Re: LDP query for user groups nested?




Yep, my memberof (http://www.joeware.net/win/free/tools/memberof.htm) command line tool will also enumerate the groups for a user like this as well. Entirely recursive.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Al Mulnick wrote:
It is painful. It is where script can be useful and your logic is correct that you need to query each additional group similar to this: http://www.rlmueller.net/Programs/EnumGroup.txt

I've since modified a version similar to this that's used for group memberships only, i.e. query a group and ask it for all of its members and chase those members that are groups, then munge. Found it useful for tracking and auditing group memberships to find out if low-level groups were being given permission via membership to high-level permissioned groups. Some very useful logic in the above link.

Anyhow, you can see the logic flow in the above example of a script. I haven't tested it across domains, but the concept should work just fine.


Al


"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message news:uwEFhaBiFHA.1048@xxxxxxxxxxxxxxxxxxxxxxx


No you can't recursively gather group memberships with a single query other than as Dean suggests using tokenGroups. Note that this will not chase into nesting into other domains.

Yes it is painful.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Eric - ARUP wrote:

Hello

Is it possible to query AD for a user to get the groups he is a member of, and if any of those groups are nested then also return those uplevel groups as well.

Currently testing this we query the user and get his memberOf, but unless we query each group we don't get the uplevel groups for those that are nested without a separate query.

thanks
e-
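The per-group chase described in the thread (read a user's memberOf, query each returned group for its own memberOf, repeat until nothing new appears), plus Al's downward variant and his audit question of whether a low-level group ends up inside a high-level one, as an added example that is not code from any of the posters. It runs against a small constructed in-memory stand-in for one AD domain, so the DNs are made up and it does not model cross-domain nesting, which Joe notes tokenGroups will not chase either.

```python
from collections import deque

# Constructed stand-in for a single AD domain (not real directory data).
# "member" lists the DNs a group directly contains; memberOf is derived by
# inverting it, because a user's memberOf only returns direct groups.
DIRECTORY = {
    "CN=Eric,OU=Users,DC=corp,DC=example": {"objectClass": "user", "member": []},
    "CN=Helpdesk,OU=Groups,DC=corp,DC=example": {"objectClass": "group",
        # Helpdesk also contains Server Ops: a nesting cycle, which AD permits
        "member": ["CN=Eric,OU=Users,DC=corp,DC=example",
                   "CN=Server Ops,OU=Groups,DC=corp,DC=example"]},
    "CN=Server Ops,OU=Groups,DC=corp,DC=example": {"objectClass": "group",
        "member": ["CN=Helpdesk,OU=Groups,DC=corp,DC=example"]},
    "CN=Domain Admins,CN=Users,DC=corp,DC=example": {"objectClass": "group",
        "member": ["CN=Server Ops,OU=Groups,DC=corp,DC=example"]},
}

def direct_member_of(directory, dn):
    """Equivalent of one memberOf read: only groups listing dn as a direct member."""
    return [g for g, attrs in directory.items()
            if attrs["objectClass"] == "group" and dn in attrs["member"]]

def nested_member_of(directory, start_dn):
    """Chase memberOf upward, one lookup per newly discovered group.
    The 'found' set stops the walk from looping on cyclic nesting."""
    found, queue = set(), deque([start_dn])
    while queue:
        for group in direct_member_of(directory, queue.popleft()):
            if group not in found:
                found.add(group)
                queue.append(group)
    return found

def expand_group(directory, group_dn):
    """Downward variant: every user that lands in group_dn at any nesting depth."""
    users, seen, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for m in directory[dn]["member"]:
            if directory[m]["objectClass"] == "group":
                stack.append(m)
            else:
                users.add(m)
    return users

def audit_reach(directory, low_group, high_group):
    """Audit check: does membership in low_group transitively confer high_group?"""
    return high_group in nested_member_of(directory, low_group)
```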





