| Author | Messages | |
bijubabuk
Posts:109
 | | 09/03/2010 12:05 PM |
| Good day,
Wondering if somebody can tell me how to list a user's domain local group membership in trusted domains?
I'm not looking for any nested group membership, just the primary membership. In ADUC (or using ADSIEDIT) you can see the DL, GL and Universal groups from the same domain and Universal groups from the trusted domains. (I never tried ADFIND so not sure if that will help; if anyone can share the syntax that would be great.)
Thanks & Regards
Biju
Disclaimer: All postings are provided "AS IS" with no warranties, and confer no rights.
Please consider our environmental responsibility before printing this e-mail
| | | |
| bijubabuk
Posts:109
 | | 09/06/2010 7:34 AM |
| Any suggestions or comments? Appreciate it.
Biju
| | | |
| ZJORZ
Posts:363
 | | 09/06/2010 8:31 AM |
| If you as a user in domain A are a member of a domain local group in domain B, you will:
* See, when using ADUC against domain B, that a user in domain A is a member of the domain local group in domain B (when looking at the properties of the group)
* See, when using ADUC against domain A, that a user in domain A appears not to be a member of the domain local group in domain B (when looking at the properties of the user)
Why?
Well, although the domain local group of domain B replicates to a GC in domain A, the membership (forward link) of domain local groups does not replicate to GCs in other AD domains. Because of that, the backlink is not created on the user account; hence the "memberOf" attribute on the user is empty.
Forward links and backlinks are only maintained within the same NTDS.DIT instance and not between instances.
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
Ing. Jorge de Almeida Pinto
Senior Technical Consultant
MVP Identity & Access - Directory Services
(MVP Profile <https://mvp.support.microsoft.com/profile/jorge1> ) (Blog <http://blogs.dirteam.com/blogs/jorge/default.aspx> )
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
| | | |
| bijubabuk
Posts:109
 | | 09/06/2010 9:47 AM |
| Yes it does, and thank you very much.
Regards
Biju Babu
IT Technical Analyst, Identity and Service Management
Phone : +91-124-4090264
Rnet : 791-345
Email : biju_babu@cargill.com <mailto:biju_babu@cargill.com>
My working hours are from 11:00 to 19:30 IST (00:30 to 09:00 CST)
| | | |
| decrosby
Posts:101
 | | 09/06/2010 4:00 PM |
| Hi,
So how would you enumerate this programmatically to query a DLG from remote members across a trust?
Thanks.
-------------------------------------------------------------------------- NOTICE: If you have received this communication in error, please destroy all electronic and paper copies and notify the sender immediately. Mistransmission is not intended to waive confidentiality or privilege. Morgan Stanley reserves the right, to the extent permitted under applicable law, to monitor electronic communications. This message is subject to terms available at the following link: http://www.morganstanley.com/disclaimers. If you cannot access these links, please notify us by reply message and we will send the contents to you. By messaging with Morgan Stanley you consent to the foregoing.
| | | |
| bijubabuk
Posts:109
 | | 09/06/2010 4:47 PM |
| (HOPEFULLY THIS INFORMATION HELPS YOU!) - I meant Yes to this part :)
After reading and understanding more, I think there is no way. Correct me if I'm wrong.
Regards
Biju Babu
| | | |
| decrosby
Posts:101
 | | 09/07/2010 10:22 AM |
| Actually, what we need to know is which groups in forest A the user from forest B is a member of, so we wanted to query memberOf. In this case we could enumerate the FSP's memberOf attribute in forest A and get this information; it seems to work...
Thanks.
Damian.
________________________________ From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Thomas Vuylsteke Sent: 06 September 2010 20:39 To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Local Group(s) from trusted domains not showing up in the Memberof property for users Sensitivity: Confidential
Well, I might be explaining it the wrong way, and please correct me if I do, but besides the explanation given below there's an additional fact:
Each user that is a member of a DL group in the other domain is also represented as a Foreign Security Principal in that other forest. This FSP has the same SID as the user in its own forest. I think this is a possible start for some coding magic.
I think the following methods might provide an answer:
* http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.userprincipal.getauthorizationgroups.aspx
* http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.userprincipal.getgroups.aspx
This info comes from http://msdn.microsoft.com/en-us/magazine/cc135979.aspx definitely worthy of a read.
Quote from the technet magazine article:
Yet another tricky operation made simple with AccountManagement is the task of expanding group membership across trusted domains or with foreign security principals. The GetGroups(PrincipalContext) method on the Principal class does the heavy lifting for you
Regards, Thomas
| | | |
| bijubabuk
Posts:109
 | | 09/14/2010 11:10 PM |
| Correct me if I'm wrong, but FSPs only exist when trusts are set up outside of the current forest. I don't think there are any FSPs in a multi-domain, single-forest environment.
Anyway, I tried a simple script using the GetGroups method mentioned below by Thomas, but no luck. It only returns universal groups from other domains along with DL and global groups from the same domain, just like any other tool. I understand what Joe said about the forward/back links and GC replication, but gave it a try hoping something magical would happen :)
Thanks everyone for your help.
Regards
Biju Babu
| | | |
| decrosby
Posts:101
 | | 09/15/2010 9:34 AM |
| Hi,
We were evaluating member / memberof over an external trust on this occasion.
Thanks.
Damian.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Biju_babu@cargill.com Sent: 14 September 2010 23:09 To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Local Group(s) from trusted domains not showing up in the Memberof property for users Sensitivity: Confidential
Correct me if I'm wrong, but FSPs only exist when trusts are set up outside of the current forest. I don't think there are any FSPs in a multi-domain single-forest environment.
Anyway, I tried a simple script using the GetGroups method mentioned below by Thomas, but no luck. It only returns universal groups from other domains along with DL and global groups from the same domain, just like any other tool. I understand what Joe said about the forward/back links and GC replication, but I gave it a try hoping something magical would happen.
Thanks everyone for your help.
Regards
Biju Babu
IT Technical Analyst, Identity and Service Management
Phone : +91-124-4090264
Rnet : 791-345
Email : biju_babu@cargill.com <mailto:biju_babu@cargill.com>
My working hours are from 11:00 to 19:30 IST (00:30 to 09:00 CST)
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Damian.Crosby@morganstanley.com Sent: Tuesday, September 07, 2010 2:51 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Local Group(s) from trusted domains not showing up in the Memberof property for users Sensitivity: Confidential
Actually, what we need to know is which groups in forest A the user from forest B is a member of, so we wanted to query memberOf. In this case we could enumerate the FSP's memberOf attribute in forest A and get this information; it seems to work...
Thanks.
Damian.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Thomas Vuylsteke Sent: 06 September 2010 20:39 To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Local Group(s) from trusted domains not showing up in the Memberof property for users Sensitivity: Confidential
Well, I might be explaining it the wrong way, and please correct me if I do, but besides the explanation given below there's an additional fact:
Each user who is a member of a DL in the other domain is also represented as a Foreign Security Principal in that other forest. This FSP has the same SID as the user in its own forest. I think this is a possible start for some coding magic.
I think the following methods might provide an answer:
* http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.userprincipal.getauthorizationgroups.aspx
* http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.userprincipal.getgroups.aspx
This info comes from http://msdn.microsoft.com/en-us/magazine/cc135979.aspx, which is definitely worth a read.
Quote from the TechNet Magazine article:
Yet another tricky operation made simple with AccountManagement is the task of expanding group membership across trusted domains or with foreign security principals. The GetGroups(PrincipalContext) method on the Principal class does the heavy lifting for you.
Regards, Thomas
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Biju_babu@cargill.com Sent: maandag 6 september 2010 17:46 To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Local Group(s) from trusted domains not showing up in the Memberof property for users Sensitivity: Confidential
(HOPEFULLY THIS INFORMATION HELPS YOU!) - I meant yes to this part.
After reading and understanding more, I think there is no way. Correct me if I'm wrong.
Regards
Biju Babu
IT Technical Analyst, Identity and Service Management
Phone : +91-124-4090264
Rnet : 791-345
Email : biju_babu@cargill.com <mailto:biju_babu@cargill.com>
My working hours are from 11:00 to 19:30 IST (00:30 to 09:00 CST)
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Damian.Crosby@morganstanley.com Sent: Monday, September 06, 2010 8:29 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Local Group(s) from trusted domains not showing up in the Memberof property for users
Hi,
So how would you enumerate this programmatically to query a DLG from remote members across a trust?
Thanks.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Biju_babu@cargill.com Sent: 06 September 2010 09:45 To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Local Group(s) from trusted domains not showing up in the Memberof property for users
Yes it does, and thank you very much.
Regards
Biju Babu
IT Technical Analyst, Identity and Service Management
Phone : +91-124-4090264
Rnet : 791-345
Email : biju_babu@cargill.com <mailto:biju_babu@cargill.com>
My working hours are from 11:00 to 19:30 IST (00:30 to 09:00 CST)
| | | |
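As an added illustration of the AccountManagement approach Thomas links to above (this is not code from the thread or from any of the posters), the script below calls the GetGroups(PrincipalContext) overload against each trusted domain's store in turn and compares it with the parameterless GetGroups() and with GetAuthorizationGroups(). The domain names and the account name are constructed placeholders; per the MSDN documentation, the overload returns the groups that list the principal and that exist in the store given by the context argument. Whether it surfaces domain local groups from another domain in your trust topology is exactly what Biju's report above questions, so compare its output with a plain LDAP query before relying on it.

```powershell
# Added example, not code from the thread: GetGroups(PrincipalContext) per trusted
# store versus the home-store views. All names below are constructed placeholders.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$UserDomain   = 'domaina.example'                        # assumption: user's home domain
$UserSam      = 'jdoe'                                   # assumption: sAMAccountName
$OtherDomains = @('domainb.example', 'partner.example')  # assumption: trusted domains to inspect

function New-DomainContext {
    param([string]$Domain)
    # ContextType.Domain with a DNS domain name; the caller's own credentials are used.
    New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
        -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
}

function Get-GroupRows {
    param($Groups, [string]$Store, [string]$Method)
    foreach ($g in $Groups) {
        [pscustomobject]@{
            Store  = $Store
            Method = $Method
            Group  = $g.SamAccountName
            Scope  = $g.GroupScope        # Local, Global or Universal
            Sid    = $g.Sid.Value
        }
        $g.Dispose()
    }
}

$homeCtx = New-DomainContext $UserDomain
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
    $homeCtx, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $UserSam)
if (-not $user) { throw "user $UserSam not found in $UserDomain" }

$rows = @()

# Direct membership as recorded in the home store (the memberOf a home DC would show).
$rows += Get-GroupRows $user.GetGroups() $UserDomain 'GetGroups()'

# Same call with the store to search passed explicitly: the overload looks in that
# context for groups that list this principal, which is where a domain local group
# of another domain keeps its (non-replicated) member forward link.
foreach ($d in $OtherDomains) {
    $ctx = New-DomainContext $d
    try   { $rows += Get-GroupRows $user.GetGroups($ctx) $d 'GetGroups(ctx)' }
    finally { $ctx.Dispose() }
}

# For comparison: the authorization groups are the SID set a logon token would carry,
# computed by the home domain, so nesting is expanded but it is still the home DC's view.
$rows += Get-GroupRows $user.GetAuthorizationGroups() $UserDomain 'GetAuthorizationGroups()'

$user.Dispose()
$homeCtx.Dispose()
$rows | Sort-Object Store, Scope, Group | Format-Table -AutoSize
```

Run it as an account that can read group membership in every store listed; a row with Scope Local under a foreign Store is the cross-domain domain local membership the memberOf attribute of the user object cannot show.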
| listmail
Posts:822
 | | 09/15/2010 3:56 PM |
| Two basic problems.
First problem: within a single forest.
You have two methods to handle this.
* First, you can query the domain local groups in every trusted domain for the user's DN.
* Second, you can query a GC that is a DC for every domain in the forest and ask for the memberOf attribute of the user. If the user is a member of Domain1, when you hit a Domain1 GC, you will get group info for all UGs in the forest, GGs in Domain1, and DLGs in Domain1. When you hit a Domain2 GC, you will get group info for all UGs in the forest, no GGs, and DLGs in Domain2, etc.
Second problem: foreign (to the user's forest) trusted domains.
You have two methods to handle this.
* First, you can look for the user's Foreign Security Principal in each domain and return the memberOf attribute.
* Second, you can query every domain local group in each domain looking for the user's FSP object DN.
Yes AdFind can do this. Each process would be a different command, but they are all very basic LDAP queries.
joe
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
Blog: http://blog.joeware.net
| | | |
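The following PowerShell script is an added example (not joe's AdFind commands, and not code from anyone in the thread) that runs the four queries joe lists above as plain LDAP searches, and in doing so makes Jorge's forward-link/backlink point visible: the GC of each in-forest domain is asked for memberOf, each domain's own DCs are asked which domain local groups carry the user's DN in member, and for an externally trusted domain the user's foreignSecurityPrincipal (whose CN is the user's SID) is located and queried from both sides. Domain names and the account name are constructed placeholders; the groupType bitwise filter for domain local groups (bit 0x4 with the 1.2.840.113556.1.4.803 matching rule) and the ForeignSecurityPrincipals naming are standard AD schema facts. Values read back from the directory are escaped per RFC 4515 before being spliced into the next filter, since a DN with parentheses in it would otherwise change the query.

```powershell
# Added example, not code from the thread: joe's four query methods from PowerShell.
# Domain and account names are constructed placeholders.
Add-Type -AssemblyName System.DirectoryServices

$UserSam        = 'jdoe'                                   # assumption: sAMAccountName
$UserDomain     = 'domaina.example'                        # assumption: user's own domain
$ForestDomains  = @('domaina.example', 'domainb.example')  # assumption: every domain of the user's forest
$ForeignDomains = @('partner.example')                     # assumption: domains reached over external/forest trusts

# RFC 4515 escaping: a DN or SID read from the directory is input to the next filter.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Invoke-LdapSearch {
    param([string]$Path, [string]$Filter, [string[]]$Attrs)
    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]$Path)
    $searcher.Filter   = $Filter
    $searcher.PageSize = 500          # paged results, so large groups are not truncated
    [void]$searcher.PropertiesToLoad.AddRange($Attrs)
    $searcher.FindAll()
}

# A GC only holds the backlinks its own NTDS.DIT maintains, so the GC must be one
# that lives in the domain whose DLGs and GGs we want to see.
function Get-GcInDomain {
    param([string]$Domain)
    $ctx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext `
        -ArgumentList ([System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain, $Domain)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $gc  = $dom.DomainControllers | Where-Object { $_.IsGlobalCatalog() } | Select-Object -First 1
    if (-not $gc) { throw "no GC found in $Domain" }
    $gc.Name
}

# Domain local groups (groupType bit 0x4) whose member attribute carries the given DN.
function Get-DlgFilter {
    param([string]$MemberDN)
    "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=4)(member=$(ConvertTo-LdapFilterValue $MemberDN)))"
}

$u = Invoke-LdapSearch "LDAP://$UserDomain" `
        "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $UserSam)))" `
        @('distinguishedName', 'objectSid') | Select-Object -First 1
if (-not $u) { throw "user $UserSam not found in $UserDomain" }
$UserDN  = [string]$u.Properties['distinguishedname'][0]
$UserSid = (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ($u.Properties['objectsid'][0], 0)).Value

$rows = @()

# Same forest, joe's second method: memberOf from a GC of every domain.
foreach ($d in $ForestDomains) {
    $gc = Get-GcInDomain $d
    $r = Invoke-LdapSearch "GC://$gc" "(distinguishedName=$(ConvertTo-LdapFilterValue $UserDN))" @('memberOf') | Select-Object -First 1
    if ($r) { foreach ($g in $r.Properties['memberof']) { $rows += [pscustomobject]@{ Domain = $d; Source = 'GC memberOf'; Group = [string]$g } } }
}

# Same forest, joe's first method: the forward link, read from each domain's own DCs.
foreach ($d in $ForestDomains) {
    foreach ($g in Invoke-LdapSearch "LDAP://$d" (Get-DlgFilter $UserDN) @('distinguishedName')) {
        $rows += [pscustomobject]@{ Domain = $d; Source = 'DLG member'; Group = [string]$g.Properties['distinguishedname'][0] }
    }
}

# Foreign forest: the user exists there only as a foreignSecurityPrincipal named by SID.
foreach ($d in $ForeignDomains) {
    $fsp = Invoke-LdapSearch "LDAP://$d" "(&(objectClass=foreignSecurityPrincipal)(cn=$(ConvertTo-LdapFilterValue $UserSid)))" @('distinguishedName', 'memberOf') | Select-Object -First 1
    if (-not $fsp) { continue }    # no FSP: the user was never added to a group in that domain
    foreach ($g in $fsp.Properties['memberof']) { $rows += [pscustomobject]@{ Domain = $d; Source = 'FSP memberOf'; Group = [string]$g } }
    $fspDN = [string]$fsp.Properties['distinguishedname'][0]
    foreach ($g in Invoke-LdapSearch "LDAP://$d" (Get-DlgFilter $fspDN) @('distinguishedName')) {
        $rows += [pscustomobject]@{ Domain = $d; Source = 'DLG member'; Group = [string]$g.Properties['distinguishedname'][0] }
    }
}

$rows | Sort-Object Domain, Group, Source | Format-Table -AutoSize
```

For one user the two in-forest methods should agree for domain local groups of each domain; if a group shows up under "DLG member" for a domain but not under "GC memberOf" for that same domain, the GC you reached is not a DC of that domain, which is the replication asymmetry Jorge describes. For many users, run the per-domain DLG query once with no member clause, read each group's member attribute, and join the result on DN rather than issuing one search per user.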
| bijubabuk
Posts:109
 | | 09/15/2010 5:16 PM |
| whoami /groups is very handy when it comes to troubleshooting a single-user scenario, but I do not think it's usable for reporting many users' group membership info.
I will give the GC querying method a try; that seems to be more interesting.
Thanks everyone for your thoughts, much appreciated.
Regards
Biju Babu
IT Technical Analyst, Identity and Service Management
Phone : +91-124-4090264
Rnet : 791-345
Email : biju_babu@cargill.com <mailto:biju_babu@cargill.com>
My working hours are from 11:00 to 19:30 IST (00:30 to 09:00 CST)
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of barkills@washington.edu Sent: Wednesday, September 15, 2010 9:21 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Local Group(s) from trusted domains not showing up in the Memberof property for users
There are other approaches. For example, instead of querying directories (which is what all the methods below do), you could examine the user's logon token. There are many ways to do that, either programmatic inspection or a canned tool like "whoami /groups". This class of approaches assumes you have access to the user's logon token, and in order to get the appropriate groups in the token, they'd have to log in to a computer in the appropriate forest/domain. And if there are multiple domains that you need to gather groups from, then you'd need to collect that info separately and merge it. In other words, you have to know about the same limitations as noted below and work around them.
Personally, I'd stick with directory queries, but there are scenarios where the logon token approach is more appropriate, and where whoami /groups is more convenient.
| | | |
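As an added example of the logon-token approach barkills describes (not code from the thread), the script below reads the group SIDs from the current session's own token, resolves them, and tags each with the domain SID it belongs to, so that the per-domain collect-and-merge step he mentions becomes a union on SID. It also parses "whoami /groups" through its CSV output format for the same view. Nothing here queries a directory; the rows are exactly the groups the authenticating DC put into the token at logon, which is why the domain local groups of a domain you did not log on to never appear.

```powershell
# Added example, not code from the thread: inspect the current logon token instead of
# the directory. Runs on any domain-joined Windows session without extra modules.

function Get-TokenGroupReport {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        $name = '<unresolved>'
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        # AccountDomainSid is null for well-known SIDs (Everyone, BUILTIN\..., NT AUTHORITY\...);
        # for domain groups it identifies which domain actually contributed the group.
        $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { '<well-known>' }
        [pscustomobject]@{
            User      = $identity.Name
            Sid       = $sid.Value
            Name      = $name
            DomainSid = $domainSid
        }
    }
}

# Same data from the canned tool; /fo csv yields the columns
# "Group Name","Type","SID","Attributes", so it can be filtered instead of eyeballed.
function Get-WhoamiGroups {
    whoami /groups /fo csv | ConvertFrom-Csv |
        Select-Object -Property 'Group Name', Type, SID, Attributes
}

# Merge helper for barkills' multi-domain case: reports collected on machines in
# different domains are combined on SID, so a group seen from two logons counts once.
function Merge-TokenGroupReports {
    param([object[][]]$Reports)
    $Reports | ForEach-Object { $_ } | Sort-Object Sid -Unique
}

$report = Get-TokenGroupReport
# How many token groups came from each domain (or are well-known SIDs).
$report | Group-Object DomainSid | Select-Object Count, Name | Format-Table -AutoSize
$report | Sort-Object DomainSid, Name | Format-Table Sid, Name, DomainSid -AutoSize
# Domain groups only, as whoami reports them ("Group"; aliases and well-known SIDs excluded).
Get-WhoamiGroups | Where-Object { $_.Type -eq 'Group' } | Format-Table -AutoSize
```

Export $report from a session in each domain of interest (for instance with Export-Clixml) and feed the collected files to Merge-TokenGroupReports; the DomainSid column then shows at a glance which domains' groups were captured and which logon is still missing.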