Re: Querying AD Groups





"bxr222" <bxr222@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3532DD5C-20EC-435D-BB57-1FB4BF07DF66@xxxxxxxxxxxxxxxx
I ran into a problem today when querying AD Groups via WSH using either the LDAP or WinNT provider. When I query Global Groups for their memberships I am only returned users and not the nested Global Groups. When I query Domain Local Groups I get both users and Global Groups as output. We are on a Windows 2000 domain. Anyone have any ideas? Thanks in advance.

The WinNT provider never exposes nested groups, except in local groups. The
LDAP provider exposes groups as members of groups, but you must chase the
nesting. This is true if you use the memberOf attribute of the user or the
member attribute of the group. In both cases LDAP does not expose membership
in the "Primary" group.

The tokenGroups attribute of user objects is a multi-valued collection of
the SIDs of groups the user belongs to. It includes the "primary" group and
all nested groups (except in other domains). It requires some code to
retrieve group names. Also, it doesn't help enumerate the membership of a
group.

A sample VBScript program to document group membership with a recursive
subroutine to chase the member attributes of the groups is linked here:

http://www.rlmueller.net/List%20Members%20of%20a%20Group.htm

The program also uses the primaryGroupToken attribute to reveal "primary"
group membership. The program uses a dictionary object to reveal duplicates
(a user is a member directly, and then again due to membership in a nested
group) and also to prevent an infinite loop if the nesting is circular.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
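The approach the reply describes (chase the group's member attribute recursively, use primaryGroupToken to pick up accounts whose primary group is this group, and keep a dictionary of DNs to flag duplicates and stop circular nesting) as an added VBScript/ADSI example. This is not the script linked above nor any code from the thread; the group DN is a hypothetical value you would replace, and the script is meant to be run with cscript against a domain-joined machine.

```vbscript
Option Explicit

' Added example (not the script linked in the post). The group DN below is
' hypothetical; replace it with a group that exists in your domain.
Dim objRootDSE, strDNSDomain, strGroupDN, objGroup, objSeen
Dim objConnection, objCommand

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strGroupDN = "cn=Sales,ou=Groups," & strDNSDomain   ' hypothetical group

' Dictionary of DNs already reported. It reveals duplicates (a user listed
' directly and again through a nested group) and stops the recursion if the
' nesting is circular (A contains B, B contains A).
Set objSeen = CreateObject("Scripting.Dictionary")
objSeen.CompareMode = vbTextCompare

' ADO connection used for the primaryGroupID query.
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 200

Set objGroup = GetObject("LDAP://" & strGroupDN)
Wscript.Echo "Members of " & objGroup.sAMAccountName
Call ListMembers(objGroup, 1)

' Recursively list the members held in the group's "member" attribute.
Sub ListMembers(ByVal objADGroup, ByVal intLevel)
    Dim objMember, strIndent
    strIndent = String(2 * intLevel, " ")

    If objSeen.Exists(objADGroup.distinguishedName) Then
        ' Already expanded: nested twice, or circular nesting. Do not recurse.
        Wscript.Echo strIndent & "[already listed] " & objADGroup.sAMAccountName
        Exit Sub
    End If
    objSeen.Add objADGroup.distinguishedName, True

    For Each objMember In objADGroup.Members
        If LCase(objMember.Class) = "group" Then
            Wscript.Echo strIndent & "group: " & objMember.sAMAccountName
            Call ListMembers(objMember, intLevel + 1)
        ElseIf objSeen.Exists(objMember.distinguishedName) Then
            Wscript.Echo strIndent & "[duplicate] " & objMember.sAMAccountName
        Else
            objSeen.Add objMember.distinguishedName, True
            Wscript.Echo strIndent & objMember.Class & ": " & objMember.sAMAccountName
        End If
    Next

    ' Accounts whose primary group is this group are not in "member".
    Call ListPrimaryMembers(objADGroup, strIndent)
End Sub

' Find accounts whose primaryGroupID equals this group's RID (primaryGroupToken).
Sub ListPrimaryMembers(ByVal objADGroup, ByVal strIndent)
    Dim intToken, objRecordSet, strDN, strName

    ' primaryGroupToken is a constructed attribute: request it explicitly.
    objADGroup.GetInfoEx Array("primaryGroupToken"), 0
    intToken = objADGroup.Get("primaryGroupToken")

    objCommand.CommandText = "<LDAP://" & strDNSDomain & ">;" & _
        "(primaryGroupID=" & intToken & ");" & _
        "distinguishedName,sAMAccountName;subtree"
    Set objRecordSet = objCommand.Execute
    Do Until objRecordSet.EOF
        strDN = objRecordSet.Fields("distinguishedName").Value
        strName = objRecordSet.Fields("sAMAccountName").Value
        If objSeen.Exists(strDN) Then
            Wscript.Echo strIndent & "[duplicate] " & strName
        Else
            objSeen.Add strDN, True
            Wscript.Echo strIndent & "primary: " & strName
        End If
        objRecordSet.MoveNext
    Loop
    objRecordSet.Close
End Sub
```

The dictionary check is the part that matters for correctness: without it a circular nesting never terminates, and the same account is reported once per path it is reachable by. Groups from other domains that appear in "member" are still bound and expanded here, but their own primary-group query only covers this domain's naming context.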


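The user-centric alternative the reply mentions, reading tokenGroups and resolving each SID to a group, as an added VBScript/ADSI example (not code from the thread or from the linked site). The user DN is hypothetical; the OctetToHexStr helper converts the binary SID into the form the LDAP://<SID=...> binding string accepts.

```vbscript
Option Explicit

' Added example (not from the post). The user DN below is hypothetical.
Dim objRootDSE, strDNSDomain, strUserDN, objUser, arrSIDs, bytSID, objGroup

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strUserDN = "cn=Jane Doe,ou=Users," & strDNSDomain   ' hypothetical user

Set objUser = GetObject("LDAP://" & strUserDN)
' tokenGroups is constructed by the DC, so it must be requested explicitly.
objUser.GetInfoEx Array("tokenGroups"), 0
arrSIDs = objUser.GetEx("tokenGroups")

Wscript.Echo "Security groups of " & objUser.sAMAccountName & " (incl. primary, nested)"
For Each bytSID In arrSIDs
    On Error Resume Next
    ' SID binding lets ADSI resolve the binary SID to the group object.
    Set objGroup = GetObject("LDAP://<SID=" & OctetToHexStr(bytSID) & ">")
    If Err.Number <> 0 Then
        ' Typically a group from another domain, which tokenGroups does not cover.
        Wscript.Echo "  (unresolved) " & OctetToHexStr(bytSID)
        Err.Clear
    Else
        Wscript.Echo "  " & objGroup.sAMAccountName
    End If
    On Error GoTo 0
Next

' Convert an ADSI octet string (byte array) into a hex string.
Function OctetToHexStr(ByVal bytOctet)
    Dim i, strHex
    strHex = ""
    For i = 1 To LenB(bytOctet)
        strHex = strHex & Right("0" & Hex(AscB(MidB(bytOctet, i, 1))), 2)
    Next
    OctetToHexStr = strHex
End Function
```

Because tokenGroups is computed by the domain controller from the security token it would build for the account, it is the closer match to what Windows actually checks at logon than walking memberOf; it cannot, however, be turned around to enumerate the members of a given group.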


