Solved

find members of another domain in a DL group (VBscript)

Posted on 2010-11-09
11
1,189 Views
Last Modified: 2012-05-10
Hi,

When I look in the members tab on a DL-group in the AD-console I see all members including the ones from another domain.
But when I try to list all members of that same group via a vbscript I don't see the users from the other domain?

How can I query these users as well?

Here is a testenvironment I used

Domain A:
-Group "DL_Test002"
-User "smurf"

Domain B:
- User "smurfin"

Group "DL_Test002" members:
- "smurf"
- "smurfin"


used script:

groupDN = "CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global"
WScript.Echo "Getting members of: " & groupDN
Set objADObject = GetObject("LDAP://" & groupDN)

Call LoadMembers(objADObject)

Sub LoadMembers(ByVal ADObject)
	colstrMembers = ADObject.member

    If (IsEmpty(colstrMembers) = True) Then
        Exit sub
    End If

    If (TypeName(colstrMembers) = "String") Then
        colstrMembers = Replace(colstrMembers, "/", "\/")
        Set objGroup = GetObject("LDAP://" & colstrMembers)
		WScript.Echo "	MEMBER of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
        Exit Sub
    End If

    For j = 0 To UBound(colstrMembers)
        colstrMembers(j) = Replace(colstrMembers(j), "/", "\/")
        Set objGroup = GetObject("LDAP://" & colstrMembers(j))
		WScript.Echo "	member of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
    Next
End Sub

Open in new window



Output:

Getting members of: CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global
      member of: DL_Test002 ->
      member of: DL_Test002 -> smurf

It seems to find a blanco user? which is the user from the other domain (smurfin)


Expected output:

Getting members of: CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global
      member of: DL_Test002 -> smurfin
      member of: DL_Test002 -> smurf


      
In AD-console (AD users & computers) I can see both users as member of the group


Regards
0
Comment
  • 6
  • 5
11 Comments
 
LVL 7

Expert Comment

by:rogerard
ID: 34103029
Add (dc=a) or !(dc=b) to you filter.
0
 
LVL 3

Author Comment

by:joachim.claeys@teleatlas.com
ID: 34134354
How do I add this filter exactly?
0
 
LVL 7

Expert Comment

by:rogerard
ID: 34136515
Scratch what I said previously.

After further research, Microsoft says that you need to search the global catalog to include multiple (forest-wide) domains in your results.  To accomplish that, replace LDAP with GC in line 3.
See http://technet.microsoft.com/en-us/library/cc728188%28WS.10%29.aspx
0
 
LVL 3

Author Comment

by:joachim.claeys@teleatlas.com
ID: 34136722
I tried that already but that doesn't work because the 2 domains we're  using are not in the same forest but in 2 different ones :(

0
 
LVL 7

Expert Comment

by:rogerard
ID: 34137237
Ok.  It looks like you're going to have to search each forest to get all of the results.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 3

Author Comment

by:joachim.claeys@teleatlas.com
ID: 34137383
That's what I allready do but I can't get the users from "Domain B" in a group of "Domain A" and visa versa.
which I can see via the AD users & computers console.

And If I try to go the other way arround starting from a user and see what groups they are member of I cant see that a user from "Domain A" is member of a group in "Domain B" and visa versa even not via the AD users & computers console.
0
 
LVL 7

Expert Comment

by:rogerard
ID: 34137535
Maybe you could reverse engineer your query.  Instead of trying to search a group's "members" for users, search for user's "memberof" for the group?  
0
 
LVL 3

Author Comment

by:joachim.claeys@teleatlas.com
ID: 34143130
That's what I tried first but then I get even less information. I don't get the group membership of the other domain at all.
(also not via the AD users & computers console).

Working via the groups I get at least empty users which are clearly the users of the other domain.
0
 
LVL 3

Accepted Solution

by:
joachim.claeys@teleatlas.com earned 0 total points
ID: 34155467
hi,

I just want to share that I found a solution.

The empty user objects seems not to be empty at all but they just don't have the attribute "sAMAccountName"
but the members in the membercollection (which are Distinguished Names) contains the objectSID of the user in the other domain.
and so I can bind to the userobject and get its name.
I can easily filter out the users from the other domain because they all have a referrer located in a container "ForeignSecurityPrincipals"  

I solved it with an extra function "FilterDN" (see solution below)


groupDN = "CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global"
WScript.Echo "Getting members of: " & groupDN
Set objADObject = GetObject("LDAP://" & groupDN)

Call LoadMembers(objADObject)

Sub LoadMembers(ByVal ADObject)
	colstrMembers = ADObject.member

    If (IsEmpty(colstrMembers) = True) Then
        Exit sub
    End If

    If (TypeName(colstrMembers) = "String") Then
        colstrMembers = Replace(colstrMembers, "/", "\/")
        Set objGroup = GetObject("LDAP://" & FilterDN(colstrMembers))
		WScript.Echo "	MEMBER of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
        Exit Sub
    End If

    For j = 0 To UBound(colstrMembers)
        colstrMembers(j) = Replace(colstrMembers(j), "/", "\/")
        Set objGroup = GetObject("LDAP://" & FilterDN(colstrMembers(j)))
		WScript.Echo "	member of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
    Next
End Sub

Function FilterDN(strDN)
    If InStr(strDN,"ForeignSecurityPrincipals") > 0 Then
    	strDN = Trim(Left(strDN,InStr(strDN,",")-1))
    	strDN = Trim(Mid(strDN,InStr(strDN,"=")+1))
    	strDN = "<SID=" & strDN & ">"
	End If
	FilterDN = strDN
End Function

Open in new window

0
 
LVL 7

Expert Comment

by:rogerard
ID: 34155504
Good detective work!  The thought had occurred to me that maybe you could cross-reference on a different field, but because I didn't have a way to test my theory, I was hesitant to post.
Good job!
0
 
LVL 3

Author Closing Comment

by:joachim.claeys@teleatlas.com
ID: 34186361
Solved
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

[b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now