Solved

list active directory group members

Posted on 2006-05-22
Last Modified: 2007-12-19
Hi guys,

I'm using this code to display the members of a specified group:
Sub PullAllUserFromGroup(strDomain,strGroup)
    Dim Group
    Dim User
    ' Bind to the group through the WinNT provider
    Set Group = GetObject("WinNT://" & strDomain & "/" & strGroup & ",group")
    ' Write out the name of each direct member
    For Each User in Group.Members
      Response.Write User.Name
    Next
End Sub

This works fine except it only displays those users if they are in the same domain that the group is in.  For example the group is in Domain1.  If a user is also in Domain1 and belongs to the specified group then they will be displayed.  However if the user is in Domain2 it will not display them?!

Please help!!
Question by:NovoNordisk
12 Comments
 
LVL 7

Expert Comment

by:Inteqam
ID: 16734236
If there exists a trust between two domains that are not in the same forest, users or groups that are members of groups from other domains must have an
associated Foreign Security Principal object in the trusting domain.  This makes the search much easier: you can convert the SID of the user or group you are
looking for members of into an SDDL SID, then search the Foreign Security Principal container for a matching CN.  If you find a matching CN, retrieve the
MemberOf attribute and that will give you a basis for groups within that domain.  The MemberOf attribute will contain the FSP's direct membership.


This does not work for domains with a transitive trust within the same forest.  These domains share a GC, thus the group's membership should have a
reference in the memberof attribute (a DN that gives you a path to follow).


The key is to enumerate the trust relationships and try to locate FSPs in trusted domains and DNs within the forest.  You can use DsEnumerateDomainTrusts
to retrieve domain trust information from a given server.


Max Vaughn [MS]
Microsoft Developer Support
0
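The matching step described in the comment above, as an added Python example that is not part of the original thread: it converts a binary objectSid to its string form, compares it with the CN of entries under ForeignSecurityPrincipals, and reads the domain of same-forest members from the DC components of their DN. The function names, the SID and the member DNs are constructed for illustration.

```python
import re
import struct

def sid_to_string(raw: bytes) -> str:
    """Binary objectSid -> 'S-1-5-21-...' string, the form used as an FSP's CN."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def classify_member(dn: str) -> dict:
    """Tell a same-forest member from a foreign security principal by its DN."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]  # skip escaped commas
    domain = ".".join(p[3:] for p in parts if p.upper().startswith("DC="))
    cn = parts[0].split("=", 1)[1]
    in_fsp = any(p.upper() == "CN=FOREIGNSECURITYPRINCIPALS" for p in parts[1:])
    if in_fsp and cn.upper().startswith("S-1-"):
        # The CN is the SID; the account itself lives in the trusted domain.
        return {"kind": "foreign", "sid": cn.upper(), "held_in": domain}
    return {"kind": "forest", "name": cn, "domain": domain}

def find_fsp(raw_sid, member_dns):
    """Return the member DN whose FSP CN equals the SID string, else None."""
    wanted = sid_to_string(raw_sid)
    for dn in member_dns:
        info = classify_member(dn)
        if info["kind"] == "foreign" and info["sid"] == wanted:
            return dn
    return None

# Constructed sample data (not from the thread).
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1004336348, 1177238915, 682003330, 1105)
SAMPLE_MEMBERS = [
    "CN=Smith\\, John,OU=Staff,DC=domain1,DC=example,DC=com",
    "CN=Jane Doe,CN=Users,DC=domain2,DC=example,DC=com",
    "CN=S-1-5-21-1004336348-1177238915-682003330-1105,"
    "CN=ForeignSecurityPrincipals,DC=domain1,DC=example,DC=com",
]

if __name__ == "__main__":
    for dn in SAMPLE_MEMBERS:
        print(classify_member(dn))
    print("FSP for sample SID:", find_fsp(SAMPLE_SID, SAMPLE_MEMBERS))
```

A member classified as foreign still has to be resolved against the trusted domain to get a readable account name; the FSP object only carries the SID.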
 
LVL 8

Author Comment

by:NovoNordisk
ID: 16734263
Are you able to give me an example of how to do this??
0
 
LVL 7

Accepted Solution

by:
Inteqam earned 2000 total points
ID: 16734354
Check

http://adsi.mvps.org/adsi/CSharp/beavertail.html

 OR


' ------ SCRIPT CONFIGURATION ------
strGroupDN = "<GroupDN>"  ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

strSpaces  = " "
set dicSeenGroupMember = CreateObject("Scripting.Dictionary")
Wscript.Echo "Members of " & strGroupDN & ":"
DisplayMembers "LDAP://" & strGroupDN, strSpaces, dicSeenGroupMember

Function DisplayMembers ( strGroupADsPath, strSpaces, dicSeenGroupMember)

   set objGroup = GetObject(strGroupADsPath)
   for each objMember In objGroup.Members
      Wscript.Echo strSpaces & objMember.Name
      if objMember.Class = "group" then
         if dicSeenGroupMember.Exists(objMember.ADsPath) then
            Wscript.Echo strSpaces & "   ^ already seen group member " & _
                                     "(stopping to avoid loop)"
         else
            dicSeenGroupMember.Add objMember.ADsPath, 1
            DisplayMembers objMember.ADsPath, strSpaces & " ", _
                           dicSeenGroupMember
         end if
      end if
   next

End Function
0

 
LVL 8

Author Comment

by:NovoNordisk
ID: 16734370
Is there a way to dynamically find out the DN on the group because the group is not always in the same container as the rest of them!!
0
 
LVL 7

Expert Comment

by:Inteqam
ID: 16734427
didn't get you
0
 
LVL 8

Author Comment

by:NovoNordisk
ID: 16734470
Ignore my last post.  

I have got your code working but it still has the problem of only displaying members in the same domain as the group??
0
 
LVL 7

Expert Comment

by:Inteqam
ID: 16734538
0
 
LVL 8

Author Comment

by:NovoNordisk
ID: 16734554
I think I have this working now but I also need to know for each user what domain they belong to - can that be added into the code as well??
0
 
LVL 7

Expert Comment

by:Inteqam
ID: 16734587
0
 
LVL 8

Author Comment

by:NovoNordisk
ID: 16734599
ah not to worry -  objMember.distinguishedName returns all the info I need.  Thanks so much for your help!!
0
 
LVL 7

Expert Comment

by:Inteqam
ID: 16734721
no problem,
0


Question has a verified solution.
