Find Nested Group Members ~ My blog about Active Directory and everything else

Wednesday, June 24, 2009

Find Nested Group Members

I've run into a few questions recently where someone wanted to find the members of a security group. That in itself is fairly straight forward.

However what if your security group has nested groups and users. Then those nested groups may also have additional nested groups and users. What does that query look like? How do you find all the members?

Suppose I have the following Example


  • TopLevelGroup -- Global Security Group

    • TopLevel -- User
    • TopLevel2 - User2
    • Nested1 - Global Security Group
        Nested1 Members
      • Nested User
      • Nested User 2
      • InsideNested - Global Security Group
          InsideNested Members
        • InsideNested1







There are several ways to do this, I'm not saying these are the only methods but these are three examples that work.

The first method is to use the PowerShell. For this example you will need the Quest AD Cmdlets. Thanks to MVP Dmitry Sotnikov for the Quest cmdlets.

Get-QADGroupMember "Group Name" -indirect



The second method is using ADFIND by MVP Joe Richards

adfind -default -bit -f "memberof:1.2.840.113556.1.4.1941:=DN of Group" samaccountname -nodn





More on that query here

Big Thanks to Chris Dent for that part. He was also involved in the questions. Chris was an MVP and should be an MVP again. One of the best and most knowledgeable guys around.


Now on to method three. Some people (especially in classified networks) can't install the Quest cmdlets or adfind (or any third party tool)

The Microsoft DStools can be used. For this example I'll use dsquery and dsget

dsquery group -samid "group name" | dsget group -members -expand



I hope that helps someone out there. Please let me know via comments if there are any questions.

Thanks

Mike

12 comments:

  1. Hmm... interesting.

    This is about 0.1% of what Gold Finger's "patent-pending" capabilities do during the course of accurately determining who really has what access on an Active Directory object.

    Sanjay Tandon
    Former Microsoft Active Directory Security Program Manager

    ReplyDelete
  2. @Sanjay

    Thanks, looking forward to seeing what Gold Finger can do.

    One question that comes up a lot on the boards is "how do I know if a security group is being used"

    To me that is tough because to truly know you have to go through not only AD but every file share and folder across the entire network. There are other places that need to be checked but I don't want to write a blog entry in the comments here :) If that is part of the 99.9% that you are talking about then it will be impressive.

    I'd also add that this post doesn't even begin to scratch the surface of the power of the Joeware tools or all the things that can be done using Powershell.

    ReplyDelete
  3. I think it should be added, that - as far as I know, but correct me if I'm wrong - none of these methods will work this way in multidomain environment, when we ask for the membership of the group from domain A, and members come from domain B through the membership in the group from domain B (GR_DOM_A has GR_DOM_B has USERS_DOM_B).
    At least - in adfind method it didn't work for me, but I think it wouldn't work also in the other two.
    There are of course exceptions (we direct the query to GC and all the groups have Universal scope), but I tested it only using adfind. I should probably do some more tests, but maybe You've already tested it.
    Regards
    yacoob

    ReplyDelete
  4. @yacoob -- I'll try and test this weekend, have to build out another domain in my lab first.

    ReplyDelete
  5. Mike,

    Last week, we shipped a FREE and 100% SUPPORTED edition of the Gold Finger, that features over 50 useful Active Directory security reports including -

    1. List of all privileged domain user accounts
    2. List of all currently locked domain accounts
    3. List of all domain accounts about to expire
    4. List of all nested security groups
    5. List of all Active Directory objects where a user has permissions
    etc.

    Over the next few weeks, you can expect us to double the number of reports, and perhaps even offer a FREE AD auditing solution :-)

    BTW, the list of reports can be found at http://www.paramountdefenses.com/goldfinger_reports.php and you can download your free version http://www.paramountdefenses.com/goldfinger_download.php

    You're welcome to give it a shot - why waste your time writing scripts and using free unsupported tools, when you can use a free, supported and Microsoft endorsed tool?

    Oh, and this too installs in under 2 minutes, requires 0 config changes to your AD, and needs absolutely no administrative privilege :-)

    You see, having made what is considered largely impossible as easy as touching a button, making something as easy as generating basic security reports FREE is the least we can do for the AD ecosystem!

    Cheers,
    Sanjay

    ReplyDelete
  6. If you are looking for one time export just download AD Admin & Reporting Tool by ldapsoft - Reporting from this tool is as easy as it can be, after connection click Audit Export and export all the reports in nice pdf format. Please note that the version is unrestricted for 14 days.

    http://www.ldapsoft.com/activedirectoryreports/adreports.html

    ReplyDelete
  7. If you don't want to use Quest, ADFind or other tools, but just "plain" PowerShell, try this (our .NET Geek showed me how to do it):

    $name = "arosen" #SamAccountName
    $assembly = [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.AccountManagement")
    $context = New-Object -typename "System.DirectoryServices.AccountManagement.PrincipalContext" -argumentlist $([System.DirectoryServices.AccountManagement.ContextType]::Domain)
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($context,$([System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName),$name)
    $user.GetAuthorizationGroups() | select SamAccountName

    ReplyDelete
  8. Awesome tip Andy!! Thanks for posting.

    ReplyDelete
  9. did anyone ever resolve teh issue with multi domains??

    ReplyDelete
  10. Or, for shortness, and assuming the current user (for use in login scripts or other):

    [System.DirectoryServices.AccountManagement.UserPrincipal]::Current.GetAuthorizationGroups()

    ReplyDelete
  11. Command won't work, not recognized, is there a specific module to import first?????

    ReplyDelete