lancejackson
asked on
Is there a way to view Active Directory group membership of a user account from a separate, but trusted forest?
I apologize for the complexity and wordiness of this issue in advance.
Due to the purchase of our company, by our (now) parent company, we have migrated all of our users from our original domain (let's call it OLDDOMAIN) to brand new accounts in corporate's domain (let's call it NEWDOMAIN). These domains are in different forests, but have a trust with each other. Keep in mind the migration for user accounts is complete, and we are currently employing the pre-existing OLDDOMAIN security groups in order to maintain file and print access. The way we did this was to change the established groups to Domain Local, then remove the members' OLDDOMAIN user accounts, and replace them with the members' NEWDOMAIN accounts. This was done in an effort to keep the groups from having 2 entries per user (1 for OLDDOMAIN and 1 for NEWDOMAIN).
My dilemma is that managers are constantly requesting that we copy an existing person's access to a new hire. When looking at the "Member Of" tab for each NEWDOMAIN account using the Active Directory Users and Computers tool in the NEWDOMAIN, we can only see the Security Groups the user belongs to in the NEWDOMAIN. Also, seeing as the OLDDOMAIN accounts were removed from the security groups, we have to open the properties of each and every group in the OLDDOMAIN and look for the NEWDOMAIN user account name. This is not feasible, at all, due to the sheer number of groups in the OLDDOMAIN.
My question is, "Is there any way to see which OLDDOMAIN security groups a NEWDOMAIN account is a member of without checking each OLDDOMAIN Security Group individually?" I can't seem to find a tool that will perform an appropriate query or populate the Active Directory Users and Computers tool with a cross-forest "Member Of" tab for user accounts.
Anything that uses LDAP, basically - you can do a group membership search on the remote server using trusted credentials.
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx
Or ADSI Scriptomatic?
http://technet.microsoft.com/en-us/scriptcenter/dd939958.aspx
HTH,
Kent
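
The LDAP group membership search suggested in the thread, as an added example that is not part of any poster's reply: a NEWDOMAIN account added to an OLDDOMAIN domain local group is stored in OLDDOMAIN as a foreignSecurityPrincipal object named after the account's SID, so one filter on the `member` attribute lists its groups. It assumes the RSAT ActiveDirectory module; the function name and the domain and account names are placeholders.

```powershell
# Added example, not from the original thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-CrossForestGroupMembership {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,  # account in the new forest
        [Parameter(Mandatory)] [string] $UserDomain,      # placeholder: newdomain.example
        [Parameter(Mandatory)] [string] $GroupDomain,     # placeholder: olddomain.example
        [pscredential] $GroupDomainCredential,            # optional trusted credentials
        [switch] $IncludeNested                           # also follow group-in-group nesting
    )

    # 1. Resolve the account's SID in its own domain.
    $sid = (Get-ADUser -Identity $SamAccountName -Server $UserDomain).SID.Value

    $common = @{ Server = $GroupDomain }
    if ($GroupDomainCredential) { $common.Credential = $GroupDomainCredential }

    # 2. Find the foreignSecurityPrincipal that represents that SID in the group domain.
    #    It only exists if the account was added to at least one group there.
    $fsp = Get-ADObject @common -LDAPFilter "(&(objectClass=foreignSecurityPrincipal)(cn=$sid))"
    if (-not $fsp) {
        Write-Verbose "No foreignSecurityPrincipal for $sid in $GroupDomain"
        return @()
    }

    # 3. One LDAP search for every group whose member attribute points at the FSP.
    #    The 1.2.840.113556.1.4.1941 matching rule walks nested membership server-side.
    $dn = $fsp.DistinguishedName
    $filter = if ($IncludeNested) { "(member:1.2.840.113556.1.4.1941:=$dn)" }
              else                { "(member=$dn)" }

    Get-ADGroup @common -LDAPFilter $filter |
        Sort-Object Name |
        Select-Object Name, GroupScope, DistinguishedName
}

# Example call with placeholder names:
# Get-CrossForestGroupMembership -SamAccountName jdoe `
#     -UserDomain newdomain.example -GroupDomain olddomain.example -IncludeNested
```

Comparing the output for the existing employee and the new hire before copying access shows exactly which OLDDOMAIN groups would be granted.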