What Is Dangerous Group Nesting?
Active Directory groups are the primary access control mechanism for resources across the domain. When users are added to groups, they inherit all permissions associated with those groups, including permissions inherited through nested group memberships.
Dangerous group nesting occurs when groups are nested in ways that grant unintended or excessive privileges. A low-privileged user account may belong to a group that is nested inside another group, which is itself a member of Domain Admins. The result is a privilege escalation path that is invisible without specifically tracing the full membership chain.
These paths are extremely common in mature AD environments: they accumulate over years of reorganizations, migrations, and provisioning shortcuts, and they are never cleaned up because no one knows they exist.
How It Works
AD group membership is recursive. When Group A is a member of Group B, all members of Group A inherit Group B's permissions. This nesting can go many levels deep, and the effective permissions of any user are the union of all group memberships across the entire chain.
The danger is compounded by Protected Groups: groups like Domain Admins, Enterprise Admins, and Backup Operators that are protected by the AdminSDHolder mechanism. Any account that is a member (directly or transitively) of these groups has its ACL overwritten every 60 minutes. This means a user nested 5 levels deep into Domain Admins effectively has the same privileges as a direct member.
Attackers use tools like BloodHound to map these paths in seconds.
The Attack Chain
Step 1 - Map Group Membership Chains
```powershell
# Find all effective members of Domain Admins (including nested)
Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Select-Object SamAccountName, ObjectClass, distinguishedName

# Find transitive group memberships for a specific user
# (token groups resolved through System.DirectoryServices.AccountManagement)
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$user = "jsmith"
$ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
    [System.DirectoryServices.AccountManagement.ContextType]::Domain)
# FindByIdentity is a static method: it takes the context and the identity to look up
[System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $user).GetAuthorizationGroups() |
    Select-Object Name

# BloodHound Neo4j (Cypher) query: find shortest paths to Domain Admins
# MATCH p=shortestPath((u:User)-[*1..]->(g:Group {name:"DOMAIN [email protected]"})) RETURN p
```
Step 2 - Identify the Weakest Link
The attacker targets the easiest-to-compromise account in the chain. A service account with a weak, non-expiring password nested 3 levels deep into Domain Admins becomes the attack vector:
```powershell
# Find Kerberoastable accounts that are transitively DA members
Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |   # Get-ADUser cannot resolve computer or group objects
    Get-ADUser -Properties ServicePrincipalName, PasswordLastSet |
    Where-Object { $_.ServicePrincipalName.Count -gt 0 } |
    Select-Object SamAccountName, ServicePrincipalName, PasswordLastSet
```
Step 3 - Escalate Through the Chain
Once the weak link is compromised (via Kerberoasting, password spray, or phishing), the attacker inherits Domain Admin privileges through nested membership, with no further exploitation required.
Detection
Windows Event IDs
| Event ID | Source | What to Look For |
|---|---|---|
| 4728 | DC - Security | Member added to global security group |
| 4756 | DC - Security | Member added to universal security group |
| 4732 | DC - Security | Member added to local security group |
| 4735 | DC - Security | Security-enabled global group changed |
💡 Tip: Alert on any modification to Domain Admins, Enterprise Admins, or Schema Admins in real time. These changes should be extremely rare.
SIEM Detection Query (Elastic KQL)
```kql
event.code: ("4728" OR "4732" OR "4756") AND
winlog.event_data.TargetUserName: ("Domain Admins" OR "Enterprise Admins" OR "Schema Admins" OR "Backup Operators")
```
Remediation
💡 Quick Win: Run the PowerShell snippet above and list all transitive members of Domain Admins. Remove any service account, shared account, or former employee account immediately.
1. Audit and Clean Nested Group Memberships
```powershell
# Flatten every Tier 0 group to its effective (direct + nested) members and export for review
$tier0Groups = @("Domain Admins","Enterprise Admins","Schema Admins","Backup Operators")
$results = @()
foreach ($group in $tier0Groups) {
    Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
        $results += [PSCustomObject]@{ Group = $group; Account = $_.SamAccountName; Type = $_.ObjectClass }
    }
}
$results | Export-Csv tier0_audit.csv -NoTypeInformation
```
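The flattened `-Recursive` listing above tells you who is effectively a member, but not which chain of groups grants it. The following added example (not from the original article or EtcSec's tooling) walks the nesting one level at a time so each transitive member is reported together with the path that leads to it; it assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example: trace every nesting path from a Tier 0 group down to its leaf members.
# Assumes the ActiveDirectory module (RSAT) and domain read access.
Import-Module ActiveDirectory

function Get-NestedGroupPaths {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [string[]] $Path = @(),       # group names walked so far on this branch
        [string[]] $Ancestors = @()   # DNs of those groups, used to detect circular nesting
    )
    $group = Get-ADGroup -Identity $GroupName
    if ($Ancestors -contains $group.DistinguishedName) {
        # A in B and B in A is legal in AD; report it rather than recurse forever
        Write-Warning ("Circular nesting: {0} -> {1}" -f ($Path -join ' -> '), $group.Name)
        return
    }
    $chain   = $Path + $group.Name
    $dnChain = $Ancestors + $group.DistinguishedName

    # Deliberately NOT -Recursive: one level per call keeps the path intact.
    # Note: Get-ADGroupMember fails on groups above the server-side member limit (5000 by default).
    foreach ($member in Get-ADGroupMember -Identity $group.DistinguishedName) {
        if ($member.objectClass -eq 'group') {
            Get-NestedGroupPaths -GroupName $member.DistinguishedName -Path $chain -Ancestors $dnChain
        } else {
            [PSCustomObject]@{
                Tier0Group = $chain[0]
                Account    = $member.SamAccountName
                Type       = $member.objectClass
                Depth      = $chain.Count - 1            # 0 = direct member
                Path       = ($chain + $member.SamAccountName) -join ' -> '
            }
        }
    }
}

$tier0Groups = @("Domain Admins","Enterprise Admins","Schema Admins","Backup Operators")
$paths = foreach ($g in $tier0Groups) { Get-NestedGroupPaths -GroupName $g }

# Depth > 0 are the members whose access is hidden behind nesting; deepest first
$paths | Where-Object Depth -gt 0 | Sort-Object Depth -Descending |
    Format-Table Tier0Group, Account, Depth, Path -AutoSize
```

A diamond (the same account reachable through two different intermediate groups) is reported once per path, which is what you want when deciding which nesting to remove.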
2. Implement the Tiered Administration Model
| Tier | Scope | Admin Accounts |
|---|---|---|
| Tier 0 | Domain Controllers, AD, PKI | Dedicated DA accounts only |
| Tier 1 | Member servers, applications | Server admin accounts |
| Tier 2 | Workstations, end-user devices | Helpdesk accounts |
Credentials must never flow upward. A Tier 2 helpdesk account must never be a member of any Tier 0 group.
3. Monitor Group Changes Weekly
```powershell
# Report Tier 0 groups modified in the last 7 days ($tier0Groups as defined in step 1)
$tier0Groups = @("Domain Admins","Enterprise Admins","Schema Admins","Backup Operators")
$cutoff = (Get-Date).AddDays(-7)
Get-ADGroup -Filter * -Properties whenChanged |
    Where-Object { $_.whenChanged -gt $cutoff -and $_.Name -in $tier0Groups } |
    Select-Object Name, whenChanged
```
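`whenChanged` only tells you that a Tier 0 group changed, not who added which account. As an added example (not part of the original article), the function below pulls the same 4728/4732/4756 events the KQL query above matches from a domain controller's Security log and reads the member, group and actor fields out of the event XML; it assumes membership-change auditing is enabled and that the caller can read the DC's Security log.

```powershell
# Added example: who added which account to a Tier 0 group, from the DC Security log.
# Assumes audit policy logs 4728/4732/4756 and read access to the DC's Security log.
$tier0Groups = @("Domain Admins","Enterprise Admins","Schema Admins","Backup Operators")

function Get-Tier0MembershipChanges {
    param(
        [Parameter(Mandatory)] [string[]] $Groups,
        [int] $Days = 7,
        [string] $ComputerName = $env:COMPUTERNAME   # run on, or point at, a domain controller
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4732, 4756      # member added to global / local / universal security group
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the XML rather than parsing the message text
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [PSCustomObject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                Group       = $data['TargetUserName']
                GroupDomain = $data['TargetDomainName']
                MemberDn    = $data['MemberName']
                MemberSid   = $data['MemberSid']
                AddedBy     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                DC          = $_.MachineName
            }
        } |
        Where-Object { $_.Group -in $Groups }
}

Get-Tier0MembershipChanges -Groups $tier0Groups | Sort-Object Time -Descending | Format-Table -AutoSize
```

Events are logged on the DC that processed the change, so run it against each DC (or a collector) rather than a single one.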
How EtcSec Detects This
EtcSec maps the complete group membership graph and identifies dangerous nesting patterns automatically.
DANGEROUS_GROUP_NESTING flags transitive membership chains that grant unintended Tier 0 privileges, surfacing hidden paths only visible through full graph analysis.
EXCESSIVE_PRIVILEGED_ACCOUNTS counts all accounts with effective Domain Admin privileges (direct and transitive), highlighting environments where privilege has accumulated beyond operational need.
PATH_ACL_TO_DA and PATH_GPO_TO_DA complement group analysis with permission-based and GPO-based escalation paths to Domain Admin.
ℹ️ Note: EtcSec automatically maps group nesting in every AD audit. Run a free audit to discover hidden Domain Admin paths in your environment.
Related articles: ACL Abuse and DCSync | GPO Misconfigurations