NovoNordisk

asked on

list active directory group members

Hi guys,

I'm using this code to display the members of a specified group:
Sub PullAllUserFromGroup(strDomain, strGroup)
    Dim Group
    Dim User
    ' Bind to the group through the WinNT provider
    Set Group = GetObject("WinNT://" & strDomain & "/" & strGroup & ",group")
    ' Write out the name of each member of the group
    For Each User In Group.Members
        Response.Write User.Name
    Next
End Sub

This works fine except it only displays those users if they are in the same domain that the group is in.  For example the group is in Domain1.  If a user is also in Domain1 and belongs to the specified group then they will be displayed.  However if the user is in Domain2 it will not display them?!

Please help!!
Inteqam

If there exists a trust between two domains that are not in the same forest, users or groups that are members of groups from other domains must have an associated Foreign Security Principal object in the trusting domain.  This makes the search much easier: you can convert the SID of the user or group you are looking for members of into an SDDL SID, then search the Foreign Security Principal container for a matching CN.  If you find a matching CN, retrieve the MemberOf attribute and that will give you a basis for groups within that domain.  The MemberOf attribute will contain the FSP's direct membership.

This does not work for domains with a transitive trust within the same forest.  These domains share a GC, thus the group's membership should have a reference in the memberof attribute (DN that gives you a path to follow).

The key is to enumerate the trust relationships and try to locate FSPs in trusted domains and DNs within the forest.  You can use DsEnumerateDomainTrusts to retrieve domain trust information from a given server.

Max Vaughn [MS]
Microsoft Developer Support
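
The SID-to-FSP lookup described in the answer above, as an added example that is not part of the original posts or of the members-only solution. It is written in Python rather than the thread's VBScript so it runs without a directory; the function names, the example.com domain and the sample SID are constructed assumptions.

```python
import struct

def sid_to_sddl(raw):
    """Convert a binary objectSid value to its SDDL string form (S-1-5-21-...)."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit authority, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])    # 32-bit sub-authorities, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        step = 2 if dn[i] == "\\" else 1   # keep an escaped character with its backslash
        if dn[i] == ",":
            parts.append(cur.lstrip())
            cur = ""
        else:
            cur += dn[i:i + step]
        i += step
    parts.append(cur.lstrip())
    return parts

def fsp_dn(sid, domain_dn):
    """DN of the Foreign Security Principal object for sid in the trusting domain."""
    return "CN=%s,CN=ForeignSecurityPrincipals,%s" % (sid, domain_dn)

def classify_member(dn):
    """Report which domain a member DN sits in and whether it is an FSP placeholder."""
    rdns = split_dn(dn)
    domain = ".".join(r[3:] for r in rdns if r.upper().startswith("DC="))
    foreign = (len(rdns) > 1 and rdns[1].upper() == "CN=FOREIGNSECURITYPRINCIPALS"
               and rdns[0].upper().startswith("CN=S-1-"))
    # For an FSP the DC= parts name the trusting domain, not the account's own
    # domain: the SID still has to be resolved in the trusted domain.
    return {"domain": domain, "foreign": foreign, "sid": rdns[0][3:] if foreign else None}

# Constructed sample data, not taken from a real directory.
SAMPLE_SID = bytes.fromhex("010500000000000515000000" "01000000" "02000000"
                           "03000000" "e9030000")
SAMPLE_MEMBERS = [
    "CN=Smith\\, Jane,OU=Staff,DC=domain1,DC=example,DC=com",
    fsp_dn(sid_to_sddl(SAMPLE_SID), "DC=domain1,DC=example,DC=com"),
]

if __name__ == "__main__":
    for member in SAMPLE_MEMBERS:
        print(member, "->", classify_member(member))
```

When auditing a group, any member flagged as foreign is only a placeholder in the group's domain, so report its resolved account rather than the FSP's DN.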
NovoNordisk

ASKER

Are you able to give me an example of how to do this??
ASKER CERTIFIED SOLUTION
Inteqam

Is there a way to dynamically find out the DN on the group because the group is not always in the same container as the rest of them!!
didn't get you
Ignore my last post.  

I have got your code working but it still has the problem of only displaying members in the same domain as the group??
I think I have this working now but I also need to know for each user what domain they belong to - can that be added into the code as well??
ah not to worry -  objMember.distinguishedName returns all the info I need.  Thanks so much for your help!!
no problem,