Solved

How to query all AD groups for one account?

Posted on 2012-03-22
4
519 Views
Last Modified: 2012-06-27
Points of My Scenario:
1. There are 2 domains in separate forests - Domain-A & Domain-B
2. I am admin of Domain-A only (Windows Server 2003)
3. Domain-A trusts Domain-B (one-way only)
4. 'User-b' from Domain-B is in a number of domain-local groups in Domain-A
QUESTION: How can I query the AD of my Domain-A to find all the domain-local groups for which 'User-b' is a member?
0
Comment
Question by:waltforbes
  • 2
  • 2
4 Comments
 
LVL 6

Accepted Solution

by:
netjgrnaut earned 500 total points
ID: 37754109
First off, I recommend the Quest AD PowerShell cmdlets (if you don't have them already)...

http://www.quest.com/powershell/activeroles-server.aspx

Once you have that up and running, you can use the following to a) enumerate all domain local groups in Domain-A, and b) enumerate any members not from Domain-A.

$dlgrp = Get-QADGroup -SizeLimit 0 | where { $_.GroupScope -eq "DomainLocal" }
foreach($dlg in $dlgrp) { 
	$grp = $dlg.SamAccountName
	$grpfsp = Get-QADGroupMember -SizeLimit 0 $grp | 
                                   where { $_.NTAccountName -notmatch "Domain-A\\" }
	if($grpfsp -ne $null) { 
		Write-Host "Foreign Members of $grp"
		$grpfsp | select NTAccountName
		Write-Host "" 
	} 
}

Open in new window


If you want to only look for a particular user in Domain-B, then replace...
where { $_.NTAccountName -notmatch "Domain-A\\" }

Open in new window

...with...
where { $_.NTAccountName -match "NameOfUserFromDomain-B" }

Open in new window


I'm sure you'll see other possiblities here...
0
 

Author Comment

by:waltforbes
ID: 37754536
Netjgrnaut, this seems like a wonderful possibility...
Question: Should I use the distinguished names for "Domain-A\\" and "NameOfUserFromDomain-B"? If not, what format should I use?
0
 
LVL 6

Assisted Solution

by:netjgrnaut
netjgrnaut earned 500 total points
ID: 37754608
That's meant to be written to a file (listFSP.ps1, in my test) and run (without arguments - though adding some command-line options to specify domain would be a nice enhancement) from the Quest AD shell that you'll have after you install the tools.

If you're new to PowerShell, you'll need to do a little bit of first time setup in your environment, such as setting your script execution policy to allow your scripts to run.  Plenty of info out there about PowerShell basics... or just as questions here!

In the example provided, "Domain-A\\" is the NetBIOS name of the domain (not the FQDN or the LDAP-style DN).  "NameOfUserFromDomain-B" should be the SamAccountName (logon name, short form) of the Domin-B user you're looking for.  

This is because the script is -matching on NTAccountName, which is constructed by the Quest AD cmdlets in the Domain\UserName format.  

You can easilly re-write the script to use DNs or whatever.  You would need to change the $_.NTAccountName to $_.DN or whatever attribute you want to -match on, and change the -match target to "DC=Domain-B,DC=local" or whatever is appropriate for your environment.

This was an off-the-cuff method to do this.  If you were going to use this tool a lot, you'd want to build in arguments for a) domain or user-level query and b) domain or user to query for.

Assuming you have more than one Domain-B user in your collection of Domain-A Domain Local Groups, I'd recommend running the above script with the NetBIOS name of Domain-A as shown.  The output will be to screen, but you can easilly pipe it to file using either standard redirects (> outfile.txt) or the PowerShell Start-Transcript / Stop-Transcript cmdlets.

Hope that helps!
0
 

Author Closing Comment

by:waltforbes
ID: 37754929
Wow! It does the job well, Netjgrnaut! Many thanks!
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our…
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now