Hello world !!
While working on a migration project, the customer came to me and asked whether it was possible to quickly get information about nested groups and group membership. The problem was that they were using nested groups in their infrastructure: if you looked at the membership of the Domain Admins group, you would see direct members (users) but also other groups.
Because of the migration, the customer wanted to list, and if possible remove or reduce, the users holding Domain Admin rights in the domain. So the problem was the following: the Domain Admins group contains other groups as members, and we need to find out which users are members of those groups.
You can use different approaches: an AD query, VBScript, PowerShell, or simply the built-in tools from Microsoft. Because this was quite an urgent request, I simply used the built-in tools. To list all members (users or groups) of the Domain Admins group in my domain, I type the following command:
dsget group "CN=Domain Admins,CN=Users,DC=MyDomain,DC=Lab" -members
To go recursively through all the nested groups you might encounter, you can then type the following command:
dsget group "CN=Domain Admins,CN=Users,DC=MyDomain,DC=Lab" -members -expand
This command displays the same information you see in Active Directory when you right-click the group and look at the Members tab, plus the members of the nested groups.
If you want to display only the users that are members of the group and you do not care about the groups, you can extend the previous command and type the following:
dsget group "CN=Domain Admins,CN=Users,DC=MyDomain,DC=Lab" -members -expand | dsget user -samid -c
This results in a list of users. The -c switch tells dsget to keep processing the remaining objects even if an error occurs on one of them (for example when a piped member is a group rather than a user).
To go the other way (i.e. finding the group membership of a specific user account), you can type the following command:
dsquery user -samid <UserName> | dsget user -memberof -expand | dsget group -samid
This command may also reveal additional nested groups.
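The same two lookups (users effectively in Domain Admins via nesting, and all groups a given user ends up in) can be done with the ActiveDirectory PowerShell module when you want the result as objects you can sort or export for the clean-up. The following is an added example written for this post, not a command from the original article or a Microsoft-provided script. It assumes the RSAT ActiveDirectory module is installed, reuses the lab DN from the commands above, and uses a constructed sample account name (jdoe) as a placeholder.

```powershell
# Added example (not part of the original post): expand nested group membership
# with the ActiveDirectory module. Assumes RSAT / ActiveDirectory module present.
Import-Module ActiveDirectory

function Get-NestedGroupUsers {
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity,
        # Groups already expanded. Circular nesting (A contains B, B contains A)
        # is legal in AD and would otherwise make the recursion loop forever.
        [System.Collections.Generic.HashSet[string]] $Visited =
            [System.Collections.Generic.HashSet[string]]::new()
    )
    $group = Get-ADGroup -Identity $GroupIdentity
    if (-not $Visited.Add($group.DistinguishedName)) { return }   # already seen

    foreach ($member in Get-ADGroupMember -Identity $group.DistinguishedName) {
        switch ($member.objectClass) {
            'user' {
                # Report the user together with the group that grants the right,
                # so the customer can see which nesting to cut.
                Get-ADUser -Identity $member.DistinguishedName -Properties Enabled |
                    Select-Object SamAccountName, Enabled,
                        @{ Name = 'ViaGroup'; Expression = { $group.SamAccountName } }
            }
            'group' {
                Get-NestedGroupUsers -GroupIdentity $member.DistinguishedName -Visited $Visited
            }
            default { }   # computers, managed service accounts etc. are skipped here
        }
    }
}

# 1) Forward direction: every user who is effectively a Domain Admin, one row per path.
#    Same DN as the dsget commands above (lab domain).
Get-NestedGroupUsers -GroupIdentity 'CN=Domain Admins,CN=Users,DC=MyDomain,DC=Lab' |
    Sort-Object SamAccountName, ViaGroup |
    Format-Table -AutoSize

# 2) Reverse direction: all groups a user belongs to, nested ones included.
#    The LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) makes the
#    domain controller walk the chain, so no client-side recursion is needed.
$UserName = 'jdoe'   # constructed placeholder, replace with the account to check
$userDn = (Get-ADUser -Identity $UserName).DistinguishedName
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" |
    Select-Object SamAccountName, GroupScope, DistinguishedName |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

The ViaGroup column is what makes the output useful for the reduction exercise: a user that appears several times is reachable through several nestings, and removing only one of them does not take the right away. Disabled accounts still count as members, which is why Enabled is included.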