The world's most trusted forum on Active Directory Security
I would like to know how one can enumerate the list of all Active Directory security groups that are nested within an Active Directory security group?
We have a requirement to try and minimize the level of group nesting in light of the 1024 SID limitation in a Windows access token. We use application groups and thus for some of our users this has been an issue.
We've dabbled with some basic security tools that can enumerate the direct membership of an Active Directory security group, but that is not what we're looking for.
We've also tried a few scripts to enumerate the complete nested membership of a group, but it did not yield accurate results.
Any guidance would be appreciated. Thank you in advance.
The accurate enumeration of Active Directory security groups is not as easy as it readily seems because of numerous factors involved, such as nested group memberships, circular nestings, the 1500 simple LDAP retrieval limit, and so on and so forth.
If you look around, you might find some VBScripts that claim to be able to view nested memberships, but none of them are 100% accurate, and/or require additional work to be done, which is usually mentioned in the fine print.
It is also quite time-consuming and laborious to try and understand all the details, then write your own scripts to try and accomplish this, so it is best to invest in a good automated solution that is designed for this very purpose, and can help you accomplish this with 100% accuracy whenever you need to be able to enumerate nested group memberships.
We were in a similar situation a few months ago, and went through the same exercise, and ultimately ended up going with an automated solution, so based on my experience, I would suggest finding and investing in a good dedicated solution to fulfill this need.
We will NEVER forget.
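The three factors named in the reply (nested memberships, circular nestings, the 1500-value retrieval limit) can all be handled in a small walker. The following is an added example, not code from this thread or from any product mentioned in it. It runs offline against a constructed in-memory directory (DNs under DC=example,DC=test, and a fake_ldap_read function that emulates AD's ranged retrieval of the member attribute, all of which are assumptions of the example); against a real domain you would replace fake_ldap_read with an LDAP read of the same attribute name and is_group with an objectClass lookup.

```python
from collections import deque

# Constructed sample directory (DN -> attributes); not a real domain.
# App-Finance and Finance-Staff nest each other (circular nesting), and
# Finance-Staff has more than 1500 members, so the fake server pages it.
RANGE_SIZE = 1500
USERS = "OU=Users,DC=example,DC=test"
GROUPS = "OU=Groups,DC=example,DC=test"
APP = f"CN=App-Finance,{GROUPS}"
STAFF = f"CN=Finance-Staff,{GROUPS}"
CONTRACTORS = f"CN=Contractors,{GROUPS}"
BULK_USERS = [f"CN=user{i},{USERS}" for i in range(2000)]

SAMPLE_DIRECTORY = {
    APP: {"objectClass": "group", "member": [STAFF, f"CN=alice,{USERS}"]},
    STAFF: {"objectClass": "group",
            "member": [APP, CONTRACTORS, f"CN=bob,{USERS}"] + BULK_USERS},
    CONTRACTORS: {"objectClass": "group", "member": [f"CN=carol,{USERS}"]},
}
for dn in BULK_USERS + [f"CN={n},{USERS}" for n in ("alice", "bob", "carol")]:
    SAMPLE_DIRECTORY[dn] = {"objectClass": "user"}


def fake_ldap_read(dn, attr):
    """Emulate reading one attribute from AD, including ranged retrieval:
    a multi-valued attribute larger than RANGE_SIZE comes back under the
    name 'member;range=0-1499', and the final chunk is labelled 'start-*'."""
    base, _, rng = attr.partition(";range=")
    values = SAMPLE_DIRECTORY[dn].get(base, [])
    if not rng and len(values) <= RANGE_SIZE:
        return {base: list(values)}  # small enough to come back whole
    start = int(rng.split("-")[0]) if rng else 0
    end = start + RANGE_SIZE
    if end >= len(values):
        return {f"{base};range={start}-*": values[start:]}
    return {f"{base};range={start}-{end - 1}": values[start:end]}


def read_all_values(read, dn, attr):
    """Follow ranged retrieval until the server returns the terminal 'N-*' chunk."""
    collected, request = [], attr
    while True:
        result = read(dn, request)
        if not result:
            return collected
        name, values = next(iter(result.items()))
        collected.extend(values)
        if ";range=" not in name:
            return collected  # attribute was returned whole
        _, _, rng = name.partition(";range=")
        _, end = rng.split("-")
        if end == "*":
            return collected  # last chunk
        request = f"{attr};range={int(end) + 1}-*"


def is_group(dn):
    return SAMPLE_DIRECTORY[dn]["objectClass"] == "group"


def nested_members(read, group_dn, is_group=is_group):
    """Breadth-first walk of 'member' links. The seen set stops circular
    nestings from looping forever and reads each group only once.
    Returns (principals, nested_groups)."""
    seen_groups, principals, queue = {group_dn}, set(), deque([group_dn])
    while queue:
        current = queue.popleft()
        for member_dn in read_all_values(read, current, "member"):
            if is_group(member_dn):
                if member_dn not in seen_groups:
                    seen_groups.add(member_dn)
                    queue.append(member_dn)
            else:
                principals.add(member_dn)
    return principals, seen_groups - {group_dn}


def groups_of_principal(read, group_dns, principal_dn, is_group=is_group):
    """Groups whose nested membership includes principal_dn, i.e. the
    groups that contribute SIDs to that principal's access token."""
    return {g for g in group_dns
            if principal_dn in nested_members(read, g, is_group)[0]}


if __name__ == "__main__":
    users, groups = nested_members(fake_ldap_read, APP)
    print(f"{APP}: {len(users)} principals via {len(groups)} nested group(s)")
    alice = f"CN=alice,{USERS}"
    count = len(groups_of_principal(fake_ldap_read, [APP, STAFF, CONTRACTORS], alice))
    print(f"{alice} is in {count} group(s) transitively")
```

Two caveats when pointing this at a real domain: membership granted through primaryGroupID (for example Domain Users) does not appear in the member attribute and has to be added separately, and a token's SID count also includes well-known and SID-history entries, so the per-user group count above is a lower bound on what counts toward the 1024 limit.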
Since I posted my question, we've been looking around and investigating various ways to do this, but haven't been able to figure much out.
I mean I come across some articles/scripts on how to enumerate nested groups, but they don't work in all situations, so that doesn't work for us. (For example, they cannot handle circular nested groups.)
You seemed to indicate that you found an automated solution to do this.
If so, would you mind letting me know which one it is, for I've almost run out of patience looking for a solution.
Thanks a lot.
Sorry for getting back to you a little late on this. We were out travelling since the kids were on vacation from school. Glad to be back at work, and back in the thick of AD, access and audits.
As for your question, yeah sure, we're using a tool called Gold Finger for Active Directory to enumerate nested group memberships in our AD deployment. It's a pretty slick tool that lets you view both "all members of a group" (including nested group memberships) as well as "all groups to which a user belongs" (also including those based on any nested group memberships).
One of the other things we like about it is that it's made exporting memberships as well as documenting memberships pretty darn easy (and, if you ask me, almost too easy).
Just Google "Gold Finger for Active Directory" and you should find it.
BTW, I believe it's over at - www.paramountdefenses.com/goldfinger