Fix 0x00002143: Can't Nest Local Groups in Mixed Domain
This error pops up when you try to nest a security-enabled local group inside another group in a mixed-mode domain. Here's why and how to fix it.
When You'll See This Error
You're managing Active Directory in a mixed environment—say, Windows Server 2008 R2 domain controllers alongside older NT 4.0 BDCs or Windows 2000 servers. You try to nest a security-enabled local group (like a built-in Administrators group) inside another local group or a domain local group. Boom—error 0x00002143 shows up, and the operation fails. This isn't a random glitch; it's a deliberate restriction.
Root Cause
The error boils down to one thing: mixed domain mode. When your domain runs at a functional level that supports mixed mode (usually Windows 2000 mixed or NT 4.0 mixed), Active Directory blocks nesting of security-enabled local groups. Why? Older Windows versions (NT 4.0, for example) didn't support nested local groups. Microsoft had to keep backward compatibility, so they locked it down.
Think of it like this: you can't use a feature in a newer version if the older systems in the domain can't understand it. Local groups are meant for resource permissions (like a printer or folder), and nesting them would confuse NT 4.0 domain controllers that expect flat group membership.
The Fix
You've got two options: either raise the domain functional level or change the group type. Here's the step-by-step.
Option A: Raise the Domain Functional Level
This is the real fix if you don't need any NT 4.0 or Windows 2000 domain controllers anymore. Once you raise the level, nesting becomes allowed.
- Open Active Directory Domains and Trusts from Server Manager or Administrative Tools.
- Right-click your domain name and select Raise Domain Functional Level.
- Choose a level higher than mixed. For most environments, Windows Server 2008 or Windows Server 2012 R2 is safe. Windows Server 2016 or 2019 works too.
- Click Raise. Confirm the warning—once raised, you can't go back to mixed mode.
- Wait for replication to complete across all domain controllers (usually a few minutes).
That's it. After raising, try the group nest operation again. It should work.
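The same procedure from PowerShell, as an added example that is not part of the original article: it reports the current level and every domain controller (so a forgotten legacy DC shows up before you click Raise), performs the raise, and then asks each DC for the level it sees so you know when replication is done. It assumes the ActiveDirectory RSAT module, Domain Admin rights, and that the nTMixedDomain attribute on the domain head still holds the mixed (1) / native (0) flag; the function names are my own.

```powershell
# Added example, not from the original article: report the domain's functional
# level and domain controllers, raise the level, and confirm every DC sees the
# new level. Assumes the ActiveDirectory RSAT module and Domain Admin rights.
Import-Module ActiveDirectory

function Get-DomainModeReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $ad = Get-ADDomain -Identity $Domain
    # nTMixedDomain on the domain head records mixed (1) versus native (0) mode;
    # the DomainMode value alone does not show that distinction.
    $head = Get-ADObject -Identity $ad.DistinguishedName -Server $Domain -Properties nTMixedDomain

    # Every AD domain controller with its OS, so a legacy DC that would block the
    # raise is visible before you try. NT 4.0 BDCs are not AD DCs and will not be
    # listed here; the mixed-mode flag is the trace they leave.
    $dcs = Get-ADDomainController -Filter * -Server $Domain |
        Select-Object HostName, OperatingSystem

    [pscustomobject]@{
        Domain            = $ad.DNSRoot
        DomainMode        = $ad.DomainMode
        MixedMode         = ([int]$head.nTMixedDomain -eq 1)
        DomainControllers = $dcs
    }
}

function Invoke-RaiseDomainMode {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        # Any ADDomainMode value above the current one, e.g. Windows2008Domain,
        # Windows2012R2Domain or Windows2016Domain.
        [string]$TargetMode = 'Windows2008Domain'
    )

    $report = Get-DomainModeReport -Domain $Domain
    Write-Host ("Current level: {0} (mixed mode: {1})" -f $report.DomainMode, $report.MixedMode)
    $report.DomainControllers | Format-Table -AutoSize | Out-String | Write-Host

    # Set-ADDomainMode refuses the raise if any DC is too old for the target
    # level, so the worst case is an error, never a half-raised domain. The
    # raise itself is one-way: there is no path back to mixed mode afterwards.
    if ($PSCmdlet.ShouldProcess($Domain, "Raise domain functional level to $TargetMode")) {
        Set-ADDomainMode -Identity $Domain -DomainMode $TargetMode -Confirm:$false
    }
}

function Test-DomainModeReplicated {
    # Asks each DC directly for the domain mode. Until all agree, a nesting
    # attempt can still land on a DC that enforces the old restriction.
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $expected = (Get-ADDomain -Identity $Domain).DomainMode
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $seen = (Get-ADDomain -Identity $Domain -Server $dc.HostName).DomainMode
        [pscustomobject]@{
            DC         = $dc.HostName
            DomainMode = $seen
            InSync     = ($seen -eq $expected)
        }
    }
}

# Usage: preview first, then run for real once the DC list looks right.
# Invoke-RaiseDomainMode -TargetMode Windows2008Domain -WhatIf
# Invoke-RaiseDomainMode -TargetMode Windows2008Domain
# Test-DomainModeReplicated | Format-Table
```

Run the -WhatIf form first: it prints the DC inventory without changing anything, which is the moment to spot a server nobody remembers. Retry the nest only once Test-DomainModeReplicated reports InSync for every DC.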
Option B: Convert the Group to Distribution or Change Scope
If you can't raise the functional level (maybe you're stuck with an old app or a legacy DC), you need to sidestep the restriction.
- Change group type to Distribution: Security-enabled groups are the problem. Convert it to a distribution group using ADUC (Active Directory Users and Computers). Right-click the group, go to Properties, General tab, and change Group type from Security to Distribution. Distribution groups don't enforce this restriction.
- Change group scope: If you need security, switch from Local to Global or Universal. Local groups have this nesting limitation in mixed mode. Right-click the group, Properties, General tab, and change Group scope to Global. You might need to remove all members first if the scope change is blocked.
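Option B in PowerShell, as an added example that is not from the original article: one function performs either conversion with Set-ADGroup, and before a scope change it lists the members that would make the DC refuse it (other domain local groups, members from another domain, foreign security principals) instead of letting the change fail. It assumes the ActiveDirectory RSAT module; the group name PrintOps-Local and the function names are constructed for the example.

```powershell
# Added example, not from the original article: convert a group so it escapes
# the mixed-mode nesting restriction, either by making it a distribution group
# or by moving its scope from DomainLocal to Global. Assumes the ActiveDirectory
# RSAT module; the group name in the usage lines is a constructed placeholder.
Import-Module ActiveDirectory

function Get-ScopeChangeBlockers {
    # Members that stop a DomainLocal -> Global scope change. A global group may
    # hold only accounts and global groups from its own domain, so other domain
    # local groups, members from another domain and foreign security principals
    # all have to be removed first.
    param([Microsoft.ActiveDirectory.Management.ADGroup]$Group)

    $homeDomain = [regex]::Match($Group.DistinguishedName, '(DC=.*)$').Value
    foreach ($dn in $Group.Members) {
        $memberDomain = [regex]::Match($dn, '(DC=.*)$').Value
        $reason = $null
        if ($dn -like '*,CN=ForeignSecurityPrincipals,*') {
            $reason = 'member is a foreign security principal'
        } elseif ($memberDomain -ne $homeDomain) {
            $reason = 'member is from another domain'
        } else {
            # Same domain, so the object can be looked up without a -Server hop.
            $obj = Get-ADObject -Identity $dn -Properties objectClass
            if ($obj.objectClass -eq 'group' -and (Get-ADGroup -Identity $dn).GroupScope -eq 'DomainLocal') {
                $reason = 'member is a domain local group'
            }
        }
        if ($reason) {
            [pscustomobject]@{ Member = $dn; Reason = $reason }
        }
    }
}

function Convert-GroupForMixedMode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [ValidateSet('Distribution', 'Global')][string]$Method = 'Distribution'
    )

    $g = Get-ADGroup -Identity $Identity -Properties Members
    Write-Host ("{0}: category={1} scope={2}" -f $g.SamAccountName, $g.GroupCategory, $g.GroupScope)

    switch ($Method) {
        'Distribution' {
            # A distribution group has no security identity: it cannot appear on
            # an ACL, so any access currently granted through this group is lost.
            if ($PSCmdlet.ShouldProcess($g.SamAccountName, 'Change group type to Distribution')) {
                Set-ADGroup -Identity $g -GroupCategory Distribution
            }
        }
        'Global' {
            $blockers = @(Get-ScopeChangeBlockers -Group $g)
            if ($blockers.Count -gt 0) {
                Write-Warning 'Scope change will be refused until these members are removed:'
                $blockers | Format-Table -AutoSize | Out-String | Write-Warning
                return
            }
            if ($PSCmdlet.ShouldProcess($g.SamAccountName, 'Change group scope to Global')) {
                Set-ADGroup -Identity $g -GroupScope Global
            }
        }
    }
    Get-ADGroup -Identity $g | Select-Object SamAccountName, GroupCategory, GroupScope
}

# Usage (PrintOps-Local is a constructed placeholder):
# Convert-GroupForMixedMode -Identity 'PrintOps-Local' -Method Global -WhatIf
# Convert-GroupForMixedMode -Identity 'PrintOps-Local' -Method Distribution
```

The Distribution path is the quick one but it strips the group's SID from every ACL that references it, so inventory where the group is used before choosing it; the Global path keeps the group usable for permissions, which is why the blocker check is worth the extra lines.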
What If It Still Fails?
If you've raised the functional level or changed the group and still get the error, check these:
- Replication delay: If you raised the level, make sure all DCs have replicated. Run repadmin /syncall on a domain controller to force it.
- Group is still security-enabled: Double-check the group type. Right-click, Properties, General tab—if it says Security, the fix didn't stick.
- You're nesting across domains: If the target group is in a different domain, local groups can't be nested across domain boundaries even at higher functional levels. Use domain local groups instead.
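The three checks above as one preflight script, an added example rather than anything from the original article: it tests whether the member group is still a security-enabled domain local group in a mixed-mode domain, whether the two groups sit in different domains, and whether the domain controllers disagree on the functional level, then wraps the article's repadmin /syncall call. It assumes the ActiveDirectory RSAT module, repadmin.exe on the path, and the nTMixedDomain attribute as the mixed-mode flag; the function names are my own.

```powershell
# Added example, not from the original article: run the three "still fails"
# checks before retrying a nest, and force replication if needed. Assumes the
# ActiveDirectory RSAT module and repadmin.exe (RSAT) on the path.
Import-Module ActiveDirectory

function Get-DomainDn {
    # Domain naming context of an object, taken from its DN suffix. Fine for
    # ordinary DNs; an RDN containing the literal text "DC=" would confuse it.
    param([string]$Dn)
    [regex]::Match($Dn, '(DC=.*)$').Value
}

function Test-GroupNestPreflight {
    param(
        [Parameter(Mandatory)][string]$MemberGroup,
        [Parameter(Mandatory)][string]$TargetGroup,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    $member   = Get-ADGroup -Identity $MemberGroup -Server $Domain
    $target   = Get-ADGroup -Identity $TargetGroup -Server $Domain
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $head     = Get-ADObject -Identity $domainDn -Server $Domain -Properties nTMixedDomain
    $mixed    = ([int]$head.nTMixedDomain -eq 1)

    # Check 1: the group-type fix "didn't stick", or the level was never raised.
    if ($mixed -and $member.GroupCategory -eq 'Security' -and $member.GroupScope -eq 'DomainLocal') {
        $findings.Add("$($member.SamAccountName) is a security-enabled domain local group and the domain is still in mixed mode")
    }
    # Check 2: local groups cannot be nested across a domain boundary at any level.
    if ((Get-DomainDn $member.DistinguishedName) -ne (Get-DomainDn $target.DistinguishedName)) {
        $findings.Add("$($member.SamAccountName) and $($target.SamAccountName) live in different domains")
    }
    # Check 3: a DC that has not replicated the raise still enforces the old rule.
    $levels = Get-ADDomainController -Filter * -Server $Domain | ForEach-Object {
        (Get-ADDomain -Identity $Domain -Server $_.HostName).DomainMode
    } | Sort-Object -Unique
    if (@($levels).Count -gt 1) {
        $findings.Add("domain controllers disagree on the functional level: $($levels -join ', ')")
    }

    [pscustomobject]@{
        Member    = $member.SamAccountName
        Target    = $target.SamAccountName
        MixedMode = $mixed
        Findings  = $findings
        Ready     = ($findings.Count -eq 0)
    }
}

function Sync-AllDomainControllers {
    # The article's repadmin /syncall, run against one DC. /A = all partitions,
    # /d = show partner DNs instead of GUIDs, /e = cross-site, /P = push.
    param([string]$Dc = (Get-ADDomainController).HostName)
    & repadmin /syncall $Dc /AdeP
}

# Usage (group names are constructed placeholders):
# $r = Test-GroupNestPreflight -MemberGroup 'PrintOps-Local' -TargetGroup 'PrintServer-Admins'
# $r.Findings
# if (-not $r.Ready -and $r.Findings -match 'disagree') { Sync-AllDomainControllers }
```

Ready is true only when all three checks pass; a "disagree" finding means wait or push replication and test again, while the other two findings point back to Option A or Option B above.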
Had a client last month whose print server group kept failing. Turns out they had a lingering NT 4.0 DC that no one remembered. Once we decommissioned it and raised the level, the error vanished. So check your domain controllers list first.