Solved

How to query all AD groups for one account?

Posted on 2012-03-22
4
526 Views
Last Modified: 2012-06-27
Points of My Scenario:
1. There are 2 domains in separate forests - Domain-A & Domain-B
2. I am admin of Domain-A only (Windows Server 2003)
3. Domain-A trusts Domain-B (one-way only)
4. 'User-b' from Domain-B is in a number of domain-local groups in Domain-A
QUESTION: How can I query the AD of my Domain-A to find all the domain-local groups for which 'User-b' is a member?
0
Comment
Question by:waltforbes
  • 2
  • 2
4 Comments
 
LVL 6

Accepted Solution

by:
netjgrnaut earned 500 total points
ID: 37754109
First off, I recommend the Quest AD PowerShell cmdlets (if you don't have them already)...

http://www.quest.com/powershell/activeroles-server.aspx

Once you have that up and running, you can use the following to a) enumerate all domain local groups in Domain-A, and b) enumerate any members not from Domain-A.

$dlgrp = Get-QADGroup -SizeLimit 0 | where { $_.GroupScope -eq "DomainLocal" }
foreach($dlg in $dlgrp) { 
	$grp = $dlg.SamAccountName
	$grpfsp = Get-QADGroupMember -SizeLimit 0 $grp | 
                                   where { $_.NTAccountName -notmatch "Domain-A\\" }
	if($grpfsp -ne $null) { 
		Write-Host "Foreign Members of $grp"
		$grpfsp | select NTAccountName
		Write-Host "" 
	} 
}

Open in new window


If you want to only look for a particular user in Domain-B, then replace...
where { $_.NTAccountName -notmatch "Domain-A\\" }

Open in new window

...with...
where { $_.NTAccountName -match "NameOfUserFromDomain-B" }

Open in new window


I'm sure you'll see other possiblities here...
0
 

Author Comment

by:waltforbes
ID: 37754536
Netjgrnaut, this seems like a wonderful possibility...
Question: Should I use the distinguished names for "Domain-A\\" and "NameOfUserFromDomain-B"? If not, what format should I use?
0
 
LVL 6

Assisted Solution

by:netjgrnaut
netjgrnaut earned 500 total points
ID: 37754608
That's meant to be written to a file (listFSP.ps1, in my test) and run (without arguments - though adding some command-line options to specify domain would be a nice enhancement) from the Quest AD shell that you'll have after you install the tools.

If you're new to PowerShell, you'll need to do a little bit of first time setup in your environment, such as setting your script execution policy to allow your scripts to run.  Plenty of info out there about PowerShell basics... or just as questions here!

In the example provided, "Domain-A\\" is the NetBIOS name of the domain (not the FQDN or the LDAP-style DN).  "NameOfUserFromDomain-B" should be the SamAccountName (logon name, short form) of the Domin-B user you're looking for.  

This is because the script is -matching on NTAccountName, which is constructed by the Quest AD cmdlets in the Domain\UserName format.  

You can easilly re-write the script to use DNs or whatever.  You would need to change the $_.NTAccountName to $_.DN or whatever attribute you want to -match on, and change the -match target to "DC=Domain-B,DC=local" or whatever is appropriate for your environment.

This was an off-the-cuff method to do this.  If you were going to use this tool a lot, you'd want to build in arguments for a) domain or user-level query and b) domain or user to query for.

Assuming you have more than one Domain-B user in your collection of Domain-A Domain Local Groups, I'd recommend running the above script with the NetBIOS name of Domain-A as shown.  The output will be to screen, but you can easilly pipe it to file using either standard redirects (> outfile.txt) or the PowerShell Start-Transcript / Stop-Transcript cmdlets.

Hope that helps!
0
 

Author Closing Comment

by:waltforbes
ID: 37754929
Wow! It does the job well, Netjgrnaut! Many thanks!
0

Featured Post

SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question