
# Enable Active Directory Mappings to Sub Groups

The definition of (nested) sub groups in Active Directory is as follows:

> **What are nested groups in Active Directory?**
>
> Group nesting is when you add a group as a member of another group. Although group nesting is often required, AD nests groups based on a parent-child hierarchy. In other words, if you make Group 1 a member of Group 2, the users in Group 1 have, by default, the same permissions as the users in Group 2.

The preview feature should therefore include, in an AD scan configured for an AD security group, all persons in the group being scanned and in any groups that are themselves members of that mapped group.

With this included, the Active Directory LDAP connector can import Users via the following mappings:

* groups with membership to a mapped group
* OUs within a mapped group
* OUs within a mapped OU

This **does not** include groups within a mapped OU.

However, the recommendations on this are:

1. As this is a Preview Feature, if you decide to use it, please test it heavily in your Test environment first. It is not yet a core supported feature, as it has only been written for a specific customer. Any issues with this feature will not be “hotfixed” for customers, and may only be addressed in a future release.
2. It is recommended to avoid using this obviously complex membership configuration with ASM. Best practice is to create 3-4 security groups (e.g. ASM Admin, ASM Analyst, ASM User) in Active Directory, specifically for ASM, and provide membership to those groups as per the User's access requirement.
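
The following added example (not ASM's connector code) models transitive group membership over constructed sample data. It shows which users a mapped group gains once nested groups are followed, and through which group path, and it builds the Active Directory `LDAP_MATCHING_RULE_IN_CHAIN` filter for listing a group's transitive user members in a real directory. The group names, users and function names are assumptions; OU mappings are not modelled, and how ASM itself queries the directory is not stated on this page.

```python
# Added illustration: a model of transitive AD group membership, not ASM's connector code.
# All group and user names below are constructed sample data.

# Member lists as they would appear on each group's `member` attribute.
SAMPLE_GROUPS = {
    "ASM Analyst": ["user:alice", "group:Service Desk"],
    "Service Desk": ["user:bob", "group:Contractors"],
    "Contractors": ["user:carol", "group:Service Desk"],  # circular nesting
    "ASM Admin": ["user:dave"],
}


def direct_users(groups, mapped):
    """Users listed directly on the mapped group (no nesting followed)."""
    return {m[5:] for m in groups.get(mapped, []) if m.startswith("user:")}


def effective_users(groups, mapped):
    """Return {user: path of groups through which the user reaches `mapped`}."""
    found, seen, stack = {}, {mapped}, [(mapped, [mapped])]
    while stack:
        group, path = stack.pop()
        for member in groups.get(group, []):
            kind, name = member.split(":", 1)
            if kind == "user":
                found.setdefault(name, path)
            elif name not in seen:  # guards against nesting loops
                seen.add(name)
                stack.append((name, path + [name]))
    return found


def added_by_nesting(groups, mapped):
    """Users who would be imported only because nested groups are followed."""
    direct = direct_users(groups, mapped)
    return {u: p for u, p in effective_users(groups, mapped).items() if u not in direct}


def in_chain_filter(group_dn):
    """LDAP filter using AD's transitive-membership matching rule."""
    # RFC 4515 escaping of characters that are special inside a filter value.
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in group_dn)
    return ("(&(objectCategory=person)(objectClass=user)"
            "(memberOf:1.2.840.113556.1.4.1941:=%s))" % escaped)
```

Comparing the output of `added_by_nesting` for each mapped group against the users actually imported in the Test environment shows who gains an ASM role purely through nesting.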


