Can you include an AD distribution group in a security group

Tags: active-directory, groups

I have a security group SG-SomeResource providing access to a network resource. I also have a distribution group DG-MyOrg that describes an organizational unit.

Can I include DG-MyOrg as a member of SG-SomeResource, thereby granting access to the resource for all members of DG-MyOrg, or do I have to add each individual member of DG-MyOrg into SG-SomeResource?

Like so:

DG-MyOrg

  • Anne
  • Joe
  • Sarah

SG-SomeResource

  • Bob
  • DG-MyOrg

Will Anne, Joe and Sarah now be able to access the resource, or only Bob?

Interestingly enough, I wasn't able to find any clear documentation on how this works. I know that when going into Joe's profile to check his group memberships, SG-SomeResource will not be shown, as it's a nested group relation, but I am not sure if that also necessarily means he will not be granted access to the resource, or if SG membership lookups are recursive?

Best Answer

No, this won't work.

For permissions in AD to properly propagate, the members of a security group have to be security principals.
Meaning that each object requires an active SID that can then be used to chain the permissions from one member to the next.
Because a distribution group has an SID that is not active, it breaks the chain.
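Two checks a domain admin would run to see this in practice, as an added example that is not part of the question or the answer above. It assumes the RSAT ActiveDirectory PowerShell module and a domain-joined account with read access; the names SG-SomeResource and Joe are the question's own example values.

```powershell
# Added example; not part of the original question or answer.
# Assumes the RSAT ActiveDirectory PowerShell module and a domain-joined account with read access.
Import-Module ActiveDirectory

# 1. Audit: list every security group that directly contains a distribution group.
#    Get-ADGroup exposes GroupCategory ('Security' or 'Distribution'), derived from
#    the security-enabled bit (0x80000000) of the groupType attribute.
function Find-DistributionGroupsNestedInSecurityGroups {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Cache all groups once so each member can be classified without a query per member
    $groups = @{}
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties member |
        ForEach-Object { $groups[$_.DistinguishedName] = $_ }

    foreach ($g in $groups.Values) {
        if ($g.GroupCategory -ne 'Security') { continue }
        foreach ($memberDn in $g.member) {
            $m = $groups[$memberDn]          # $null when the member is a user/computer, not a group
            if ($m -and $m.GroupCategory -eq 'Distribution') {
                [pscustomobject]@{
                    SecurityGroup     = $g.SamAccountName
                    DistributionGroup = $m.SamAccountName
                }
            }
        }
    }
}

# 2. Verification: show the group SIDs the domain controller actually computes for a
#    user's access token (the constructed tokenGroups attribute, transitive expansion),
#    which is what the resource ACL is checked against, rather than a manual walk of memberOf.
function Get-EffectiveSecurityGroups {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    foreach ($sid in $user.tokenGroups) {
        # The module may return SIDs as SecurityIdentifier objects or as raw byte arrays
        $sidObj = if ($sid -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($sid, 0) }
                  else { [System.Security.Principal.SecurityIdentifier]$sid }
        try   { $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolvable)' }
        [pscustomobject]@{ SID = $sidObj.Value; Name = $name }
    }
}

Find-DistributionGroupsNestedInSecurityGroups | Format-Table -AutoSize
# With the question's names: does SG-SomeResource appear in Joe's token at all?
Get-EffectiveSecurityGroups -SamAccountName 'Joe' | Where-Object Name -like '*SG-SomeResource*'
```

tokenGroups needs a reachable Global Catalog to expand universal group memberships, so run the second check against a DC that can reach one.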