Solved

find members of another domain in a DL group (VBscript)

Posted on 2010-11-09
Last Modified: 2012-05-10
Hi,

When I look in the Members tab of a DL group in the AD console I see all members, including the ones from another domain.
But when I try to list all members of that same group via a VBScript I don't see the users from the other domain?

How can I query these users as well?

Here is the test environment I used:

Domain A:
-Group "DL_Test002"
-User "smurf"

Domain B:
- User "smurfin"

Group "DL_Test002" members:
- "smurf"
- "smurfin"


used script:

groupDN = "CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global"
WScript.Echo "Getting members of: " & groupDN
Set objADObject = GetObject("LDAP://" & groupDN)

Call LoadMembers(objADObject)

' Recursively lists the "member" attribute of an AD object. ADSI returns the
' attribute as a String when there is one value and as an array otherwise.
Sub LoadMembers(ByVal ADObject)
    colstrMembers = ADObject.member

    If IsEmpty(colstrMembers) Then
        Exit Sub
    End If

    If TypeName(colstrMembers) = "String" Then
        ' "/" is a separator in an ADsPath, so it must be escaped before binding
        colstrMembers = Replace(colstrMembers, "/", "\/")
        Set objGroup = GetObject("LDAP://" & colstrMembers)
        WScript.Echo vbTab & "member of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
        Exit Sub
    End If

    For j = 0 To UBound(colstrMembers)
        colstrMembers(j) = Replace(colstrMembers(j), "/", "\/")
        Set objGroup = GetObject("LDAP://" & colstrMembers(j))
        WScript.Echo vbTab & "member of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
    Next
End Sub



Output:

Getting members of: CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global
      member of: DL_Test002 ->
      member of: DL_Test002 -> smurf

It seems to find a blank user, which is the user from the other domain (smurfin).


Expected output:

Getting members of: CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global
      member of: DL_Test002 -> smurfin
      member of: DL_Test002 -> smurf


In the AD console (AD Users & Computers) I can see both users as members of the group.


Regards
0
 
LVL 7

Expert Comment

by:rogerard
ID: 34103029
Add (dc=a) or !(dc=b) to your filter.
0
 
LVL 3

Author Comment

by:joachim.claeys@teleatlas.com
ID: 34134354
How do I add this filter exactly?
0
 
LVL 7

Expert Comment

by:rogerard
ID: 34136515
Scratch what I said previously.

After further research, Microsoft says that you need to search the global catalog to include multiple (forest-wide) domains in your results.  To accomplish that, replace LDAP with GC in line 3.
See http://technet.microsoft.com/en-us/library/cc728188%28WS.10%29.aspx
0
LVL 3

Author Comment

by:joachim.claeys@teleatlas.com
ID: 34136722
I tried that already, but that doesn't work because the 2 domains we're using are not in the same forest but in 2 different ones :(

0
 
LVL 7

Expert Comment

by:rogerard
ID: 34137237
Ok.  It looks like you're going to have to search each forest to get all of the results.
0
 
LVL 3

Author Comment

by:joachim.claeys@teleatlas.com
ID: 34137383
That's what I already do, but I can't get the users from "Domain B" in a group of "Domain A" and vice versa,
which I can see via the AD Users & Computers console.

And if I try to go the other way around, starting from a user and looking at what groups they are a member of, I can't see that a user from "Domain A" is a member of a group in "Domain B" and vice versa, not even via the AD Users & Computers console.
0
 
LVL 7

Expert Comment

by:rogerard
ID: 34137535
Maybe you could reverse engineer your query.  Instead of trying to search a group's "members" for users, search for user's "memberof" for the group?  
0
 
LVL 3

Author Comment

by:joachim.claeys@teleatlas.com
ID: 34143130
That's what I tried first, but then I get even less information. I don't get the group membership of the other domain at all
(also not via the AD Users & Computers console).

Working via the groups I at least get empty users, which are clearly the users of the other domain.
0
 
LVL 3

Accepted Solution

by:
joachim.claeys@teleatlas.com earned 0 total points
ID: 34155467
Hi,

I just want to share that I found a solution.

The empty user objects seem not to be empty at all; they just don't have the attribute "sAMAccountName".
But the members in the member collection (which are distinguished names) contain the objectSID of the user in the other domain,
and so I can bind to the user object and get its name.
I can easily filter out the users from the other domain because they all have a referrer located in a container "ForeignSecurityPrincipals".

I solved it with an extra function "FilterDN" (see solution below).


groupDN = "CN=DL_Test002,OU=Groups,OU=Temp,DC=A,DC=global"
WScript.Echo "Getting members of: " & groupDN
Set objADObject = GetObject("LDAP://" & groupDN)

Call LoadMembers(objADObject)

' Recursively lists the "member" attribute of an AD object. ADSI returns the
' attribute as a String when there is one value and as an array otherwise.
Sub LoadMembers(ByVal ADObject)
    colstrMembers = ADObject.member

    If IsEmpty(colstrMembers) Then
        Exit Sub
    End If

    If TypeName(colstrMembers) = "String" Then
        ' "/" is a separator in an ADsPath, so it must be escaped before binding
        colstrMembers = Replace(colstrMembers, "/", "\/")
        Set objGroup = GetObject("LDAP://" & FilterDN(colstrMembers))
        WScript.Echo vbTab & "member of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
        Exit Sub
    End If

    For j = 0 To UBound(colstrMembers)
        colstrMembers(j) = Replace(colstrMembers(j), "/", "\/")
        Set objGroup = GetObject("LDAP://" & FilterDN(colstrMembers(j)))
        WScript.Echo vbTab & "member of: " & ADObject.sAMAccountName & " > " & objGroup.sAMAccountName
        Call LoadMembers(objGroup)
    Next
End Sub

' Turns the DN of a foreign security principal into a SID binding string.
' The CN of an object under CN=ForeignSecurityPrincipals is the objectSid of the
' principal in the other forest, so "CN=S-1-5-21-...,CN=ForeignSecurityPrincipals,..."
' becomes "<SID=S-1-5-21-...>", which ADSI can bind to. Any other DN is returned unchanged.
Function FilterDN(strDN)
    If InStr(strDN, "ForeignSecurityPrincipals") > 0 Then
        strDN = Trim(Left(strDN, InStr(strDN, ",") - 1))   ' first RDN: "CN=S-1-5-..."
        strDN = Trim(Mid(strDN, InStr(strDN, "=") + 1))    ' value only: "S-1-5-..."
        strDN = "<SID=" & strDN & ">"
    End If
    FilterDN = strDN
End Function

0
 
LVL 7

Expert Comment

by:rogerard
ID: 34155504
Good detective work!  The thought had occurred to me that maybe you could cross-reference on a different field, but because I didn't have a way to test my theory, I was hesitant to post.
Good job!
0
 
LVL 3

Author Closing Comment

by:joachim.claeys@teleatlas.com
ID: 34186361
Solved
0
