ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: Why is it so hard to enumerate nested group memberships in Active Directory?


Newbie

Posts: 1
Date: Dec 3, 2010
Why is it so hard to enumerate nested group memberships in Active Directory?
 
 


Hi,

We have recently been asked to find and analyze nested group memberships in Active Directory, particularly those that can end up having a large number of nested members in them?

I was hoping this could be easily scripted, but based on some preliminary research it turns out that it's not that easy to script to precisely enumerate the complete expanded list, due to various technical factors.

Could someone please list these technical factors, so I could better understand the intricacies involved in enumerating nested groups in our Active Directory?

Any insight and help would be much appreciated.

Thanks,
Danny



__________________
Blessed are the Geeks, for they shall Internet the Earth ;-)


Member

Posts: 16
Date: May 19, 2011
Why is it so hard to enumerate nested group memberships in Active Directory?
 
 


You are correct that it is not that easy to enumerate nested group memberships, even though it seems straightforward, and this is especially true when you're trying to script this.

One of the most overlooked challenges is that it is quite possible that groups could be nested within each other. Should this be the case, it will basically throw most scripts into an infinite loop. It is not easy to add the logic to a script to identify and eliminate circular memberships.

Then there is the issue with well-known groups. Specifically, if you're dealing with groups like Domain Users or the like, you're out of luck with a script, as the membership of such groups is dynamically determined.

Lastly, group memberships for universal groups can span multiple domains, and group memberships for builtin groups can differ based on the DC you query them in cases where they might contain universal group members.

So it is not that easy to obtain the complete list of a nested security group in Active Directory. My advice would be to use some sort of an automated reporting/audit tool.

Thankfully, Google can find you just about anything these days. Just google the words "nested group membership reports" and you should have numerous options to choose from.

-- Aaron



__________________


Member

Posts: 21
Date: Jun 15, 2011
RE: Why is it so hard to enumerate nested group memberships in Active Directory?
 
 


Aaron,

Shalom. There is another possibility that I thought was worth mentioning, one that makes expanding nested groups rather difficult and that most scripts won't know how to deal with.

That possibility is the case where a well-known group, whose membership is dynamic, is nested within a group; for example, Domain Users, or Domain Computers, etc.

For instance, if in a security group belonging to a child domain someone had accidentally made Domain Users from the parent domain or another domain a member of this group, then you would have to dynamically determine the membership of that group, because if you simply query Active Directory to return the value of the members attribute on Domain Users, Active Directory will only return those members that are explicitly made members of the group.

It so happens that typically the static membership of Domain Users is empty, and thus a simple query for the members attribute against Active Directory will return an empty set.

If you are using scripts, you will have to ensure that your scripts can handle such cases, because they are possible, and if they are possible, then your scripts must be able to take them into account, otherwise you will not obtain accurate results.

I just wanted to mention this in case you were planning on using scripts to enumerate domain groups memberships in your Active Directory environment.

Lehitra'ot

- Ishmael.



__________________

There isn't a system that cannot be broken into.
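The two failure modes Aaron and Ishmael describe above (groups nested in a cycle, and a well-known group such as Domain Users whose member attribute is empty because ordinary users belong to it only through their primaryGroupID) can both be handled in a script once you know about them. The Python below is an added example and not code from anyone in this thread. It works on a constructed in-memory dictionary that stands in for the attributes an LDAP search would return (distinguishedName, objectClass, member, objectSid, primaryGroupID); in a real environment those lookups would be replaced by searches against a domain controller. The domain SID, group names and user names are made up. It does not model the cross-domain universal group and built-in group caveats Aaron mentions, nor well-known SIDs like Authenticated Users, whose membership is not stored in the directory at all.

```python
"""Expand the nested membership of an Active Directory group, handling
circular nesting and primary-group (e.g. Domain Users) membership.

Added example, not from the original thread. DIRECTORY is a constructed
stand-in for LDAP search results; every DN and SID in it is made up.
"""
from __future__ import annotations

DOMAIN_SID = "S-1-5-21-111-222-333"   # constructed domain SID
RID_DOMAIN_USERS = 513                  # well-known RID of Domain Users

# Constructed directory: DN -> attributes. Domain Users has an empty
# "member" attribute on purpose: its users belong via primaryGroupID only.
# G-Admins and G-Ops are nested in each other to create a cycle.
DIRECTORY = {
    "CN=Domain Users,CN=Users,DC=corp,DC=example": {
        "objectClass": "group", "member": [],
        "objectSid": f"{DOMAIN_SID}-{RID_DOMAIN_USERS}"},
    "CN=G-Admins,OU=Groups,DC=corp,DC=example": {
        "objectClass": "group", "objectSid": f"{DOMAIN_SID}-1101",
        "member": ["CN=G-Ops,OU=Groups,DC=corp,DC=example",
                   "CN=alice,CN=Users,DC=corp,DC=example"]},
    "CN=G-Ops,OU=Groups,DC=corp,DC=example": {
        "objectClass": "group", "objectSid": f"{DOMAIN_SID}-1102",
        "member": ["CN=G-Admins,OU=Groups,DC=corp,DC=example",  # cycle
                   "CN=Domain Users,CN=Users,DC=corp,DC=example",
                   "CN=bob,CN=Users,DC=corp,DC=example"]},
    "CN=alice,CN=Users,DC=corp,DC=example": {
        "objectClass": "user", "primaryGroupID": RID_DOMAIN_USERS},
    "CN=bob,CN=Users,DC=corp,DC=example": {
        "objectClass": "user", "primaryGroupID": RID_DOMAIN_USERS},
    "CN=carol,CN=Users,DC=corp,DC=example": {
        "objectClass": "user", "primaryGroupID": RID_DOMAIN_USERS},
    "CN=svc-backup,CN=Users,DC=corp,DC=example": {
        "objectClass": "user", "primaryGroupID": 1102},  # primary group: G-Ops
}


def rid_of(sid: str) -> int:
    """Relative identifier, i.e. the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def primary_group_members(group_dn: str) -> list[str]:
    """Users whose primaryGroupID equals this group's RID.

    These never appear in the group's member attribute, so a separate
    search is needed; in LDAP: (&(objectClass=user)(primaryGroupID=<rid>)).
    """
    rid = rid_of(DIRECTORY[group_dn]["objectSid"])
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if attrs["objectClass"] == "user"
                  and attrs.get("primaryGroupID") == rid)


def expand_group(group_dn: str) -> tuple[set[str], list[str]]:
    """Depth-first expansion of a group's complete nested membership.

    Returns (set of member user DNs, list of group DNs that referred back
    to a group still being expanded, i.e. genuine circular nesting).
    'visited' guarantees termination; 'on_path' distinguishes a true cycle
    from a group merely reachable through two different paths.
    """
    users: set[str] = set()
    cycles: list[str] = []
    visited: set[str] = set()
    on_path: set[str] = set()

    def walk(dn: str) -> None:
        if dn in on_path:        # back edge: the group contains itself
            cycles.append(dn)
            return
        if dn in visited:        # already expanded via another path
            return
        visited.add(dn)
        on_path.add(dn)
        # Explicit members from the group's member attribute.
        for member in DIRECTORY[dn].get("member", []):
            if DIRECTORY[member]["objectClass"] == "group":
                walk(member)
            else:
                users.add(member)
        # Implicit members: accounts whose primary group this is.
        users.update(primary_group_members(dn))
        on_path.discard(dn)

    walk(group_dn)
    return users, cycles


if __name__ == "__main__":
    members, loops = expand_group("CN=G-Admins,OU=Groups,DC=corp,DC=example")
    print("Expanded members of G-Admins:")
    for dn in sorted(members):
        print("  ", dn)
    print("Circular references encountered:", loops)
```

Expanding G-Admins yields alice, bob and carol (carol only because Domain Users is nested in G-Ops and she belongs to it through her primary group), plus svc-backup, whose primary group is G-Ops itself. The walk terminates despite G-Admins and G-Ops containing each other, and the back-reference is reported rather than silently followed.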



Member

Posts: 10
Date: Jul 15, 2011
RE: Why is it so hard to enumerate nested group memberships in Active Directory?
 
 


Aaron, Ishmael,

Thanks for your view points - this is quite helpful. I see now why expanding nested group memberships in Active Directory is not as easy as it seems. We will definitely keep these points in mind as we attempt to solve this problem.

Also, if you don't mind me asking, how do you enumerate complete nested group memberships in your Active Directory environments today?

Thanks in advance again.

Danny.



__________________


Member

Posts: 21
Date: Jul 24, 2012
Why is it so hard to enumerate nested group memberships in Active Directory?
 
 


Danny,

We use an automated solution called Gold Finger for Active Directory to enumerate nested group memberships in our Active Directory.

It is a multi-purpose Active Directory Security Analysis tool and one of its capabilities, Group Membership Reports, offers the following reports - 

1. View the direct membership of an Active Directory security group 

2. View the complete nested membership of an Active Directory security group 

3. View the complete list of all Active Directory security groups to which a user belongs  

What we like most about it is that you can export results to a CSV file as well as have the group memberships documented in a PDF report.
 
The one other thing we like is that it can also evaluate the membership of well-known RIDs like Domain Users and well-known SIDs like Authenticated Users.
 
In case you need more info - www.paramountdefenses.com/goldfinger
 
Good luck.
Ishmael.


__________________

There isn't a system that cannot be broken into.
