Solved

find members of another domain in a DL group (VBscript)

Posted on 2010-11-09
11
1,205 Views
Last Modified: 2012-05-10
Hi,

When I look at the Members tab of a DL group in the AD console I see all members, including the ones from another domain.
But when I try to list all members of that same group via a VBScript I don't see the users from the other domain.

How can I query these users as well?

Here is the test environment I used:

Domain A:
-Group "DL_Test002"
-User "smurf"

Domain B:
- User "smurfin"

Group "DL_Test002" members:
- "smurf"
- "smurfin"


used script:

groupDN = "CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global"
WScript.Echo "Getting members of: " & groupDN
Set objADObject = GetObject("LDAP://" & groupDN)

Call LoadMembers(objADObject)

' Recursively list the members of a group (and of any nested groups)
Sub LoadMembers(ByVal ADObject)
    colstrMembers = ADObject.member

    ' No members at all: the "member" property comes back Empty
    If (IsEmpty(colstrMembers) = True) Then
        Exit Sub
    End If

    ' Exactly one member: ADSI returns a single string instead of an array
    If (TypeName(colstrMembers) = "String") Then
        ' A forward slash inside a DN must be escaped in an ADsPath
        colstrMembers = Replace(colstrMembers, "/", "\/")
        Set objGroup = GetObject("LDAP://" & colstrMembers)
        WScript.Echo vbTab & "member of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
        Exit Sub
    End If

    ' Several members: walk the array of distinguished names
    For j = 0 To UBound(colstrMembers)
        colstrMembers(j) = Replace(colstrMembers(j), "/", "\/")
        Set objGroup = GetObject("LDAP://" & colstrMembers(j))
        WScript.Echo vbTab & "member of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
    Next
End Sub

Output:

Getting members of: CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global
      member of: DL_Test002 ->
      member of: DL_Test002 -> smurf

It seems to find a blank user, which is the user from the other domain (smurfin).


Expected output:

Getting members of: CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global
      member of: DL_Test002 -> smurfin
      member of: DL_Test002 -> smurf


      
In the AD console (AD Users & Computers) I can see both users as members of the group.


Regards
0
11 Comments
 
LVL 7

Expert Comment

by:rogerard
ID: 34103029
Add (dc=a) or !(dc=b) to your filter.
0
 
LVL 3

Author Comment

by:joachim.claeys@teleatlas.com
ID: 34134354
How do I add this filter exactly?
0
 
LVL 7

Expert Comment

by:rogerard
ID: 34136515
Scratch what I said previously.

After further research, Microsoft says that you need to search the global catalog to include multiple (forest-wide) domains in your results.  To accomplish that, replace LDAP with GC in line 3.
See http://technet.microsoft.com/en-us/library/cc728188%28WS.10%29.aspx
0
 
LVL 3

Author Comment

by:joachim.claeys@teleatlas.com
ID: 34136722
I tried that already but that doesn't work because the 2 domains we're using are not in the same forest but in 2 different ones :(

0
 
LVL 7

Expert Comment

by:rogerard
ID: 34137237
Ok.  It looks like you're going to have to search each forest to get all of the results.
0
 
LVL 3

Author Comment

by:joachim.claeys@teleatlas.com
ID: 34137383
That's what I already do, but I can't get the users from "Domain B" in a group of "Domain A" and vice versa,
which I can see via the AD Users & Computers console.

And if I try to go the other way around, starting from a user and seeing what groups they are a member of, I can't see that a user from "Domain A" is a member of a group in "Domain B" and vice versa, not even via the AD Users & Computers console.
0
 
LVL 7

Expert Comment

by:rogerard
ID: 34137535
Maybe you could reverse engineer your query.  Instead of trying to search a group's "members" for users, search for user's "memberof" for the group?  
0
 
LVL 3

Author Comment

by:joachim.claeys@teleatlas.com
ID: 34143130
That's what I tried first but then I get even less information. I don't get the group membership of the other domain at all.
(also not via the AD users & computers console).

Working via the groups I get at least empty users which are clearly the users of the other domain.
0
 
LVL 3

Accepted Solution

by:
joachim.claeys@teleatlas.com earned 0 total points
ID: 34155467
hi,

I just want to share that I found a solution.

The empty user objects seem not to be empty at all; they just don't have the attribute "sAMAccountName".
But the members in the member collection (which are distinguished names) contain the objectSID of the user in the other domain,
and so I can bind to the user object and get its name.
I can easily filter out the users from the other domain because they all have a referrer located in a container "ForeignSecurityPrincipals".

I solved it with an extra function "FilterDN" (see solution below)


groupDN = "CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global"
WScript.Echo "Getting members of: " & groupDN
Set objADObject = GetObject("LDAP://" & groupDN)

Call LoadMembers(objADObject)

' Recursively list the members of a group (and of any nested groups)
Sub LoadMembers(ByVal ADObject)
    colstrMembers = ADObject.member

    ' No members at all: the "member" property comes back Empty
    If (IsEmpty(colstrMembers) = True) Then
        Exit Sub
    End If

    ' Exactly one member: ADSI returns a single string instead of an array
    If (TypeName(colstrMembers) = "String") Then
        ' A forward slash inside a DN must be escaped in an ADsPath
        colstrMembers = Replace(colstrMembers, "/", "\/")
        Set objGroup = GetObject("LDAP://" & FilterDN(colstrMembers))
        WScript.Echo vbTab & "member of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
        Exit Sub
    End If

    ' Several members: walk the array of distinguished names
    For j = 0 To UBound(colstrMembers)
        colstrMembers(j) = Replace(colstrMembers(j), "/", "\/")
        Set objGroup = GetObject("LDAP://" & FilterDN(colstrMembers(j)))
        WScript.Echo vbTab & "member of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
    Next
End Sub

' Members from the other forest live under CN=ForeignSecurityPrincipals and carry
' no sAMAccountName; their CN is the user's SID, so bind by SID instead of by DN
Function FilterDN(strDN)
    If InStr(strDN, "ForeignSecurityPrincipals") > 0 Then
        ' Keep only the first RDN: "CN=S-1-5-21-..."
        strDN = Trim(Left(strDN, InStr(strDN, ",") - 1))
        ' Drop the "CN=" prefix, leaving the bare SID
        strDN = Trim(Mid(strDN, InStr(strDN, "=") + 1))
        ' ADSI accepts a SID binding string of the form <SID=S-1-5-...>
        strDN = "<SID=" & strDN & ">"
    End If
    FilterDN = strDN
End Function

0
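The DN handling behind the accepted solution, written out as an added Python example that is not code from the original post and runs offline against a constructed member list: it splits a member DN into RDNs while honouring backslash-escaped commas, recognises entries under CN=ForeignSecurityPrincipals, checks that their CN really is a SID before building the <SID=...> binding string, and normalises the three shapes the ADSI member property can take (Empty, a single string, an array). The user DN and the SID in SAMPLE_MEMBER are made-up values; only the group path and the names smurf/smurfin come from the question.

```python
import re
from typing import Dict, List, Union

# Textual Windows SID: S-1-<identifier authority>-<sub authority>...
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def split_dn(dn: str) -> List[str]:
    """Split a distinguished name into its RDNs, keeping backslash-escaped
    commas (RFC 4514) inside the value they belong to."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair as-is
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def classify_member(dn: str) -> Dict[str, str]:
    """Decide how one member DN should be bound. An object whose parent RDN is
    CN=ForeignSecurityPrincipals represents a principal from another forest;
    its CN is that principal's SID, so it is bound by <SID=...>. Everything
    else is bound by its DN, with '/' escaped as in an ADsPath."""
    rdns = split_dn(dn)
    is_fsp = any(r.lower() == "cn=foreignsecurityprincipals" for r in rdns[1:])
    if is_fsp:
        attr, _, value = rdns[0].partition("=")
        sid = value.strip()
        if attr.strip().upper() != "CN" or not SID_RE.match(sid):
            raise ValueError(f"unexpected ForeignSecurityPrincipals entry: {dn}")
        return {"kind": "foreign", "sid": sid, "bind": f"LDAP://<SID={sid}>"}
    return {"kind": "local", "dn": dn, "bind": "LDAP://" + dn.replace("/", "\\/")}


def classify_members(member: Union[None, str, List[str]]) -> List[Dict[str, str]]:
    """The ADSI 'member' property is Empty (None here) for no members, a bare
    string for exactly one member and an array otherwise; handle all three."""
    if member is None:
        return []
    if isinstance(member, str):
        member = [member]
    return [classify_member(dn) for dn in member]


# Constructed sample mirroring the question: one user from the group's own
# domain and one foreign security principal standing in for "smurfin" from
# the other forest. The user DN and the SID are invented for this example.
SAMPLE_MEMBER = [
    "CN=smurf,OU=Users,OU=Temp,DC=A,DC=global",
    "CN=S-1-5-21-1111111111-2222222222-3333333333-1105,CN=ForeignSecurityPrincipals,DC=A,DC=global",
]

if __name__ == "__main__":
    for m in classify_members(SAMPLE_MEMBER):
        print(m["kind"], m["bind"])
```

For an access review this split matters: as the asker found, the memberOf side of the user in the other forest never shows these memberships, so enumerating from the group and resolving the foreign entries by SID is the only way to see who from the trusted forest has been granted the group's rights.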
 
LVL 7

Expert Comment

by:rogerard
ID: 34155504
Good detective work!  The thought had occurred to me that maybe you could cross-reference on a different field, but because I didn't have a way to test my theory, I was hesitant to post.
Good job!
0
 
LVL 3

Author Closing Comment

by:joachim.claeys@teleatlas.com
ID: 34186361
Solved
0
