?
Solved

find members of another domain in a DL group (VBscript)

Posted on 2010-11-09
11
Medium Priority
?
1,240 Views
Last Modified: 2012-05-10
Hi,

When I look in the members tab on a DL-group in the AD-console I see all members including the ones from another domain.
But when I try to list all members of that same group via a vbscript I don't see the users from the other domain?

How can I query these users as well?

Here is a testenvironment I used

Domain A:
-Group "DL_Test002"
-User "smurf"

Domain B:
- User "smurfin"

Group "DL_Test002" members:
- "smurf"
- "smurfin"


used script:

groupDN = "CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global"
WScript.Echo "Getting members of: " & groupDN
Set objADObject = GetObject("LDAP://" & groupDN)

Call LoadMembers(objADObject)

Sub LoadMembers(ByVal ADObject)
	colstrMembers = ADObject.member

    If (IsEmpty(colstrMembers) = True) Then
        Exit sub
    End If

    If (TypeName(colstrMembers) = "String") Then
        colstrMembers = Replace(colstrMembers, "/", "\/")
        Set objGroup = GetObject("LDAP://" & colstrMembers)
		WScript.Echo "	MEMBER of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
        Exit Sub
    End If

    For j = 0 To UBound(colstrMembers)
        colstrMembers(j) = Replace(colstrMembers(j), "/", "\/")
        Set objGroup = GetObject("LDAP://" & colstrMembers(j))
		WScript.Echo "	member of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
    Next
End Sub

Open in new window



Output:

Getting members of: CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global
      member of: DL_Test002 ->
      member of: DL_Test002 -> smurf

It seems to find a blanco user? which is the user from the other domain (smurfin)


Expected output:

Getting members of: CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global
      member of: DL_Test002 -> smurfin
      member of: DL_Test002 -> smurf


      
In AD-console (AD users & computers) I can see both users as member of the group


Regards
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
11 Comments
 
LVL 7

Expert Comment

by:rogerard
ID: 34103029
Add (dc=a) or !(dc=b) to you filter.
0
 
LVL 3

Author Comment

by:joachim.claeys@teleatlas.com
ID: 34134354
How do I add this filter exactly?
0
 
LVL 7

Expert Comment

by:rogerard
ID: 34136515
Scratch what I said previously.

After further research, Microsoft says that you need to search the global catalog to include multiple (forest-wide) domains in your results.  To accomplish that, replace LDAP with GC in line 3.
See http://technet.microsoft.com/en-us/library/cc728188%28WS.10%29.aspx
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 3

Author Comment

by:joachim.claeys@teleatlas.com
ID: 34136722
I tried that already but that doesn't work because the 2 domains we're  using are not in the same forest but in 2 different ones :(

0
 
LVL 7

Expert Comment

by:rogerard
ID: 34137237
Ok.  It looks like you're going to have to search each forest to get all of the results.
0
 
LVL 3

Author Comment

by:joachim.claeys@teleatlas.com
ID: 34137383
That's what I allready do but I can't get the users from "Domain B" in a group of "Domain A" and visa versa.
which I can see via the AD users & computers console.

And If I try to go the other way arround starting from a user and see what groups they are member of I cant see that a user from "Domain A" is member of a group in "Domain B" and visa versa even not via the AD users & computers console.
0
 
LVL 7

Expert Comment

by:rogerard
ID: 34137535
Maybe you could reverse engineer your query.  Instead of trying to search a group's "members" for users, search for user's "memberof" for the group?  
0
 
LVL 3

Author Comment

by:joachim.claeys@teleatlas.com
ID: 34143130
That's what I tried first but then I get even less information. I don't get the group membership of the other domain at all.
(also not via the AD users & computers console).

Working via the groups I get at least empty users which are clearly the users of the other domain.
0
 
LVL 3

Accepted Solution

by:
joachim.claeys@teleatlas.com earned 0 total points
ID: 34155467
hi,

I just want to share that I found a solution.

The empty user objects seems not to be empty at all but they just don't have the attribute "sAMAccountName"
but the members in the membercollection (which are Distinguished Names) contains the objectSID of the user in the other domain.
and so I can bind to the userobject and get its name.
I can easily filter out the users from the other domain because they all have a referrer located in a container "ForeignSecurityPrincipals"  

I solved it with an extra function "FilterDN" (see solution below)


groupDN = "CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global"
WScript.Echo "Getting members of: " & groupDN
Set objADObject = GetObject("LDAP://" & groupDN)

Call LoadMembers(objADObject)

Sub LoadMembers(ByVal ADObject)
	colstrMembers = ADObject.member

    If (IsEmpty(colstrMembers) = True) Then
        Exit sub
    End If

    If (TypeName(colstrMembers) = "String") Then
        colstrMembers = Replace(colstrMembers, "/", "\/")
        Set objGroup = GetObject("LDAP://" & FilterDN(colstrMembers))
		WScript.Echo "	MEMBER of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
        Exit Sub
    End If

    For j = 0 To UBound(colstrMembers)
        colstrMembers(j) = Replace(colstrMembers(j), "/", "\/")
        Set objGroup = GetObject("LDAP://" & FilterDN(colstrMembers(j)))
		WScript.Echo "	member of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
    Next
End Sub

Function FilterDN(strDN)
    If InStr(strDN,"ForeignSecurityPrincipals") > 0 Then
    	strDN = Trim(Left(strDN,InStr(strDN,",")-1))
    	strDN = Trim(Mid(strDN,InStr(strDN,"=")+1))
    	strDN = "<SID=" & strDN & ">"
	End If
	FilterDN = strDN
End Function

Open in new window

0
 
LVL 7

Expert Comment

by:rogerard
ID: 34155504
Good detective work!  The thought had occurred to me that maybe you could cross-reference on a different field, but because I didn't have a way to test my theory, I was hesitant to post.
Good job!
0
 
LVL 3

Author Closing Comment

by:joachim.claeys@teleatlas.com
ID: 34186361
Solved
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question