Is there a way to view Active Directory group membership of a user account from a separate, but trusted forest?

lancejackson asked:
I apologize for the complexity and wordiness of this issue in advance.  

Due to the purchase of our company, by our (now) parent company, we have migrated all of our users from our original domain (let's call it OLDDOMAIN) to brand new accounts in corporate's domain (let's call it NEWDOMAIN).  These domains are in different forests, but have a trust with each other.  Keep in mind the migration for user accounts is complete, and we are currently employing the pre-existing OLDDOMAIN security groups in order to maintain file and print access.  The way we did this was to change the established groups to Domain Local, then remove the members' OLDDOMAIN user accounts, and replace them with the members' NEWDOMAIN accounts.  This was done in an effort to keep the groups from having 2 entries per user (1 for OLDDOMAIN and 1 for NEWDOMAIN).  

My dilemma is that managers are constantly requesting that we copy an existing person's access to a new hire.  When looking at the "Member Of" tab for each NEWDOMAIN account using the Active Directory Users and Computers tool in the NEWDOMAIN, we can only see the Security Groups the user belongs to in the NEWDOMAIN.  Also, seeing as the OLDDOMAIN accounts were removed from the security groups, we have to open the properties of each and every group in the OLDDOMAIN and look for the NEWDOMAIN user account name.  This is not feasible, at all, due to the sheer number of groups in the OLDDOMAIN.  

My question is, "Is there any way to see which OLDDOMAIN security groups a NEWDOMAIN account is a member of without checking each OLDDOMAIN Security Group individually?"  I can't seem to find a tool that will perform an appropriate query or populate the Active Directory Users and Computers tool with a cross-forest "Member Of" tab for user accounts.  
Kent Dyer (IT Security Analyst Senior) commented:

Senior Systems Admin (Top Expert 2010) commented:
You can only view the group membership of a user in their local domain. You can view the memberships of the groups in the old domain, but you have to access the member list of the group to do so. Realistically, the best way to handle your situation would be to create Global groups in the New domain that match the Domain Local groups in the old domain, then make those Global groups members of the Domain Local groups in the old domain. This is known as the AGDLP group management strategy. That way, you can look at the users in the New domain and see which groups they are in that are tied to the old domain.
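The AGDLP restructuring this answer recommends, as an added example (not code from the thread or from any Experts Exchange author): for one OLDDOMAIN Domain Local group it creates a matching Global group in NEWDOMAIN, moves the NEWDOMAIN users currently sitting in the OLDDOMAIN group into it, nests the Global group in the OLDDOMAIN group, and then drops the individual entries so each user keeps a single membership. The DC names, the target OU, the group name `FS-Finance-RW` and the `OLDDOMAIN-` naming prefix are all assumed placeholders; the script relies on the RSAT `ActiveDirectory` module and on the running account having write rights in both domains.

```powershell
# Added example, not from the thread or from any Experts Exchange author.
# Applies AGDLP for one OLDDOMAIN Domain Local group. Without -Commit it only
# reports what it would do; with -Commit it modifies both directories.
# Assumptions (placeholders): RSAT ActiveDirectory module, DC host names,
# the OU for new groups, and the OLDDOMAIN group name 'FS-Finance-RW'.
param(
    [string]$OldGroupName = 'FS-Finance-RW',
    [string]$NewDomainDC  = 'dc1.newdomain.example',
    [string]$OldDomainDC  = 'dc1.olddomain.example',
    [string]$NewGroupOU   = 'OU=Resource Groups,DC=newdomain,DC=example',
    [switch]$Commit
)
Import-Module ActiveDirectory

$oldGroup = Get-ADGroup -Identity $OldGroupName -Server $OldDomainDC -Properties member
if ($oldGroup.GroupScope -ne 'DomainLocal') {
    throw "$OldGroupName is $($oldGroup.GroupScope); AGDLP expects the resource group to be Domain Local."
}

# Members from the trusted forest are stored as foreignSecurityPrincipal objects
# whose CN is the member's SID. Resolve each SID back to a NEWDOMAIN user; a SID
# that does not resolve (a group, or an orphaned principal) is left untouched.
$fspBase  = "CN=ForeignSecurityPrincipals,$((Get-ADRootDSE -Server $OldDomainDC).defaultNamingContext)"
$newUsers = foreach ($dn in $oldGroup.member) {
    if ($dn -notlike "*,$fspBase") { continue }
    $sid = ($dn -split ',')[0] -replace '^CN='      # SIDs contain no commas
    try   { Get-ADUser -Identity $sid -Server $NewDomainDC }
    catch { Write-Warning "SID $sid in $OldGroupName does not resolve to a NEWDOMAIN user; skipping" }
}

# Name the Global group after the resource group so the mapping is visible
# on the user's "Member Of" tab in NEWDOMAIN.
$newGroupName = "OLDDOMAIN-$OldGroupName"
Write-Host "Global group $newGroupName in $NewGroupOU would receive $(@($newUsers).Count) member(s):"
$newUsers | ForEach-Object { Write-Host "  $($_.SamAccountName)" }
if (-not $Commit) { return }

$newGroup = Get-ADGroup -Filter "Name -eq '$newGroupName'" -Server $NewDomainDC
if (-not $newGroup) {
    $newGroup = New-ADGroup -Name $newGroupName -GroupScope Global -GroupCategory Security `
        -Path $NewGroupOU -Server $NewDomainDC -PassThru `
        -Description "AGDLP: maps to OLDDOMAIN\$OldGroupName"
}
if ($newUsers) {
    Add-ADGroupMember -Identity $newGroup -Members $newUsers -Server $NewDomainDC
}

# Nest the NEWDOMAIN Global group in the OLDDOMAIN Domain Local group. Passing
# the group object rather than its DN lets the OLDDOMAIN DC create the matching
# foreign security principal for the group's SID.
Add-ADGroupMember -Identity $oldGroup -Members $newGroup -Server $OldDomainDC

# The users are now reached through the Global group, so remove their direct
# entries and keep one membership per user, as the question asks.
if ($newUsers) {
    Remove-ADGroupMember -Identity $oldGroup -Members $newUsers -Server $OldDomainDC -Confirm:$false
}
```

Run it once per OLDDOMAIN resource group, first without `-Commit` to review the member list it resolved. Nesting a NEWDOMAIN group across the trust works for the same reason a NEWDOMAIN user does: the OLDDOMAIN DC records the group's SID as a foreign security principal, and that SID arrives in the user's token when they authenticate to OLDDOMAIN resources.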
Dave Howe (Software and Hardware Engineer) commented:
Anything that uses LDAP, basically - you can do a group membership search on the remote server using trusted credentials.
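The LDAP search this answer describes, as an added example (not code from the thread or from any Experts Exchange author): it resolves the NEWDOMAIN account to its SID, locates the foreign security principal that OLDDOMAIN created for that SID, and then asks an OLDDOMAIN domain controller for every group that contains it, directly or through nesting. The DC host names and the account name `jdoe` are assumed placeholders, the RSAT `ActiveDirectory` module is assumed to be installed, and `-OldDomainCredential` is an assumed optional parameter for the case where the caller's own NEWDOMAIN credentials are not accepted across the trust.

```powershell
# Added example, not from the thread or from any Experts Exchange author.
# Lists the OLDDOMAIN groups a NEWDOMAIN account belongs to by querying an
# OLDDOMAIN DC over LDAP with credentials the trust accepts.
# Assumptions (placeholders): RSAT ActiveDirectory module, DC host names,
# and the sAMAccountName 'jdoe'.
param(
    [string]$NewDomainUser = 'jdoe',
    [string]$NewDomainDC   = 'dc1.newdomain.example',
    [string]$OldDomainDC   = 'dc1.olddomain.example',
    [System.Management.Automation.PSCredential]$OldDomainCredential   # optional
)
Import-Module ActiveDirectory

# Common parameters for every OLDDOMAIN query; -Credential only when supplied.
$old = @{ Server = $OldDomainDC }
if ($OldDomainCredential) { $old.Credential = $OldDomainCredential }

# 1. Cross-forest membership is recorded by SID, not by name, so resolve the SID first.
$sid = (Get-ADUser -Identity $NewDomainUser -Server $NewDomainDC).SID.Value

# 2. OLDDOMAIN represents a member from the trusted forest as a
#    foreignSecurityPrincipal object under CN=ForeignSecurityPrincipals whose
#    CN is the SID string. Its memberOf back-link holds the direct memberships.
$oldRoot = (Get-ADRootDSE @old).defaultNamingContext
$fsp = Get-ADObject @old -SearchBase "CN=ForeignSecurityPrincipals,$oldRoot" `
           -LDAPFilter "(&(objectClass=foreignSecurityPrincipal)(objectSid=$sid))" `
           -Properties memberOf
if (-not $fsp) {
    Write-Warning "No foreign security principal for $NewDomainUser ($sid) in OLDDOMAIN: the account is in no OLDDOMAIN group."
    return
}

# 3. Direct and nested memberships in one server-side query, using the
#    LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941) on 'member'.
$groups = Get-ADGroup @old -Properties groupScope `
              -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($fsp.DistinguishedName))"

$groups |
    Select-Object @{ n = 'Group';  e = { $_.Name } },
                  @{ n = 'Scope';  e = { $_.groupScope } },
                  @{ n = 'Direct'; e = { $fsp.memberOf -contains $_.DistinguishedName } } |
    Sort-Object Direct, Group |
    Format-Table -AutoSize
```

Run it from a NEWDOMAIN session; over a forest trust the caller's Kerberos ticket normally satisfies the OLDDOMAIN DC, so `-OldDomainCredential` is only needed when that fails. The same query, pointed at the foreign security principal container as a whole, is also a quick way to spot principals whose SID no longer resolves in NEWDOMAIN, which is worth reviewing after a migration like the one described.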
Awarded 2009, Top Expert 2010, commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
