Nested groups in Active Directory and EPiServer CMS
Have you ever tried nested groups in Active Directory (AD) and experienced problems when logging on with one of these in EPiServer CMS?
I came across this problem in a project where I had potentially 2000+ groups that should have access to Edit and Admin mode. I quickly realized that it would be far too much work to add all these groups in Web.config and give each of them the access rights it needed. My solution was to create one “master” editors group and one “master” administrators group, add those two to the pool of groups in Web.config, and then make all the other groups members of one of the two. I then configured my EPiServer solution to use the Active Directory provider. Problem solved! Well, so I thought…
After creating a few groups I tried to log in with a user belonging to one of these sub-groups, and nothing happened. I could see that my authentication was OK, since I didn’t get a message saying my log-on had failed, but there was no redirect and nothing changed on the page. Since my Web.config settings were correct, I thought the problem must lie with the groups in AD. I knew the sub-groups were OK, as they used the AD group scope “Global”; however, I was unsure about my “master” groups, since they were of the scope “Domain Local”. I had used this scope because “Universal” was grayed out and a “Global” group refused to accept another “Global” group as a member (at least when I tried it on my server).
After reading more about the different group scopes, I understood that I wanted my “master” groups to be “Universal”. To make this option available, however, I had to change my AD domain mode from Mixed to Native: Universal security groups, like nesting one Global group inside another, are only supported in Native mode, which is why both options had been unavailable to me.
After changing the AD domain mode to Native and using the “Universal” scope on my “master” groups, I can now use nested groups in my EPiServer solution!
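To check a setup like the one described above before blaming Web.config, the following PowerShell script audits the domain mode, the scope of each “master” group, the scope of every group nested directly inside it, and whether a given user is an effective (recursive) member. It is an added example, not code from the original post or from EPiServer; it assumes the RSAT ActiveDirectory module is installed, and the group names and user name are placeholders, not values from the post.

```powershell
# Added example: audit AD group scopes for nested EPiServer "master" groups.
# Assumptions (not from the original post): the ActiveDirectory RSAT module is
# available, and the group/user names below are placeholders to replace.
Import-Module ActiveDirectory

$masterGroups = @('EPiServer-Editors', 'EPiServer-Admins')   # assumed names
$testUser     = 'jdoe'                                        # assumed sAMAccountName

# Domain mode: Universal groups and Global-in-Global nesting require Native mode
# (reported by Get-ADDomain as the domain functional level, e.g. Windows2003Domain).
$domain = Get-ADDomain
Write-Host ("Domain {0} reports mode: {1}" -f $domain.DNSRoot, $domain.DomainMode)

foreach ($name in $masterGroups) {
    $master = Get-ADGroup -Identity $name -Properties GroupScope

    # The post's root cause: a Domain Local "master" group. Flag anything non-Universal.
    if ($master.GroupScope -ne 'Universal') {
        Write-Warning ("{0} has scope {1}; nested logons worked only once it was Universal" -f
            $master.Name, $master.GroupScope)
    } else {
        Write-Host ("{0}: scope Universal (OK)" -f $master.Name)
    }

    # List direct member groups and their scopes (one level; -Recursive would flatten to users).
    Get-ADGroupMember -Identity $master |
        Where-Object { $_.objectClass -eq 'group' } |
        ForEach-Object {
            $nested = Get-ADGroup -Identity $_.DistinguishedName -Properties GroupScope
            '    nested: {0,-40} scope: {1}' -f $nested.Name, $nested.GroupScope
        }

    # Confirm the test user is an effective member through the nesting chain.
    $effective = Get-ADGroupMember -Identity $master -Recursive |
        Where-Object { $_.SamAccountName -eq $testUser }
    if ($effective) {
        Write-Host ("    {0} is an effective member of {1}" -f $testUser, $master.Name)
    } else {
        Write-Warning ("{0} is NOT an effective member of {1}; check sub-group membership" -f
            $testUser, $master.Name)
    }
}
```

Run it from a domain-joined machine with an account that can read group membership. If a “master” group is reported as Domain Local, or the domain mode is still the Mixed/Windows 2000 level, the symptom from the post (successful authentication but no redirect into Edit or Admin mode) is explained by the directory rather than by the EPiServer configuration.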