Identify recursive groups
Groups can be members of other groups. Active Directory allows "children" to become "parents" within their own family tree. If the nested group structure loops back on itself, group membership assignments become ineffective and nonsensical. Through these recursions, or circular nested groups, every user who is a member of any of the recursive groups is granted all of the access rights of all of the groups. The consequence is a confusing mess of excessive access rights. ARM automatically identifies all recursions in your system. We highly recommend removing the recursion by breaking the chain of circular group memberships.
If you manage groups and group memberships only with ARM, recursions can no longer occur because ARM prevents recursions from being created.
The deeper your group structure, the more likely you are to have circular nested group structures. We therefore recommend keeping an eye on the number of nested group levels.
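The effect described above, as an added example that is not part of ARM or of the original page: it finds circular group nesting in a membership map and shows that a user placed in one group of the circle ends up in all of them. The group names, user names, and the MEMBER_OF and USER_GROUPS maps are constructed sample data; exporting the real map from the directory is assumed to happen elsewhere.

```python
# Constructed sample data. MEMBER_OF maps a group to the groups it is a
# direct member of (the direction of the AD memberOf attribute).
MEMBER_OF = {
    "Finance": ["Accounting"],
    "Accounting": ["Payroll"],
    "Payroll": ["Finance"],   # closes the circle
    "HR": ["Payroll"],        # feeds into the circle but is not part of it
    "IT": [],
}
USER_GROUPS = {"alice": ["Payroll"], "bob": ["HR"], "carol": ["IT"]}

def find_recursions(member_of):
    """Return each set of groups that forms a circular nesting (Tarjan SCC)."""
    index, low, on_stack, stack, found = {}, {}, set(), [], []

    def visit(group):
        index[group] = low[group] = len(index)
        stack.append(group)
        on_stack.add(group)
        for parent in member_of.get(group, []):
            if parent not in index:
                visit(parent)
                low[group] = min(low[group], low[parent])
            elif parent in on_stack:
                low[group] = min(low[group], index[parent])
        if low[group] == index[group]:  # group is the root of a component
            cut = stack.index(group)
            component = set(stack[cut:])
            del stack[cut:]
            on_stack.difference_update(component)
            # Keep only real loops: several groups, or a group nested in itself.
            if len(component) > 1 or group in member_of.get(group, []):
                found.append(component)

    for group in member_of:
        if group not in index:
            visit(group)
    return found

def effective_groups(user, user_groups, member_of):
    """All groups a user ends up in, direct or nested; safe on circular input."""
    seen, todo = set(), list(user_groups.get(user, []))
    while todo:
        group = todo.pop()
        if group not in seen:
            seen.add(group)
            todo.extend(member_of.get(group, []))
    return seen
```

In the sample data, alice is assigned only to Payroll but resolves to Finance, Accounting and Payroll, and bob inherits the whole circle through HR even though HR itself is not reported as recursive.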
Identify groups in recursion (web client)
Break the circle by managing group memberships (rich client) or removing group memberships (web client).
- Select Dashboard.
- Double-click Groups in recursions.
- ARM automatically switches to Multiselection.
- The scenario Groups in recursions is active. ARM lists all groups included in the recursion.
- Click on a Group.
- ARM lists all users and groups in the selected recursion.
- Double-click on a group.
- ARM switches to the Accounts view. You can see an example of a recursion.
- The recursion is indicated by the orange line.