I just read a great article by Rick Vanover called "Windows security groups: To nest or not?" He asks the question because a nested security group can be a bear to troubleshoot once you start getting quirky permissions issues.
In the article Rick states, “I would love to say that nesting group membership is prohibited, but there are occasional situations where it makes sense. My professional administration practice has limited nested group membership with a few guiding rules.”
This makes sense: there are very valid reasons to nest Active Directory groups, but you need controls in place to keep nesting from getting out of hand. Having the guidelines written down is helpful, but if you have multiple admins or help desk personnel working in ADUC (and many, many companies are in this situation), those rules can get overlooked.
For GroupID Self Service, we have created a help desk role that gives help desk staff permission to manage user and group objects, with controls on what they can change, create, expire or delete. That way you can give them the tools they need to do their job: more than an end user can do, and less than an Admin can do.
The control that is most pertinent to the nesting issue is our group hijacking workflow. Basically, if you try to nest a security group or distribution list into another group, the owner of the group being nested (nestee?) needs to approve it. That way the group won’t start receiving unwanted email or suddenly have permissions applied to it that the group owner doesn’t want.
Following smart guidelines like those described in the article AND having the tools in place to enforce them will let you keep a safely structured nested Active Directory group structure without the troubleshooting nightmare.