Fix ERROR_DS_ALIAS_POINTS_TO_ALIAS (0X00002090) in Active Directory
You can't make a group alias point to another alias in Active Directory. This error happens when you try. Here's how to fix it.
What’s this error telling you?
You just tried to add a group to another group in Active Directory, and you got this error: ERROR_DS_ALIAS_POINTS_TO_ALIAS (0X00002090). The message is clear — an alias group cannot be a member of another alias group. In Windows Server, a group that's set as an alias (also called a distribution group in some contexts) can only contain users, computers, or contacts. It can't contain other aliases.
I've seen this most often when someone tries to nest distribution groups in Exchange or when using ADSI Edit without paying attention to the group type. The fix is straightforward, but you need to decide which group to change.
Here's the flow: start with the quick check, then the moderate fix (change group scope), then the advanced option (use ADSI Edit). Stop when your issue is gone.
Quick fix (30 seconds): Check which group is the alias
Open Active Directory Users and Computers (dsa.msc). Find both groups involved. Right-click each group, go to Properties, and look at the Group type field on the General tab.
- If it says Distribution, that's an alias group.
- If it says Security, it's a security group (not an alias).
You need at least one of them to be a security group for membership to work. If both are distribution, you can't nest them without changing one.
If you find one is a security group, the error might be a different issue. But 90% of the time, both groups are distribution (alias) type.
Moderate fix (5 minutes): Change one group from Distribution to Security
This is the most common real fix. You change one of the groups from Distribution to Security. After that, the membership works.
- Open Active Directory Users and Computers as an Administrator.
- Find the group you want to change (the one you're trying to add as a member).
- Right-click it, select Properties.
- Go to the General tab.
- Under Group type, switch from Distribution to Security.
- Click OK.
After clicking OK, you'll see no error. Now try adding that group to the other alias group again. It should work.
But watch out: Changing a distribution group to security means it can now be used for access control (permissions). If you don't want that, skip this fix and use the advanced option instead.
Advanced fix (15+ minutes): Use ADSI Edit to change the group scope or break the alias
If you can't change the group type (maybe policy says it must stay distribution), you have two choices:
- Change the group scope from Universal to Global or Domain Local (if it's a security group).
- Or convert the alias group to a security group using ADSI Edit.
Here's the ADSI Edit method:
- Open ADSI Edit (adsiedit.msc). If it's not installed, install it from Server Manager under Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools.
- Connect to the Default naming context of your domain.
- Browse to the group's distinguished name: CN=YourGroupName,OU=Users,DC=yourdomain,DC=com.
- Right-click the group, select Properties.
- Find the attribute groupType and double-click it.
- The value you see is a number. Copy it. Look up the meaning:
| Value | Meaning |
|---|---|
| -2147483646 | Security, Global |
| -2147483644 | Security, Domain Local |
| -2147483640 | Security, Universal |
| 2 | Distribution, Global |
| 4 | Distribution, Domain Local |
| 8 | Distribution, Universal |
To change a distribution group (alias) to a security group, add -2147483648 to the existing value. For example, if the current value is 2 (distribution, global), set it to -2147483646 (security, global).
Enter the new value, click OK, and close ADSI Edit.
After you set the new value, the group type changes instantly. Try the membership again — it should succeed.
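To avoid typing the wrong number into ADSI Edit, the following PowerShell sketch decodes a groupType value and computes the security-enabled equivalent with the same scope. It is an added example, not part of the original article; the function name ConvertFrom-GroupType is hypothetical, and the sample inputs are the six values from the table above.

```powershell
# Added example: decode groupType and compute the value that turns on the
# security bit. Pure arithmetic, so it runs without the ActiveDirectory module.

# groupType is a signed 32-bit integer. The security flag is bit 0x80000000,
# which as a signed Int32 is -2147483648 (the number the article says to add).
$SecurityEnabled = [int]::MinValue

function ConvertFrom-GroupType {
    # Hypothetical helper name, chosen for this example.
    param([Parameter(Mandatory)][int]$GroupType)

    # Scope lives in the low bits: 2 = Global, 4 = Domain Local, 8 = Universal.
    $scope = switch ($GroupType -band 0xE) {
        2       { 'Global' }
        4       { 'Domain Local' }
        8       { 'Universal' }
        default { 'Unknown' }
    }

    $isSecurity = ($GroupType -band $SecurityEnabled) -ne 0

    [pscustomobject]@{
        GroupType  = $GroupType
        Category   = if ($isSecurity) { 'Security' } else { 'Distribution' }
        Scope      = $scope
        # -bor sets the flag without touching the scope bits, and is a no-op
        # when the group is already security-enabled (adding the number again
        # would overflow instead).
        AsSecurity = $GroupType -bor $SecurityEnabled
        WillChange = -not $isSecurity
    }
}

# Constructed sample input: the six values from the table above.
2, 4, 8, -2147483646, -2147483644, -2147483640 |
    ForEach-Object { ConvertFrom-GroupType -GroupType $_ } |
    Format-Table -AutoSize

# With the ActiveDirectory module installed, the same type change can be made
# without editing the raw attribute ('YourGroupName' is a placeholder):
#   Set-ADGroup -Identity 'YourGroupName' -GroupCategory Security
```

For a distribution group, the AsSecurity column is the number to enter in ADSI Edit; for a group that is already security-enabled, WillChange is False and the value is unchanged.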
What if none of these work?
If you still get the error, check these two things:
- Are you using Exchange or a tool that caches group membership? Wait 15 minutes and try again.
- Is the group in a different domain? Cross-domain alias nesting has stricter rules. You might need to use a security group instead.
In my 12 years of doing this, I've never seen a case where changing one group to security didn't fix it. If you can't change the type, then break the alias chain by not nesting alias groups. Put users directly into the alias group instead.