Solved

How to query all AD groups for one account?

Posted on 2012-03-22
4
528 Views
Last Modified: 2012-06-27
Points of My Scenario:
1. There are 2 domains in separate forests - Domain-A & Domain-B
2. I am admin of Domain-A only (Windows Server 2003)
3. Domain-A trusts Domain-B (one-way only)
4. 'User-b' from Domain-B is in a number of domain-local groups in Domain-A
QUESTION: How can I query the AD of my Domain-A to find all the domain-local groups for which 'User-b' is a member?
0
Comment
Question by:waltforbes
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 6

Accepted Solution

by:
netjgrnaut earned 500 total points
ID: 37754109
First off, I recommend the Quest AD PowerShell cmdlets (if you don't have them already)...

http://www.quest.com/powershell/activeroles-server.aspx

Once you have that up and running, you can use the following to a) enumerate all domain local groups in Domain-A, and b) enumerate any members not from Domain-A.

$dlgrp = Get-QADGroup -SizeLimit 0 | where { $_.GroupScope -eq "DomainLocal" }
foreach($dlg in $dlgrp) { 
	$grp = $dlg.SamAccountName
	$grpfsp = Get-QADGroupMember -SizeLimit 0 $grp | 
                                   where { $_.NTAccountName -notmatch "Domain-A\\" }
	if($grpfsp -ne $null) { 
		Write-Host "Foreign Members of $grp"
		$grpfsp | select NTAccountName
		Write-Host "" 
	} 
}

Open in new window


If you want to only look for a particular user in Domain-B, then replace...
where { $_.NTAccountName -notmatch "Domain-A\\" }

Open in new window

...with...
where { $_.NTAccountName -match "NameOfUserFromDomain-B" }

Open in new window


I'm sure you'll see other possiblities here...
0
 

Author Comment

by:waltforbes
ID: 37754536
Netjgrnaut, this seems like a wonderful possibility...
Question: Should I use the distinguished names for "Domain-A\\" and "NameOfUserFromDomain-B"? If not, what format should I use?
0
 
LVL 6

Assisted Solution

by:netjgrnaut
netjgrnaut earned 500 total points
ID: 37754608
That's meant to be written to a file (listFSP.ps1, in my test) and run (without arguments - though adding some command-line options to specify domain would be a nice enhancement) from the Quest AD shell that you'll have after you install the tools.

If you're new to PowerShell, you'll need to do a little bit of first time setup in your environment, such as setting your script execution policy to allow your scripts to run.  Plenty of info out there about PowerShell basics... or just as questions here!

In the example provided, "Domain-A\\" is the NetBIOS name of the domain (not the FQDN or the LDAP-style DN).  "NameOfUserFromDomain-B" should be the SamAccountName (logon name, short form) of the Domin-B user you're looking for.  

This is because the script is -matching on NTAccountName, which is constructed by the Quest AD cmdlets in the Domain\UserName format.  

You can easilly re-write the script to use DNs or whatever.  You would need to change the $_.NTAccountName to $_.DN or whatever attribute you want to -match on, and change the -match target to "DC=Domain-B,DC=local" or whatever is appropriate for your environment.

This was an off-the-cuff method to do this.  If you were going to use this tool a lot, you'd want to build in arguments for a) domain or user-level query and b) domain or user to query for.

Assuming you have more than one Domain-B user in your collection of Domain-A Domain Local Groups, I'd recommend running the above script with the NetBIOS name of Domain-A as shown.  The output will be to screen, but you can easilly pipe it to file using either standard redirects (> outfile.txt) or the PowerShell Start-Transcript / Stop-Transcript cmdlets.

Hope that helps!
0
 

Author Closing Comment

by:waltforbes
ID: 37754929
Wow! It does the job well, Netjgrnaut! Many thanks!
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question