Restrictions on nested groups on Windows

There are restrictions on the use of nested groups. These result partly from the domain functional level and partly from IBM® MQ restrictions.

Active Directory can support different group types within a Domain context depending on the Domain functional level. By default, Windows 2003 domains are in the "Windows 2000 mixed" functional level. (Windows Server 2008 and Windows Server 2012 follow the Windows 2003 domain model.) The domain functional level determines the supported group types and level of nesting allowed when configuring user IDs in a domain environment. Refer to Active Directory documentation for details on the Group Scope and inclusion criteria.

In addition to Active Directory requirements, further restrictions are imposed on IDs used by IBM MQ. The network APIs used by IBM MQ do not support all the configurations that are supported by the domain functional level. As a result, IBM MQ is not able to query the group memberships of any Domain IDs present in a Domain Local group which is then nested in a local group. Furthermore, multiple nesting of global and universal groups is not supported. However, immediately nested global or universal groups are supported.
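
The nesting rules above, applied to a constructed group hierarchy, as an added example (not IBM code): it walks a local group's members and separates the IDs whose membership IBM MQ can query from those it cannot. All group and user names, including the choice of `mqm` as the starting local group, are made up for illustration, and reading "immediately nested" as one level below the local group is an assumption.

```python
# Constructed sample data: group name -> (scope, members). Not from a real domain.
GROUPS = {
    "mqm":             ("local",        ["alice", "DOM\\MQAdmins", "DOM\\MQLocalOps"]),
    "DOM\\MQAdmins":   ("global",       ["DOM\\bob", "DOM\\MQTier2"]),
    "DOM\\MQTier2":    ("global",       ["DOM\\carol", "DOM\\bob"]),
    "DOM\\MQLocalOps": ("domain_local", ["DOM\\dave"]),
}

def audit(local_group, groups=GROUPS):
    """Return (resolved, unresolved) for one local group.

    resolved   -- IDs reachable through nesting that the page says is supported
    unresolved -- ID -> reason, for IDs reachable only through unsupported nesting
    """
    resolved, unresolved = set(), {}

    def walk(name, depth, via_domain_local, seen):
        for member in groups[name][1]:
            if member in groups:                      # member is a nested group
                if member in seen:                    # guard against cyclic nesting
                    continue
                is_dl = groups[member][0] == "domain_local"
                walk(member, depth + 1, via_domain_local or is_dl, seen | {member})
            elif via_domain_local:
                unresolved[member] = "in a Domain Local group nested in a local group"
            elif depth > 1:
                unresolved[member] = "global/universal group nested more than one level"
            else:                                     # direct or immediately nested
                resolved.add(member)

    walk(local_group, 0, False, {local_group})
    # An ID that is also reachable through a supported path counts as resolved.
    for user in resolved:
        unresolved.pop(user, None)
    return resolved, unresolved

if __name__ == "__main__":
    ok, missing = audit("mqm")
    print("resolved:", sorted(ok))
    for user, reason in sorted(missing.items()):
        print("not resolved:", user, "-", reason)
```

IDs reported as not resolved are the ones to place directly in the local group or in an immediately nested global or universal group.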