?
Solved

How to query all AD groups for one account?

Posted on 2012-03-22
4
Medium Priority
?
537 Views
Last Modified: 2012-06-27
Points of My Scenario:
1. There are 2 domains in separate forests - Domain-A & Domain-B
2. I am admin of Domain-A only (Windows Server 2003)
3. Domain-A trusts Domain-B (one-way only)
4. 'User-b' from Domain-B is in a number of domain-local groups in Domain-A
QUESTION: How can I query the AD of my Domain-A to find all the domain-local groups for which 'User-b' is a member?
0
Comment
Question by:waltforbes
  • 2
  • 2
4 Comments
 
LVL 6

Accepted Solution

by:
netjgrnaut earned 2000 total points
ID: 37754109
First off, I recommend the Quest AD PowerShell cmdlets (if you don't have them already)...

http://www.quest.com/powershell/activeroles-server.aspx

Once you have that up and running, you can use the following to a) enumerate all domain local groups in Domain-A, and b) enumerate any members not from Domain-A.

$dlgrp = Get-QADGroup -SizeLimit 0 | where { $_.GroupScope -eq "DomainLocal" }
foreach($dlg in $dlgrp) { 
	$grp = $dlg.SamAccountName
	$grpfsp = Get-QADGroupMember -SizeLimit 0 $grp | 
                                   where { $_.NTAccountName -notmatch "Domain-A\\" }
	if($grpfsp -ne $null) { 
		Write-Host "Foreign Members of $grp"
		$grpfsp | select NTAccountName
		Write-Host "" 
	} 
}

Open in new window


If you want to only look for a particular user in Domain-B, then replace...
where { $_.NTAccountName -notmatch "Domain-A\\" }

Open in new window

...with...
where { $_.NTAccountName -match "NameOfUserFromDomain-B" }

Open in new window


I'm sure you'll see other possiblities here...
0
 

Author Comment

by:waltforbes
ID: 37754536
Netjgrnaut, this seems like a wonderful possibility...
Question: Should I use the distinguished names for "Domain-A\\" and "NameOfUserFromDomain-B"? If not, what format should I use?
0
 
LVL 6

Assisted Solution

by:netjgrnaut
netjgrnaut earned 2000 total points
ID: 37754608
That's meant to be written to a file (listFSP.ps1, in my test) and run (without arguments - though adding some command-line options to specify domain would be a nice enhancement) from the Quest AD shell that you'll have after you install the tools.

If you're new to PowerShell, you'll need to do a little bit of first time setup in your environment, such as setting your script execution policy to allow your scripts to run.  Plenty of info out there about PowerShell basics... or just as questions here!

In the example provided, "Domain-A\\" is the NetBIOS name of the domain (not the FQDN or the LDAP-style DN).  "NameOfUserFromDomain-B" should be the SamAccountName (logon name, short form) of the Domin-B user you're looking for.  

This is because the script is -matching on NTAccountName, which is constructed by the Quest AD cmdlets in the Domain\UserName format.  

You can easilly re-write the script to use DNs or whatever.  You would need to change the $_.NTAccountName to $_.DN or whatever attribute you want to -match on, and change the -match target to "DC=Domain-B,DC=local" or whatever is appropriate for your environment.

This was an off-the-cuff method to do this.  If you were going to use this tool a lot, you'd want to build in arguments for a) domain or user-level query and b) domain or user to query for.

Assuming you have more than one Domain-B user in your collection of Domain-A Domain Local Groups, I'd recommend running the above script with the NetBIOS name of Domain-A as shown.  The output will be to screen, but you can easilly pipe it to file using either standard redirects (> outfile.txt) or the PowerShell Start-Transcript / Stop-Transcript cmdlets.

Hope that helps!
0
 

Author Closing Comment

by:waltforbes
ID: 37754929
Wow! It does the job well, Netjgrnaut! Many thanks!
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
Native ability to set a user account password via AD GPO was removed because the passwords can be easily decrypted by any authenticated user in the domain. Microsoft recommends LAPS as a replacement and I have written an article that does something …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

601 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question