with powershell

You can see this will display all nested groups in the domain. For example, the group “Account_Local” has a member that is a group called “Accounting_Folders”.

You can also use the Get-ADGroupMember cmdlet, which supports recursive lookups; this will return the members of any nested group.

Get-ADGroupMember nest_group1 -recursive | select name, objectclass
nested groups recursive

The problem with the above command is that it flattens the result and doesn’t show which group each member was inherited through. The Get-ADGroup command is a better option to see which groups are a member of another group.
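The following script is an added example (not from the article) that builds on the Get-ADGroup approach above. It reads the child group’s memberOf attribute, so it does not hit the Get-ADGroupMember size limit on large groups, and it reports each nesting as a Parent/Child pair. It also covers the reader question at the end of the page: a `-SecurityOnly` switch restricts the output to security groups via the groupType bit, and the number of users that inherit rights through each child group is counted with the LDAP_MATCHING_RULE_IN_CHAIN operator (OID 1.2.840.113556.1.4.1941), which resolves nesting on the domain controller. The function and parameter names are my own.

```powershell
# Added example, not from the article: list every parent -> child group nesting in
# the domain and count the users that reach the parent through each child.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string] $Value) {
    # Escape characters that are special inside an LDAP filter (RFC 4515).
    # Backslash is handled first so the escapes added afterwards are not re-escaped.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Find-NestedGroup {
    [CmdletBinding()]
    param(
        [switch] $SecurityOnly,   # only security groups (groupType bit 0x80000000 set)
        [string] $SearchBase      # optional OU distinguished name to scope the search
    )
    # A child group is simply a group whose memberOf attribute is populated.
    $filter = '(memberOf=*)'
    if ($SecurityOnly) {
        # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND
        $filter = "(&$filter(groupType:1.2.840.113556.1.4.803:=2147483648))"
    }
    $params = @{ LDAPFilter = $filter; Properties = 'memberOf' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    foreach ($child in Get-ADGroup @params) {
        $childDn = ConvertTo-LdapFilterValue $child.DistinguishedName
        # Users that are in the child group directly or through any deeper nesting
        $userCount = (Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$childDn)" |
                      Measure-Object).Count

        foreach ($parentDn in $child.MemberOf) {
            $parent = Get-ADGroup -Identity $parentDn
            [pscustomobject]@{
                ParentGroup   = $parent.Name
                ChildGroup    = $child.Name
                ChildScope    = $child.GroupScope
                ChildCategory = $child.GroupCategory
                UsersViaChild = $userCount
            }
        }
    }
}

# Security groups only, sorted by parent; swap the last stage for Export-Csv to keep a record.
Find-NestedGroup -SecurityOnly | Sort-Object ParentGroup, ChildGroup | Format-Table -AutoSize
# Find-NestedGroup | Export-Csv .\nested-groups.csv -NoTypeInformation
```

Two caveats when reading the output: memberOf is a back-link that only covers groups in the same domain (and universal groups visible on a global catalog), so nesting that crosses a domain trust will not appear, and a user’s primary group is not stored in memberOf either. Rows where UsersViaChild is high and ParentGroup is a privileged group such as Domain Admins are the ones to review first.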

Conclusion

In this guide, I showed you how to find nested groups in Active Directory using PowerShell and the AD Pro Toolkit. Nested groups in AD can lead to unintended access permissions by inheriting rights from a parent group. Nested groups can be challenging to audit and report on, because a group can be nested in multiple groups and those groups can in turn be nested in other groups. It becomes complex and challenging for administrators. It can also be challenging to write a PowerShell script that finds every group a group contains as well as every group it is a member of. The GUI group management tool makes reporting on nested groups very easy.

Related: Export Group Members to CSV

Recommended Tools

  • AD Cleanup Tool - Find stale and inactive user and computer accounts in Active Directory. Export, disable, move or delete the stale accounts to increase security.
  • AD User Creation Tool - Bulk import or update Active Directory user accounts. Add users to groups, import into OUs, set multiple attributes and more.
  • NTFS Permissions Tool - Scan and audit NTFS folder permissions. See which users and groups have access to what.
  • AD Reporting Tool - Over 200 reports on users, computers, groups, OUs and more. Customize reports or create your own reports with the report builder.

1 thought on “Find Nested Groups in Active Directory”

  1. In Example 4, if I wanted to limit this to security groups only, and have the output show how many users are in the nested group is there a way to do this?

