The world's most trusted forum on Active Directory Security
We have recently been asked to find and analyze nested group memberships in Active Directory, particularly those that can end up having a large number of nested members in them?
I was hoping this could be easily scripted but based on some preliminary research it turns out that its not that easy to script to preclisely enumerate the complete expanded list, due to various technical factors.
Could someone please list these technical factors, so I could better understand the intriciacies involved in enumerating nested groups in our Active Directory?
Any insight and help would be much appreciated. Thanks,Danny
You are correct that it is not that easy to enumerate nested group memberships, even though it seems straight-forward, and this is especially true when you're trying to script this.
One of the most overlooked challenges is that it is quite possible that groups could be nested within each other. Should this be the case, it will basically throw most scripts into an infinte loop. It is not easy to add the logic to script to identify and eliminate circular memberships.
Then there is the issue with well-known groups. Specifically, if you're dealing with groups like Domain Users or the like, you're out of luck with a script, as the membership of such groups is dynamically determined.
Lastly, group memberships for universal groups can span multiple domains, and group memberships for builtin groups can differ based on the DC you query them in cases where they might contain universal group members.
So it is not that easy to obtain the complete list of a nested security group in Active Directory. My advice would be to use some sort of an automated reporting/audit tool.
Thankfully, Google can find you just about anything these days. Just google the words "nested group membership reports" and you should have numerous options to choose from.
Shalom. There is another possibility I thought is worth mentioning that makes expanding nested groups rather difficult and one that most scripts won't know how to deal with.
That possibility is the case where a well-known group, whose membership is dynamic, is nested within a group; for example, Domain Users, or Domain Computers, etc.
For instance if in a security group belonging to a child domain, someone had accidentally made Domain Users from the parent domain or another domain a member of this group, then you would have to dynamically determine the membership of that group, because if you simply query the Active Directory to return the value of the members attribute on Domain Users, Active Directory will only return those members that are explicitly made members of the group.
It so happens that typically the static membership of Domain Users is empty, and thus a simple query for the members attribute against Active Directory will return an empty set.
If you are using scripts, you will have to ensure that your scripts can handle such cases, because they are possible, and if they are possible, then your scripts must be able to take them into account, otherwise you will not obtain accurate results.
I just wanted to mention this in case you were planning on using scripts to enumerate domain groups memberships in your Active Directory environment.
There isn't a system that cannot be broken into.
Thanks for your view points - this is quite helpful. I see now why expanding nested group memberships in Active Directory is not as easy as it seems. We will definitely keep these points in mind as we attempt to solve this problem.
Also, if you don't mind me asking, how do you enumerate complete nested group memberships in your Active Directory environments today?
Thanks in advance again.
We use an automated solution called Gold Finger for Active Directory to enumerate nested group memberships in our Active Directory.
It is a multi-purpose Active Directory Security Analysis tool and one of its capabilities, Group Membership Reports, offer the following reports -
1. View the direct membership of an Active Directory security group
2. View the complete nested membership of an Active Directory security group
3. View the complete list of all Active Directory security groups to which a user belongs