Windows groups can be squirrely. The key to grokking them is knowing the order in which Windows processes, or “expands”, them.

The rule of thumb is that a group can have as a member any other type of group that has already been expanded. For example, the local group is the most flexible because it’s expanded last. Pretty much anything can be a member of a local group because by the time the server’s authority expands it, all the other group memberships are known. Global groups, on the other hand, are heavily restricted because they’re expanded first. At the time they’re expanded, we know very little: the client’s domain starts with the user’s SID and begins expansion from there.
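
To make the ordering concrete, here is an added toy model (my own code, not from the post or from Windows itself) that walks a user through the stages in order and checks the rule of thumb. It assumes only two kinds, global and local; all names and SIDs are constructed.

```python
"""Simplified model of the expansion order described above.

Assumption (not from the post): only two group kinds are modelled, "global"
(expanded first, by the user's domain) and "local" (expanded last, by the
server). All names and SIDs below are constructed sample data.
"""

# Stages in the order the authorities process them: earlier kinds are
# already known when a later kind is expanded.
EXPANSION_ORDER = ("global", "local")

USER_SID = "S-1-5-21-1000-2000-3000-1104"  # constructed sample user SID

# group name -> (kind, members); members are user SIDs or other group names
SAMPLE_GROUPS = {
    "CORP\\Engineers": ("global", [USER_SID]),
    "CORP\\AllStaff": ("global", ["CORP\\Engineers"]),  # global in global: fine
    "SRV01\\Remote Desktop Users": ("local", ["CORP\\AllStaff"]),  # local holds a global
}

def violations(groups):
    """Rule of thumb: a group may only contain users and groups whose kind is
    expanded no later than its own. Returns a list of readable problems."""
    problems = []
    for name, (kind, members) in groups.items():
        for member in members:
            if member not in groups:
                continue  # a user SID, always allowed
            member_kind = groups[member][0]
            if EXPANSION_ORDER.index(member_kind) > EXPANSION_ORDER.index(kind):
                problems.append(f"{name} ({kind}) lists {member} ({member_kind}), "
                                f"but {member_kind} groups are expanded later")
    return problems

def expand(user_sid, groups):
    """Return the group list a token ends up with, built stage by stage.
    At each stage only groups of that kind are added, and only when one of
    their members is already in the token; a later-kind member is simply
    invisible when the earlier kind is expanded."""
    token = [user_sid]
    for stage in EXPANSION_ORDER:
        changed = True
        while changed:  # run to a fixed point so nesting within a stage works
            changed = False
            for name, (kind, members) in groups.items():
                if kind == stage and name not in token and any(m in token for m in members):
                    token.append(name)
                    changed = True
    return token

if __name__ == "__main__":
    print(expand(USER_SID, SAMPLE_GROUPS))
    bad = {**SAMPLE_GROUPS, "CORP\\Broken": ("global", ["SRV01\\Remote Desktop Users"])}
    print(violations(bad))
    print(expand(USER_SID, bad))  # CORP\Broken never appears: local group unknown at global stage
```

Adding a global group whose only member is a local group shows why the restriction exists: the local group is not yet known when the global stage runs, so the global group is never added to the token.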

“What is a Group?” has a set of nice hand-scrawled diagrams to walk you through it all.

