🟠 High   ⏱ 5–30 min  Last verified: 06 July 2027
Affected versions: Windows Server 2019

πŸ“– ~2 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution β€” Primary Fix
  7. Solution β€” Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

On Windows Server 2019 domain controllers and member servers, AGUDLP nesting depth exceeded blocks user authentication, group policy processing, or directory access. The impact ranges from single-user lockouts to forest-wide replication and trust failures, and remediation must follow change-control because identity is foundational to every dependent service.

Environment & Reproduction

The issue reproduces on Windows Server 2019 domain controllers running the ActiveDirectory PowerShell module, typically after group changes, GPO edits, migrations, or replication interruptions. Validate on a lab DC promoted into a forest functional level of 2016 or higher, and capture state before changes.

Get-ADDomain | Select Name,DomainMode,Forest
Get-ADDomainController -Filter * | Select HostName,OperatingSystem

Root Cause Analysis

The defect stems from AGUDLP nesting depth exceeded where AD attributes, group memberships, policy precedence, or replication metadata diverge from the intended state. Common contributors include stale Kerberos tickets, oversized tokens, broken trust relationships, GPO targeting errors, and unresolved tombstone or SID conflicts after migration.

Quick Triage

Capture the failing user or computer object state, the relevant security event, and the resultant policy before applying changes. Snapshot replication health with repadmin and confirm time sync across DCs because Kerberos depends on a five-minute clock skew window.

repadmin /replsummary
w32tm /monitor

Step-by-Step Diagnosis

Walk the identity stack from the user object, through group membership and PSO precedence, to the authenticating DC and DNS resolver, collecting evidence for AGUDLP nesting depth exceeded at each hop.

Get-ADGroup -Identity 'AppAccess' -Properties Member | Select -ExpandProperty Member
Illustrative mockup for windows-server-2019 β€” terminal_or_powershell
Diagnosis view for group nesting depth β€” Illustrative mockup β€” Progressive Robot

Solution β€” Primary Fix

Apply the targeted remediation below to restore expected behaviour for AGUDLP nesting depth exceeded, then trigger replication and gpupdate so the change propagates across the domain.

Still having issues? Our Help Desk team can diagnose and resolve this for you. Get in touch for a free consultation.

# Flatten nesting: replace deep chains with direct membership in resource group
$members = Get-ADGroupMember 'AppAccess' -Recursive
Add-ADGroupMember 'AppAccessFlat' -Members $members
Illustrative mockup for windows-server-2019 β€” terminal_or_powershell
PowerShell remediation for group nesting depth β€” Illustrative mockup β€” Progressive Robot

Solution β€” Alternative Approaches

Where the primary fix is blocked by change control, downtime windows, or licence limitations, the alternative path below achieves the same outcome via UI tools, scripted bulk operations, or staged group rollout.

# Use Get-ADGroupMember -Recursive only when depth is shallow; rebuild AGDLP

Verification & Acceptance Criteria

Confirm the user, group, or trust now reports the expected state and that a representative authentication or access operation succeeds end-to-end against the affected workload.

Get-ADGroupMember 'AppAccessFlat' -Recursive | Measure

Rollback Plan

If the change introduces regressions, restore the pre-change attributes from AD Recycle Bin, authoritative restore, or the documented backup, then force replication so the rollback is consistent across DCs.

Remove-ADGroupMember 'AppAccessFlat' -Members $members -Confirm:$false

Prevention & Hardening

Codify the validated identity baseline in Group Policy, fine-grained password policies, and AD delegation templates, and add scheduled health checks via repadmin, dcdiag, and AAD Connect Health where applicable.

# Document group hierarchy and limit nesting to four levels max

Related: Kerberos KRB_AP_ERR_MODIFIED, NTLM fallback warnings, GPO event 1085, AD replication events 1864/2042, AAD Connect export errors, and trust authentication failures in the Security and Directory Service logs.

Related tutorial: View the step-by-step tutorial for Windows Server 2019.

View all Windows Server 2019 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Microsoft Learn: Active Directory Domain Services on Windows Server 2019, AD Recycle Bin, Fine-Grained Password Policies, AAD Connect, AGDLP, FSMO roles, and the official AD Forest Recovery Guide.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.