How to remove the circular nested group and nested group from AD in a best way?

Khushboo Kumari 20 Reputation points
2025-07-23T03:26:45.7333333+00:00

Hi Expert,

In Active Directory we have found and identified many circular nested groups (indirect chains) and nested groups. In some cases, we also found direct circular nesting or self-cycles (where a group is added as a member of itself).

[Image: Direct circular nesting]

[Image: Circular Nested Groups (Indirect chain)]

I would appreciate your recommendations on the best approach to clean up these types of access issues without impacting existing access.

Would you like me to give you a recommended approach to safely clean up circular and nested groups in AD without breaking access?

Thanks!


1 answer

  1. Hoang Phan0701 155 Reputation points Independent Advisor
    2025-08-04T03:23:06.1166667+00:00

    Dear Khushboo Kumari,

    My name is Hoang Phan, and I understand that you have some concerns related to nested security groups.

    I found a script on an external site that can help identify circular nested groups. I tested it in my environment, and it works for simple cases. Please try it in your test environment first to see if it meets your needs:

    https://ss64.com/ps/syntax-circular.html#:~:text=If%20an%20Active%20Directory%20%28AD%29%20group%20has%20another

    Cleaning these nested groups is more complex, as groups can be linked to AD permissions, GPO filtering, file shares, and NTFS permissions. Before making changes, document all permissions and where the groups are used.

    Recommended steps:

    1. Map group usage – Check file/folder permissions (icacls or Get-Acl), share permissions, app roles, and GPO filtering.
    2. Assess impact – Create a report of effective permissions and note which users would lose access if groups are flattened.
    3. Plan cleanup – Remove redundant memberships, create new flat groups if needed, and populate them with correct users.
    4. Test first – Duplicate groups in a test OU/lab, apply changes to a small set of users, and verify access.
    5. Migrate in phases – Add new groups alongside old ones, then remove old groups only after validation.
    6. Document & monitor – Keep track of changes, and monitor Event Logs and tickets for any access issues.

    I hope this information proves helpful. Please don’t hesitate to reach out if you need further clarification—I’ll be happy to assist 🙂


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    Best regards,

    Hoang Phan

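As an added illustration of the detection step the answer points to (this is example code, not the linked ss64 script and not from either participant), the PowerShell below walks group-to-group membership with a depth-first search and reports every cycle as a chain, so both the self-cycle and the indirect chain from the screenshots show up in one report. The group names are constructed sample data; `Get-AdGroupNesting` assumes the ActiveDirectory module is installed and only reads the directory. Only self-membership is turned into a removal command, and only as a `-WhatIf` dry run, because a group being a member of itself grants nothing and removing it cannot change anyone's access; edges inside an indirect chain need the usage mapping from steps 1 and 2 before anything is removed.

```powershell
# Added example: detect circular nested groups (self-cycles and indirect chains)
# from a map of GroupName -> direct member groups. Users are deliberately omitted;
# only group-to-group edges matter for nesting cycles.

function Find-GroupCycles {
    param(
        [Parameter(Mandatory)]
        [hashtable]$Membership   # group -> array of its direct member groups
    )

    $cycles = New-Object System.Collections.Generic.List[string]
    $seen   = @{}   # sorted member set -> $true, so each circular group set is reported once

    # Recursive DFS carrying the current path so the cycle can be printed as a chain.
    function Walk([string]$Group, [System.Collections.Generic.List[string]]$Path) {
        if ($Path.Contains($Group)) {
            # Back edge: the path from the first occurrence of $Group to here is a cycle.
            $start = $Path.IndexOf($Group)
            $loop  = @($Path.GetRange($start, $Path.Count - $start).ToArray()) + $Group
            $key   = (($loop[0..($loop.Count - 2)] | Sort-Object) -join '|')
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = $true
                $cycles.Add(($loop -join ' -> '))
            }
            return
        }
        $Path.Add($Group)
        foreach ($child in @($Membership[$Group])) {
            if ($child) { Walk $child $Path }   # skip $null from groups with no nested members
        }
        $Path.RemoveAt($Path.Count - 1)
    }

    foreach ($g in $Membership.Keys) {
        Walk $g (New-Object System.Collections.Generic.List[string])
    }
    return $cycles
}

# Self-membership is the one edge that is always safe to drop; emit a dry-run command
# per self-cycle. Review the output, then remove -WhatIf to apply.
function Get-SelfCycleRemovalCommands {
    param([Parameter(Mandatory)][hashtable]$Membership)
    foreach ($g in $Membership.Keys) {
        if (@($Membership[$g]) -contains $g) {
            "Remove-ADGroupMember -Identity '$g' -Members '$g' -WhatIf"
        }
    }
}

# Builds the same map from a live domain (assumes the ActiveDirectory module; read-only).
# Keyed by sAMAccountName because CN is not unique across OUs.
function Get-AdGroupNesting {
    $map = @{}
    Get-ADGroup -Filter * -Properties member | ForEach-Object {
        $children = foreach ($dn in $_.member) {
            $obj = Get-ADObject -Identity $dn -Properties sAMAccountName
            if ($obj.ObjectClass -eq 'group') { $obj.sAMAccountName }
        }
        $map[$_.SamAccountName] = @($children)
    }
    return $map
}

# Constructed sample standing in for the two screenshots in the question:
# one self-cycle, one indirect chain, and one ordinary (non-circular) nesting.
$sample = @{
    'GRP-Finance'      = @('GRP-Finance')     # direct: group is a member of itself
    'GRP-App-Admins'   = @('GRP-Helpdesk')
    'GRP-Helpdesk'     = @('GRP-Tier2')
    'GRP-Tier2'        = @('GRP-App-Admins')  # indirect: Admins -> Helpdesk -> Tier2 -> Admins
    'GRP-FileShare-RW' = @('GRP-Helpdesk')    # nested but not circular; nothing to fix here
}

Find-GroupCycles -Membership $sample | ForEach-Object { "Circular nesting: $_" }
Get-SelfCycleRemovalCommands -Membership $sample

# Against a real domain, replace $sample with:  $live = Get-AdGroupNesting
# and run Find-GroupCycles -Membership $live
```

Running the sample prints two chains, `GRP-Finance -> GRP-Finance` and the three-group chain starting from whichever member of the indirect cycle the hashtable enumerates first, plus a single `Remove-ADGroupMember ... -WhatIf` line for `GRP-Finance`. Group names are compared case-sensitively in the path check; if your data mixes case for the same group, normalise names (for example with `.ToLower()`) when building the map.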
