Nested Active Directory Groups with SharePoint

While configuring Windows SharePoint Services v3 here at the UNC Project in Malawi earlier this week, I encountered some really odd issues with groups.  For ease of management, I have been basing the access to SharePoint on Active Directory groups.  Users were already members of groups; I just added those groups to Active Directory groups I created for SharePoint.  Those groups then correspond to groups in SharePoint that they are members of.  However, the test user accounts I created that were members of the groups in Active Directory didn’t have access to SharePoint unless I manually added them to the groups in the SharePoint site (defeating the purpose of using the Active Directory groups in the first place; this was supposed to make it easier to manage).  In Active Directory, I also did not seem to be able to add any groups to a global group (or convert domain local groups to global groups / vice-versa), though this didn’t immediately appear to me to be related.

After several hours of troubleshooting, I eventually stumbled upon the help section for the different types of Active Directory groups.  There I learned that Active Directory does not support nested global groups if it is in Windows 2000 Mixed Mode.  I don’t think I have even seen a domain in Windows 2000 Mixed Mode; that was a “legacy” mode a decade ago.  The Active Directory domain here (running Server 2003 on all the DCs) was somehow still set to Windows 2000 Mixed Mode.  Upping that to Windows Server 2003 Native Mode finally fixed my problem.  According to the documentation, Windows 2000 Native Mode should work as well, but why continue to live in the past?
