
So you think a domain local group cannot be a member of a domain local group?

Last weekend I did some scripting again and stumbled upon something I found rather funny.
For as long as I can remember, it has not been possible to make a domain local group a member of another domain local group; you get an error.
This is by design and logical when you think of the 'old' AGDLP principle (Accounts go into Global groups, Global groups into Domain Local groups, and Domain Local groups get the Permissions).

But… that's in a GUI… so what if you were to use PowerShell to accomplish this anyway?
Note that this is not something you would want to do: it goes against a bunch of best practices, and the fact that the GUI gives an error when you try it is a sign it is just not meant to be done!

With the following command you would be able to make a domain local group a member of another domain local group:

# Nest the domain local group DL-Group2 inside the domain local group DL-Group1
Add-ADGroupMember -Identity (Get-ADGroup -Filter 'Name -like "DL-Group1"') -Members (Get-ADGroup -Filter 'Name -like "DL-Group2"')

But let's go a little further on the crazy side… Let's make a domain local group a member of itself :)

Now, in the GUI you will get an error when trying this, but what about PowerShell?
No error, it just ‘works’:

# Make DL-Group1 a member of itself; the cmdlet only writes the member attribute and does not check for cycles
Add-ADGroupMember -Identity (Get-ADGroup -Filter 'Name -eq "DL-Group1"') -Members (Get-ADGroup -Filter 'Name -eq "DL-Group1"')

Again, a big fat note: I've written this post to show that it's possible; it is not in any way intended to motivate you to start doing this in your environments! This goes against all the rules, so please don't!
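If someone has already done this in your domain, the interesting question is how to find it: a domain local group nested in a domain local group breaks the AGDLP model, and a group that is its own member sends any naive recursive membership script into an endless loop. The script below is an added example (not from the original post) that finds both, plus membership cycles of any length, from a snapshot of group objects. The group names, distinguished names and the snapshot itself are constructed for the example; a real run replaces the snapshot with `Get-ADGroup -Filter * -Properties member, groupScope`.

```powershell
# Added example, not code from the original post. Detects the two situations the
# post creates (domain local nested in domain local, a group that is its own
# member) and any longer membership cycle, without looping forever on the cycle.
# The group names and this snapshot are constructed; for a real run use:
#   $groups = Get-ADGroup -Filter * -Properties member, groupScope
$groups = @(
    [pscustomobject]@{
        DistinguishedName = 'CN=DL-Group1,OU=Groups,DC=example,DC=com'
        GroupScope        = 'DomainLocal'
        member            = @('CN=DL-Group2,OU=Groups,DC=example,DC=com',
                              'CN=DL-Group1,OU=Groups,DC=example,DC=com')  # member of itself
    }
    [pscustomobject]@{
        DistinguishedName = 'CN=DL-Group2,OU=Groups,DC=example,DC=com'
        GroupScope        = 'DomainLocal'
        member            = @('CN=G-Users,OU=Groups,DC=example,DC=com')
    }
    [pscustomobject]@{
        DistinguishedName = 'CN=G-Users,OU=Groups,DC=example,DC=com'
        GroupScope        = 'Global'
        member            = @()
    }
)

function Find-GroupNestingIssues {
    param([Parameter(Mandatory)][object[]]$Groups)

    # Index groups by DN so member DNs can be resolved without further AD queries.
    $byDn = @{}
    foreach ($g in $Groups) { $byDn[$g.DistinguishedName] = $g }

    # Direct checks: self-membership and domain local nested in domain local.
    foreach ($g in $Groups) {
        foreach ($m in @($g.member)) {
            if (-not $byDn.ContainsKey($m)) { continue }   # user, computer, or group outside the snapshot
            if ($m -eq $g.DistinguishedName) {
                [pscustomobject]@{ Issue = 'SelfMember'; Group = $g.DistinguishedName; Member = $m }
            } elseif ($g.GroupScope -eq 'DomainLocal' -and $byDn[$m].GroupScope -eq 'DomainLocal') {
                [pscustomobject]@{ Issue = 'DomainLocalInDomainLocal'; Group = $g.DistinguishedName; Member = $m }
            }
        }
    }

    # Cycle check: depth-first walk that marks each group 'visiting' on the way
    # down and 'done' on the way up, so a group reached while still 'visiting'
    # closes a cycle and the walk terminates instead of recursing forever.
    $state = @{}
    function Visit([string]$dn, [string[]]$path) {
        $state[$dn] = 'visiting'
        foreach ($m in @($byDn[$dn].member)) {
            if (-not $byDn.ContainsKey($m)) { continue }
            if ($state[$m] -eq 'visiting') {
                $start = [Array]::IndexOf($path, $m)
                [pscustomobject]@{
                    Issue  = 'Cycle'
                    Group  = $dn
                    Member = (@($path[$start..($path.Length - 1)]) + $m) -join ' -> '
                }
            } elseif ($state[$m] -ne 'done') {
                Visit $m ($path + $m)
            }
        }
        $state[$dn] = 'done'
    }
    foreach ($g in $Groups) {
        if (-not $state.ContainsKey($g.DistinguishedName)) {
            Visit $g.DistinguishedName @($g.DistinguishedName)
        }
    }
}

Find-GroupNestingIssues -Groups $groups | Format-Table -AutoSize
```

On the constructed snapshot this reports a SelfMember issue and a DomainLocalInDomainLocal issue for DL-Group1, and a Cycle entry reading `CN=DL-Group1,... -> CN=DL-Group1,...`. Working from one `Get-ADGroup` snapshot rather than calling `Get-ADGroupMember` per group keeps the check to a single LDAP query and, more importantly, keeps the cycle handling in your own code where the visiting/done marker guarantees termination.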
