The world's most trusted forum on Active Directory Security
We are trying to help our clients check/verify delegations in Active Directory. As a part of this, one of the things we have been doing is trying to enumerate the membership of all default administrative groups in Active Directory (e.g. Domain Admins, Enterprise Admins, Server Operators, Account Operators, etc.).
In our efforts to try and do this, we have found it to be a bit cumbersome, mainly because of group nesting, i.e. many of these groups have groups that are nested within them, and in a few cases, our scripts went into infinite loops as it turned out that some of these nested groups were nested into each other.
So I was wondering if there is an easy way to enumerate and document the membership of administrative groups in Active Directory?
If anyone knows of an easy, reliable and efficient way to do this, I would sincerely be grateful if you could let me know how you are doing this, as it's a bit too complicated for us to do as of now.
Thanks for your help.
"These young guys are playing checkers. I'm out there playing chess" - Kobe Bryant
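The infinite loops described in the post above come from expanding a group that has already been expanded. The following is an added example, not part of the original post: a breadth-first expansion that tracks visited groups and records the nesting path for each member. The directory contents, the `Get-Entry` helper and the `Expand-GroupMembership` function name are assumptions made for illustration.

```powershell
# CONSTRUCTED sample directory (DN -> class and direct members); not real data.
$b = 'DC=example,DC=test'
$Directory = @{
    "CN=Domain Admins,CN=Users,$b" = @{ Class = 'group'; Member = "CN=alice,CN=Users,$b", "CN=Tier0 Ops,OU=Groups,$b" }
    "CN=Tier0 Ops,OU=Groups,$b"    = @{ Class = 'group'; Member = "CN=bob,CN=Users,$b", "CN=Infra Leads,OU=Groups,$b" }
    # Circular nesting: Infra Leads contains Tier0 Ops, which contains Infra Leads.
    "CN=Infra Leads,OU=Groups,$b"  = @{ Class = 'group'; Member = "CN=carol,CN=Users,$b", "CN=Tier0 Ops,OU=Groups,$b" }
    "CN=alice,CN=Users,$b"         = @{ Class = 'user'; Member = @() }
    "CN=bob,CN=Users,$b"           = @{ Class = 'user'; Member = @() }
    "CN=carol,CN=Users,$b"         = @{ Class = 'user'; Member = @() }
}

# Hypothetical lookup helper. Against a live domain, replace the body with:
#   $o = Get-ADObject -Identity $Dn -Properties member
#   @{ Class = $o.ObjectClass; Member = @($o.member) }
function Get-Entry([string]$Dn) { $Directory[$Dn] }

function Expand-GroupMembership {
    param([Parameter(Mandatory)][string]$GroupDn)

    # Every group DN is expanded at most once, so circular nesting cannot loop.
    $visited = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    [void]$visited.Add($GroupDn)
    $queue = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue(@{ Dn = $GroupDn; Path = @($GroupDn) })

    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        foreach ($memberDn in (Get-Entry $item.Dn).Member) {
            $entry = Get-Entry $memberDn
            $via   = $item.Path -join ' -> '
            if ($entry.Class -ne 'group') {
                # Leaf (user, computer, unresolved principal): one row per nesting path.
                [pscustomobject]@{ Member = $memberDn; Via = $via; Note = '' }
            } elseif ($visited.Add($memberDn)) {
                # First time this nested group is seen: schedule it for expansion.
                $queue.Enqueue(@{ Dn = $memberDn; Path = $item.Path + $memberDn })
            } else {
                # Already expanded: report it instead of recursing again.
                $note = if ($item.Path -contains $memberDn) { 'circular nesting' } else { 'already expanded' }
                [pscustomobject]@{ Member = $memberDn; Via = $via; Note = $note }
            }
        }
    }
}

Expand-GroupMembership "CN=Domain Admins,CN=Users,$b" | Format-Table -AutoSize -Wrap
```

Where only the flattened member list is needed and not the nesting path, `Get-ADGroupMember -Recursive` or an LDAP filter using the matching rule `1.2.840.113556.1.4.1941` on `memberOf` returns it directly.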