GuidoG
Posts: 114
09/20/2010 8:00 PM

It's important to understand which group memberships get added to which token at what time.
You won't find a user's local group memberships from a foreign domain (be it the same or a different forest) in the user's token from the logon to his domain, when authenticating via a client from his domain, since the local groups from foreign domains are not enumerated in this process.
However, if you are trying to access a resource from the foreign domain - either by authenticating via a client in that domain, or when you're connecting to some other server or service in that domain, you'll generate a session ticket to access that resource. For the generation of that session ticket the foreign domain's DC will enumerate the user's local group-memberships in the domain... In the end, the session ticket contains the requested group memberships.
As such, for this scenario, using the whoami /groups approach won't get you far.
Pretty much the only useful approach is querying the other domains, as joe already suggested.
/Guido
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Arkills
Sent: Wednesday, September 15, 2010 5:51 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Local Group(s) from trusted domains not showing up in the Memberof property for users
There are other approaches. For example, instead of querying directories (which is what all the methods below do), you could examine the user's logon token. There are many ways to do that, either programmatic inspection or a canned tool like "whoami /groups". This class of approaches assumes you have access to the user's login token, and in order to get the appropriate groups in the token, they'd have to login to a computer in the appropriate forest/domain. And if there are multiple domains that you need to gather groups from, then you'd need to collect that info separately and merge. In other words, you have to know about the same limitations as noted below and work around them.
Personally, I'd stick with directory queries, but there are scenarios where the logon token approach is more appropriate, and where whoami /groups is more convenient.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, September 15, 2010 7:56 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Local Group(s) from trusted domains not showing up in the Memberof property for users
Two basic problems...
First problem, within a single forest...
You have two methods to handle this.
* First you can query the domain local groups in every trusted domain for the user's DN.
* Second, you can query a GC that is a DC for every domain in the forest and ask for the memberof attribute of the user. If the user is a member of Domain1, when you hit a Domain1 GC, you will get group info for all UGs in forest, GGs in Domain1, and DLGs in Domain1. When you hit a Domain2 GC, you will get group info for all UGs in forest, no GGs, and DLGs in Domain2, etc etc.
Second problem, foreign (to user's forest) trusted domains
You have two methods to handle this
* First you can look for the user's Foreign Security Principal in each domain and return the memberof attribute
* Second you can query every domain local group in each domain looking for the user's FSP object DN.
Yes AdFind can do this. Each process would be a different command, but they are all very basic LDAP queries.
joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm Blog: http://blog.joeware.net
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Biju_babu@cargill.com
Sent: Friday, September 03, 2010 7:04 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Domain Local Group(s) from trusted domains not showing up in the Memberof property for users
Good day,
Wondering if somebody can tell me how to list a user's domain local group membership in trusted domains?
I'm not looking for any nested group membership, just the primary membership. In ADUC (or using ADSIEDIT) you can see the DL, GL and Universal groups from the same domain and Universal groups from the trusted domains. (I never tried ADFIND so not sure if that will help; if anyone can share the syntax that would be great.)
Thanks & Regards Biju
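The two directory-query approaches joe lays out above, as an added example that is not code from any of the posters: it builds the per-domain filter for domain local groups that directly list a member DN (with RFC 4515 escaping of that DN), derives the Foreign Security Principal DN that stands in for a user from another forest, and merges the answers from several domains or GCs, which Brian notes you have to do yourself. The directory data is constructed sample output rather than a live query, and the SIDs and domain names are hypothetical.

```python
from typing import Dict, List

GT_GLOBAL, GT_DOMAIN_LOCAL, GT_UNIVERSAL = 0x2, 0x4, 0x8  # groupType scope bits
BIT_AND_RULE = "1.2.840.113556.1.4.803"                   # LDAP_MATCHING_RULE_BIT_AND

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a DN containing ( ) * or \\ cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def fsp_dn(user_sid: str, domain_dn: str) -> str:
    """DN of the Foreign Security Principal that stands in for a user from another
    forest in the trusting domain (SID and domain DN are caller-supplied)."""
    return f"CN={user_sid},CN=ForeignSecurityPrincipals,{domain_dn}"

def domain_local_groups_filter(member_dn: str) -> str:
    """Filter to run against ONE domain: domain local groups whose member attribute
    lists member_dn directly (no nesting, as the original question asked)."""
    return ("(&(objectCategory=group)"
            f"(groupType:{BIT_AND_RULE}:={GT_DOMAIN_LOCAL})"
            f"(member={escape_filter_value(member_dn)}))")

def scope_of(group_type: int) -> str:
    if group_type & GT_DOMAIN_LOCAL:
        return "domainLocal"
    return "universal" if group_type & GT_UNIVERSAL else "global"

def merge_memberships(per_domain: Dict[str, List[dict]]) -> Dict[str, str]:
    """Merge each domain's/GC's answer into one {groupDN: scope} map. Universal
    groups are returned by every GC, so duplicates collapse on the DN."""
    merged: Dict[str, str] = {}
    for groups in per_domain.values():
        for g in groups:
            merged.setdefault(g["distinguishedName"], scope_of(g["groupType"]))
    return merged

# Constructed sample: what a GC in each of two forest domains might return for one
# user, with the security-enabled bit 0x80000000 set as real groups have it.
SAMPLE_RESULTS = {
    "dom1.example": [
        {"distinguishedName": "CN=AllStaff,DC=example", "groupType": 0x80000008},
        {"distinguishedName": "CN=Dom1-Global,DC=dom1,DC=example", "groupType": 0x80000002},
        {"distinguishedName": "CN=Dom1-FileSrv,DC=dom1,DC=example", "groupType": 0x80000004}],
    "dom2.example": [
        {"distinguishedName": "CN=AllStaff,DC=example", "groupType": 0x80000008},
        {"distinguishedName": "CN=Dom2-Printers,DC=dom2,DC=example", "groupType": 0x80000004}],
}
```

Run `domain_local_groups_filter(fsp_dn(sid, domain_dn))` once per trusted foreign domain and `domain_local_groups_filter(user_dn)` once per domain in the user's own forest, then feed every result set to `merge_memberships`.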