How to query all AD groups for one account?

Points of My Scenario:
1. There are 2 domains in separate forests - Domain-A & Domain-B
2. I am admin of Domain-A only (Windows Server 2003)
3. Domain-A trusts Domain-B (one-way only)
4. 'User-b' from Domain-B is in a number of domain-local groups in Domain-A
QUESTION: How can I query the AD of my Domain-A to find all the domain-local groups for which 'User-b' is a member?
waltforbesSenior IT SpecialistAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

netjgrnautCommented:
First off, I recommend the Quest AD PowerShell cmdlets (if you don't have them already)...

http://www.quest.com/powershell/activeroles-server.aspx

Once you have that up and running, you can use the following to a) enumerate all domain local groups in Domain-A, and b) enumerate any members not from Domain-A.

$dlgrp = Get-QADGroup -SizeLimit 0 | where { $_.GroupScope -eq "DomainLocal" }
foreach($dlg in $dlgrp) { 
	$grp = $dlg.SamAccountName
	$grpfsp = Get-QADGroupMember -SizeLimit 0 $grp | 
                                   where { $_.NTAccountName -notmatch "Domain-A\\" }
	if($grpfsp -ne $null) { 
		Write-Host "Foreign Members of $grp"
		$grpfsp | select NTAccountName
		Write-Host "" 
	} 
}

Open in new window


If you want to only look for a particular user in Domain-B, then replace...
where { $_.NTAccountName -notmatch "Domain-A\\" }

Open in new window

...with...
where { $_.NTAccountName -match "NameOfUserFromDomain-B" }

Open in new window


I'm sure you'll see other possiblities here...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
waltforbesSenior IT SpecialistAuthor Commented:
Netjgrnaut, this seems like a wonderful possibility...
Question: Should I use the distinguished names for "Domain-A\\" and "NameOfUserFromDomain-B"? If not, what format should I use?
netjgrnautCommented:
That's meant to be written to a file (listFSP.ps1, in my test) and run (without arguments - though adding some command-line options to specify domain would be a nice enhancement) from the Quest AD shell that you'll have after you install the tools.

If you're new to PowerShell, you'll need to do a little bit of first time setup in your environment, such as setting your script execution policy to allow your scripts to run.  Plenty of info out there about PowerShell basics... or just as questions here!

In the example provided, "Domain-A\\" is the NetBIOS name of the domain (not the FQDN or the LDAP-style DN).  "NameOfUserFromDomain-B" should be the SamAccountName (logon name, short form) of the Domin-B user you're looking for.  

This is because the script is -matching on NTAccountName, which is constructed by the Quest AD cmdlets in the Domain\UserName format.  

You can easilly re-write the script to use DNs or whatever.  You would need to change the $_.NTAccountName to $_.DN or whatever attribute you want to -match on, and change the -match target to "DC=Domain-B,DC=local" or whatever is appropriate for your environment.

This was an off-the-cuff method to do this.  If you were going to use this tool a lot, you'd want to build in arguments for a) domain or user-level query and b) domain or user to query for.

Assuming you have more than one Domain-B user in your collection of Domain-A Domain Local Groups, I'd recommend running the above script with the NetBIOS name of Domain-A as shown.  The output will be to screen, but you can easilly pipe it to file using either standard redirects (> outfile.txt) or the PowerShell Start-Transcript / Stop-Transcript cmdlets.

Hope that helps!
waltforbesSenior IT SpecialistAuthor Commented:
Wow! It does the job well, Netjgrnaut! Many thanks!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.