Thomas Vuylsteke
Posts: 207
09/06/2010 8:41 PM
Well, I might be explaining it the wrong way, and please correct me if I do, but besides the explanation given below there's an additional fact:
Each user who is a member of a DL in the other domain is also represented as a Foreign Security Principal in that other forest. This FSP has the same SID as the user in its own forest. I think this is a possible start for some coding magic.
I think the following methods might provide an answer:
* http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.userprincipal.getauthorizationgroups.aspx
* http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.userprincipal.getgroups.aspx
This info comes from http://msdn.microsoft.com/en-us/magazine/cc135979.aspx, definitely worth a read.
Quote from the TechNet Magazine article:
Yet another tricky operation made simple with AccountManagement is the task of expanding group membership across trusted domains or with foreign security principals. The GetGroups(PrincipalContext) method on the Principal class does the heavy lifting for you.
Regards, Thomas
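As an added illustration of the approach Thomas describes (and an answer to Damian's "how would you enumerate this programmatically" further down), the following PowerShell is example code, not from the thread or from Microsoft. It assumes a user in domain A (contoso.local), a trusted domain B (fabrikam.local), read access to a DC in B, and the sample account jdoe; it shows both GetGroups(PrincipalContext) and the equivalent raw LDAP query against the group's forward link, which is the side of the link that actually holds the data Jorge describes.

```powershell
# Added example (not from the thread). Assumed values: domain A = contoso.local,
# trusted domain B = fabrikam.local, sample user jdoe. Requires read access to B.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$userDomain     = 'contoso.local'   # assumed: the user's own domain (A)
$trustedDomain  = 'fabrikam.local'  # assumed: the trusted domain (B)
$samAccountName = 'jdoe'            # assumed sample user

# 1) Resolve the user in its own domain (A).
$ctxA = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $userDomain)
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
            $ctxA, 'SamAccountName', $samAccountName)
if (-not $user) { throw "User $samAccountName not found in $userDomain" }

# 2) The method from the thread: evaluate GetGroups against domain B. This returns
#    the groups in B that hold the user (through its FSP) as a direct member,
#    including the domain local groups that never show up in the user's memberOf.
$ctxB = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $trustedDomain)
$dlGroupsViaApi = $user.GetGroups($ctxB) |
    Where-Object { $_.GroupScope -eq 'Local' } |
    Select-Object Name, GroupScope, DistinguishedName
$dlGroupsViaApi

# 3) Same answer via plain LDAP, which makes the backlink explanation visible:
#    the membership lives on the group's "member" attribute (forward link) in B,
#    and that value is the DN of the Foreign Security Principal named after the
#    user's SID. The user's memberOf (backlink) in A is never populated for it.
$domainBDn = 'DC=' + ($trustedDomain -replace '\.', ',DC=')
$fspDn     = "CN=$($user.Sid.Value),CN=ForeignSecurityPrincipals,$domainBDn"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$trustedDomain"
# groupType bit 0x4 = domain local; 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND.
$searcher.Filter = "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=4)(member=$fspDn))"
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

$dlGroupsViaLdap = $searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
$dlGroupsViaLdap
```

If the user has never been added to any group in B, the FSP object itself may not exist there, so an empty result from step 3 is expected rather than an error.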
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Biju_babu@cargill.com Sent: Monday 6 September 2010 17:46 To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Local Group(s) from trusted domains not showing up in the Memberof property for users Sensitivity: Confidential
(HOPEFULLY THIS INFORMATION HELPS YOU!) - I meant Yes to this part 
After reading and understanding more, I think there is no way. Correct me if I'm wrong.
Regards
Biju Babu IT Technical Analyst, Identity and Service Management
Phone: +91-124-4090264 Rnet: 791-345 Email: biju_babu@cargill.com
My working hours are from 11:00 to 19:30 IST (00:30 to 09:00 CST)
Please consider our environmental responsibility before printing this e-mail
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Damian.Crosby@morganstanley.com Sent: Monday, September 06, 2010 8:29 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Local Group(s) from trusted domains not showing up in the Memberof property for users
Hi,
So how would you enumerate this programmatically to query a DLG from remote members across a trust?
Thanks.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Biju_babu@cargill.com Sent: 06 September 2010 09:45 To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Local Group(s) from trusted domains not showing up in the Memberof property for users
Yes it does, and thank you very much.
Regards
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of jorgedealmeidapinto@live.com Sent: Monday, September 06, 2010 1:01 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Local Group(s) from trusted domains not showing up in the Memberof property for users
If you as a user in domain A are a member of a domain local group in domain B, you will:
* See, when using ADUC against domain B that a user in domain A is a member of the domain local group in domain B (when looking at the properties of the group)
* See, when using ADUC against domain A that a user in domain A appears not to be a member of the domain local group in domain B (when looking at the properties of the user)
Why? Well, although the domain local group of domain B replicates to a GC in domain A, the membership (forward link) of domain local groups does not replicate to GCs in other AD domains. Because of that, the backlink is not created on the user account, hence the "memberOf" attribute on the user being empty. Forward links and backlinks are only maintained within the same NTDS.DIT instance and not between instances.
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
Ing. Jorge de Almeida Pinto, Senior Technical Consultant, MVP Identity & Access - Directory Services (MVP Profile: https://mvp.support.microsoft.com/profile/jorge1, Blog: http://blogs.dirteam.com/blogs/jorge/default.aspx)
* This posting is provided "AS IS" with no warranties and confers no rights! * Always test before implementing!
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Biju_babu@cargill.com Sent: Monday, September 06, 2010 08:32 To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Local Group(s) from trusted domains not showing up in the Memberof property for users
Any suggestions or comments? Appreciate it.
Biju
From: Babu, Biju - Biju_Babu@cargill.com Sent: Friday, September 03, 2010 4:34 PM To: activedir@mail.activedir.org Subject: [ActiveDir] Domain Local Group(s) from trusted domains not showing up in the Memberof property for users
Good day,
Wondering if somebody can tell me how to list a user's domain local group membership in trusted domains?
I'm not looking for any nested group membership, just the primary membership. In ADUC (or using ADSIEDIT) you can see the DL, GL and Universal groups from the same domain and Universal groups from the trusted domains. (I never tried ADFIND so not sure if that will help; if anyone can share the syntax that would be great.)
Thanks & Regards Biju
Disclaimer: All postings are provided "AS IS" with no warranties, and confer no rights.