find members of another domain in a DL group (VBscript)

Hi,

When I look in the members tab on a DL-group in the AD-console I see all members including the ones from another domain.
But when I try to list all members of that same group via a vbscript I don't see the users from the other domain?

How can I query these users as well?

Here is a testenvironment I used

Domain A:
-Group "DL_Test002"
-User "smurf"

Domain B:
- User "smurfin"

Group "DL_Test002" members:
- "smurf"
- "smurfin"


used script:

groupDN = "CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global"
WScript.Echo "Getting members of: " & groupDN
Set objADObject = GetObject("LDAP://" & groupDN)

Call LoadMembers(objADObject)

Sub LoadMembers(ByVal ADObject)
	colstrMembers = ADObject.member

    If (IsEmpty(colstrMembers) = True) Then
        Exit sub
    End If

    If (TypeName(colstrMembers) = "String") Then
        colstrMembers = Replace(colstrMembers, "/", "\/")
        Set objGroup = GetObject("LDAP://" & colstrMembers)
		WScript.Echo "	MEMBER of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
        Exit Sub
    End If

    For j = 0 To UBound(colstrMembers)
        colstrMembers(j) = Replace(colstrMembers(j), "/", "\/")
        Set objGroup = GetObject("LDAP://" & colstrMembers(j))
		WScript.Echo "	member of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
    Next
End Sub

Open in new window



Output:

Getting members of: CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global
      member of: DL_Test002 ->
      member of: DL_Test002 -> smurf

It seems to find a blanco user? which is the user from the other domain (smurfin)


Expected output:

Getting members of: CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global
      member of: DL_Test002 -> smurfin
      member of: DL_Test002 -> smurf


      
In AD-console (AD users & computers) I can see both users as member of the group


Regards
LVL 3
joachim.claeys@teleatlas.comAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

rogerardCommented:
Add (dc=a) or !(dc=b) to you filter.
0
joachim.claeys@teleatlas.comAuthor Commented:
How do I add this filter exactly?
0
rogerardCommented:
Scratch what I said previously.

After further research, Microsoft says that you need to search the global catalog to include multiple (forest-wide) domains in your results.  To accomplish that, replace LDAP with GC in line 3.
See http://technet.microsoft.com/en-us/library/cc728188%28WS.10%29.aspx
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

joachim.claeys@teleatlas.comAuthor Commented:
I tried that already but that doesn't work because the 2 domains we're  using are not in the same forest but in 2 different ones :(

0
rogerardCommented:
Ok.  It looks like you're going to have to search each forest to get all of the results.
0
joachim.claeys@teleatlas.comAuthor Commented:
That's what I allready do but I can't get the users from "Domain B" in a group of "Domain A" and visa versa.
which I can see via the AD users & computers console.

And If I try to go the other way arround starting from a user and see what groups they are member of I cant see that a user from "Domain A" is member of a group in "Domain B" and visa versa even not via the AD users & computers console.
0
rogerardCommented:
Maybe you could reverse engineer your query.  Instead of trying to search a group's "members" for users, search for user's "memberof" for the group?  
0
joachim.claeys@teleatlas.comAuthor Commented:
That's what I tried first but then I get even less information. I don't get the group membership of the other domain at all.
(also not via the AD users & computers console).

Working via the groups I get at least empty users which are clearly the users of the other domain.
0
joachim.claeys@teleatlas.comAuthor Commented:
hi,

I just want to share that I found a solution.

The empty user objects seems not to be empty at all but they just don't have the attribute "sAMAccountName"
but the members in the membercollection (which are Distinguished Names) contains the objectSID of the user in the other domain.
and so I can bind to the userobject and get its name.
I can easily filter out the users from the other domain because they all have a referrer located in a container "ForeignSecurityPrincipals"  

I solved it with an extra function "FilterDN" (see solution below)


groupDN = "CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global"
WScript.Echo "Getting members of: " & groupDN
Set objADObject = GetObject("LDAP://" & groupDN)

Call LoadMembers(objADObject)

Sub LoadMembers(ByVal ADObject)
	colstrMembers = ADObject.member

    If (IsEmpty(colstrMembers) = True) Then
        Exit sub
    End If

    If (TypeName(colstrMembers) = "String") Then
        colstrMembers = Replace(colstrMembers, "/", "\/")
        Set objGroup = GetObject("LDAP://" & FilterDN(colstrMembers))
		WScript.Echo "	MEMBER of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
        Exit Sub
    End If

    For j = 0 To UBound(colstrMembers)
        colstrMembers(j) = Replace(colstrMembers(j), "/", "\/")
        Set objGroup = GetObject("LDAP://" & FilterDN(colstrMembers(j)))
		WScript.Echo "	member of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
    Next
End Sub

Function FilterDN(strDN)
    If InStr(strDN,"ForeignSecurityPrincipals") > 0 Then
    	strDN = Trim(Left(strDN,InStr(strDN,",")-1))
    	strDN = Trim(Mid(strDN,InStr(strDN,"=")+1))
    	strDN = "<SID=" & strDN & ">"
	End If
	FilterDN = strDN
End Function

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
rogerardCommented:
Good detective work!  The thought had occurred to me that maybe you could cross-reference on a different field, but because I didn't have a way to test my theory, I was hesitant to post.
Good job!
0
joachim.claeys@teleatlas.comAuthor Commented:
Solved
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VB Script

From novice to tech pro — start learning today.