Documentation forAccess Rights Manager

Identify recursive groups


Groups can be members of other groups. Active Directory allows "children" to become "parents" within their own family tree. If the nested group structure loops in a circular way group membership assignments become ineffective and nonsensical. Through these recursions or circular nested groups every user who is a member of any of the recursive groups is granted all of the access rights of all of the groups. The consequence is a confusing mess of excessive access rights. ARM automatically identifies all recursions in your system. We highly recommend removing the recursion by breaking the chain of circular group memberships.


Administer only with ARM and recursions can no longer happen because ARM does not allow the creation of recursions.


Related features

The deeper your group structure the more likely you are to have circular nested group structures. We therefore recommend keeping an eye on the number of nested group levels.

Identify groups in recursion (web client)

Break the circle by managing group memberships (rich client) or removing group memberships (web client).


Step-by-step process

  1. Select the dashboard.
  2. Double-click on "groups in recursions".


  1. ARM automatically switches to "Multiselection".
  2. The scenario "groups in recursions" is active. ARM lists all groups included in the recursion.
  3. Click on a Group.
  4. ARM lists all users and groups in the selected recursion.
  5. Double-click on a group.


A010-03 EN Rekursive Gruppen identifizieren

  1. ARM switches to the account view. You can see an example of a recursion.
  2. The recursion is indicated by the orange line.