STATUS_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN Fix (0xC00002D5)
This error means you tried to nest a security-enabled global group inside another group in a mixed-mode domain. That's a hard no from Windows NT–style domain controllers.
Quick Answer
Raise the domain functional level to Windows Server 2003 or higher, or change the group type from Security to Distribution if security isn't needed.
Why This Happens
This error shows up when you're working in a Windows domain that's still running in mixed mode (functional level Windows Server 2003 or lower, with NT 4.0 domain controllers still in the picture). The culprit here is almost always a security-enabled global group that you're trying to stick inside another group — either a universal group or another global group. Windows 2000 and NT 4.0 domain controllers flat-out refuse to allow nesting of security-enabled global groups because they don't have the group expansion logic needed to handle it safely. The error code 0xC00002D5 is the system's way of saying 'nope, not happening.'
You'll hit this most often when someone tries to add a global group like Domain Users into a universal group for cross-domain access, or when an admin inherits a 20-year-old domain that's never been upgraded past Windows Server 2003 functional level. The error can also pop up in Group Policy Management Editor when applying security filtering or delegating permissions.
Don't bother trying to force the nesting via cmdlets like Add-ADGroupMember — it'll throw the same error. The system's not buggy; it's enforcing a hard rule from the old NT era.
Fix Steps
- Check your domain functional level
  Open Active Directory Domains and Trusts, right-click the domain, select Properties, and look at Domain functional level. If it's Windows Server 2003 or lower, you're in mixed mode.
- Raise the functional level
  If no NT 4.0 domain controllers remain, raise the level to Windows Server 2008 or higher. In Active Directory Domains and Trusts, right-click the domain, choose Raise Domain Functional Level, pick Windows Server 2008 (or 2012/2016/2019 depending on your OS), then click Raise. Wait for replication to finish.
- Confirm the change took effect
  Run this in PowerShell:
  Get-ADDomain | Format-List DomainMode
  A result of Windows2012R2Domain or higher means you're good.
- Now try nesting again
  Use ADUC (Active Directory Users and Computers) or PowerShell to add the global group to the target group. For example:
  Add-ADGroupMember -Identity 'YourUniversalGroup' -Members 'YourGlobalGroup'
  It should work now.
Alternative Fixes
- Change the group scope — If you can't raise the functional level (maybe because of legacy apps), convert the global group to a universal group using ADUC. Right-click the group, go to Properties > Group scope, change to Universal. Universal groups can be nested in any mode. Just remember: universal groups replicate to all global catalogs, so use them sparingly.
- Change the group type to Distribution — If the group is for email distribution or non-security purposes, flip it from Security to Distribution in ADUC. Distribution groups don't have the nesting restriction because they can't be used for ACLs. Open group properties, go to Group type, select Distribution. No functional level change needed.
- Use a workaround with nested group membership — Create a new universal group and add the original global group's members to it directly, flattening the membership instead of nesting the group. Not elegant, and the two member lists then have to be kept in sync by hand, but it bypasses the restriction without changing the domain.
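As an added example that is not part of the original article, this PowerShell pre-flight check ties the Fix Steps and the Alternative Fixes together: it reads the domain head's nTMixedDomain flag and functional level, inspects the member group's scope and type, and only calls Add-ADGroupMember when the combination a mixed-mode DC rejects is absent; otherwise it reports which fix applies. It assumes the ActiveDirectory (RSAT) module, read rights on the domain head and both groups, and uses the placeholder group names from the steps above.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory (RSAT) module
# and rights to read the domain head and the two groups; the group names are placeholders.
Import-Module ActiveDirectory

$targetGroup = 'YourUniversalGroup'   # placeholder: group that will contain the member
$memberGroup = 'YourGlobalGroup'      # placeholder: group being nested inside it

function Test-GroupNesting {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$Member
    )
    $domain = Get-ADDomain
    # nTMixedDomain on the domain head is 1 while the domain is still in mixed mode;
    # msDS-Behavior-Version is the numeric functional level (0 = 2000, 2 = 2003, 3 = 2008, ...).
    $head  = Get-ADObject -Identity $domain.DistinguishedName -Properties nTMixedDomain, 'msDS-Behavior-Version'
    $m     = Get-ADGroup -Identity $Member
    $t     = Get-ADGroup -Identity $Target
    $mixed = ($head.nTMixedDomain -eq 1)

    [pscustomobject]@{
        DomainMode      = $domain.DomainMode
        MixedMode       = $mixed
        FunctionalLevel = $head.'msDS-Behavior-Version'
        MemberScope     = $m.GroupScope
        MemberCategory  = $m.GroupCategory
        TargetScope     = $t.GroupScope
        # The combination a mixed-mode DC refuses: a security-enabled global group as a member.
        WillFail        = $mixed -and ($m.GroupScope -eq 'Global') -and ($m.GroupCategory -eq 'Security')
    }
}

$check = Test-GroupNesting -Target $targetGroup -Member $memberGroup
$check | Format-List

if ($check.WillFail) {
    Write-Warning "Add-ADGroupMember would fail with STATUS_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN (0xC00002D5)."
    Write-Warning "Raise the domain functional level, or change $memberGroup's scope (to Universal) or type (to Distribution) first."
} else {
    # Safe to nest: either the domain is no longer mixed, or the member is not a security-enabled global group.
    Add-ADGroupMember -Identity $targetGroup -Members $memberGroup
    Write-Host "Added $memberGroup to $targetGroup."
}
```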
Prevention Tip
Don't leave your domain in mixed mode longer than necessary. The moment you've retired all NT 4.0 and Windows 2000 domain controllers, bump the functional level to at least Windows Server 2008. It enables universal group caching, fine-grained password policies, and — most critically — unrestricted group nesting for security groups. If you're building a new domain today, set the functional level to Windows Server 2016 or higher from the start. That'll save you from ever seeing this error again.