joachim.claeys@teleatlas.com
find members of another domain in a DL group (VBscript)
Hi,
When I look in the members tab on a DL-group in the AD-console I see all members including the ones from another domain.
But when I try to list all members of that same group via a VBScript, I don't see the users from the other domain.
How can I query these users as well?
Here is the test environment I used:
Domain A:
- Group "DL_Test002"
- User "smurf"
Domain B:
- User "smurfin"
Group "DL_Test002" members:
- "smurf"
- "smurfin"
Script used:
groupDN = "CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global"
WScript.Echo "Getting members of: " & groupDN
Set objADObject = GetObject("LDAP://" & groupDN)
Call LoadMembers(objADObject)
Sub LoadMembers(ByVal ADObject)
    colstrMembers = ADObject.member
    If (IsEmpty(colstrMembers) = True) Then
        Exit Sub
    End If
    If (TypeName(colstrMembers) = "String") Then
        colstrMembers = Replace(colstrMembers, "/", "\/")
        Set objGroup = GetObject("LDAP://" & colstrMembers)
        WScript.Echo " MEMBER of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
        Exit Sub
    End If
    For j = 0 To UBound(colstrMembers)
        colstrMembers(j) = Replace(colstrMembers(j), "/", "\/")
        Set objGroup = GetObject("LDAP://" & colstrMembers(j))
        WScript.Echo " member of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
    Next
End Sub
Output:
Getting members of: CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global
member of: DL_Test002 ->
member of: DL_Test002 -> smurf
member of: DL_Test002 ->
member of: DL_Test002 -> smurf
It seems to find a blank user, which is the user from the other domain (smurfin).
Expected output:
Getting members of: CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global
member of: DL_Test002 -> smurfin
member of: DL_Test002 -> smurf
member of: DL_Test002 -> smurfin
member of: DL_Test002 -> smurf
In the AD console (AD Users & Computers) I can see both users as members of the group.
Regards
Add (dc=a) or !(dc=b) to your filter.
ASKER
How do I add this filter exactly?
Scratch what I said previously.
After further research, Microsoft says that you need to search the global catalog to include multiple (forest-wide) domains in your results. To accomplish that, replace LDAP with GC in line 3.
See http://technet.microsoft.com/en-us/library/cc728188%28WS.10%29.aspx
ASKER
I tried that already but that doesn't work because the 2 domains we're using are not in the same forest but in 2 different ones :(
Ok. It looks like you're going to have to search each forest to get all of the results.
ASKER
That's what I already do, but I can't get the users from "Domain B" in a group of "Domain A" and vice versa, which I can see via the AD Users & Computers console.
And if I try to go the other way around, starting from a user and seeing what groups they are a member of, I can't see that a user from "Domain A" is a member of a group in "Domain B" and vice versa, not even via the AD Users & Computers console.
Maybe you could reverse engineer your query. Instead of trying to search a group's "members" for users, search for user's "memberof" for the group?
ASKER
That's what I tried first but then I get even less information. I don't get the group membership of the other domain at all.
(also not via the AD users & computers console).
Working via the groups I get at least empty users which are clearly the users of the other domain.
ASKER CERTIFIED SOLUTION
This solution is only available to members of Experts Exchange.
Good detective work! The thought had occurred to me that maybe you could cross-reference on a different field, but because I didn't have a way to test my theory, I was hesitant to post.
Good job!
ASKER
Solved
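An added example, not part of the original thread or its hidden accepted solution: members that come from a trusted domain in another forest are stored in the group as foreignSecurityPrincipal objects, which carry the account's SID in their CN but have no sAMAccountName, which is why the question's script prints a blank name. The sketch below assumes the question's group DN and that the machine running it can translate SIDs across the trust; it resolves each placeholder's SID through WMI's Win32_SID class.

```vbscript
Option Explicit

' Assumption: the group DN is the one from the question's test environment.
Const GROUP_DN = "CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global"

Dim objRoot, visited
Set visited = CreateObject("Scripting.Dictionary")   ' guards against circular nesting
visited.CompareMode = vbTextCompare
Set objRoot = GetObject("LDAP://" & GROUP_DN)
WScript.Echo "Getting members of: " & GROUP_DN
ListMembers objRoot, visited

Sub ListMembers(ByVal parent, ByVal seen)
    Dim member, label
    If seen.Exists(parent.distinguishedName) Then Exit Sub
    seen.Add parent.distinguishedName, True
    ' IADsGroup.Members returns bound objects, so DNs need no manual escaping.
    For Each member In parent.Members
        Select Case LCase(member.Class)
            Case "foreignsecurityprincipal"
                ' The placeholder's CN is the SID string of the external account.
                label = ResolveSid(member.Get("cn")) & " (foreign, SID " & member.Get("cn") & ")"
            Case Else
                label = member.sAMAccountName
        End Select
        WScript.Echo " member of: " & parent.sAMAccountName & " -> " & label
        If LCase(member.Class) = "group" Then ListMembers member, seen
    Next
End Sub

' Translate a SID string to DOMAIN\account through WMI's Win32_SID class.
' Returns a marker when the SID cannot be resolved (trust down, account deleted).
Function ResolveSid(ByVal sidString)
    Dim objSid
    ResolveSid = "<unresolved>"
    On Error Resume Next
    Set objSid = GetObject("winmgmts:\\.\root\cimv2:Win32_SID.SID='" & sidString & "'")
    If Err.Number = 0 Then
        If Len(objSid.AccountName) > 0 Then
            ResolveSid = objSid.ReferencedDomainName & "\" & objSid.AccountName
        End If
    End If
    On Error GoTo 0
End Function
```

Run it with cscript.exe. An `<unresolved>` label points at a broken trust or a deleted external account, both worth reviewing when the group grants access to sensitive resources.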