ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: How to enumerate all the members of a domain security group?


Member

Posts: 16
Date: May 25, 2011
How to enumerate all the members of a domain security group?


Hi all. I was hoping to get some help via this forum in regards to something we are trying to accomplish in our Active Directory environment.

In particular, we are in the midst of consolidating two forests, and as a part of the consolidation, we would like to enumerate all the members of our core domain security groups. We are looking for a way to be able to list the complete expanded nested group memberships of most of our Active Directory security groups.

Is there an efficient and reliable way in which to do this? We've tried scripting and PowerShell, but we end up with issues due to circular nested domain security group memberships.

Any input is appreciated.



__________________
Driod Rules!


Member

Posts: 10
Date: Jun 23, 2012
How to enumerate all the members of a domain security group?


Hi Jeremy,

We had a similar requirement a few weeks ago, although driven by different reasons, and we also tried scripting, PowerShell and a few free Active Directory search utilities out there.

At the end of the day, we ended up wasting a lot of time trying to accomplish our goals, primarily because either the results we got from our scripts/PowerShell weren't always accurate (for larger groups), or because, in other cases, with the results for small groups, it took a lot of time to format them and present them in the form we needed them to be delivered to management.

The large Active Directory group membership issue was not initially apparent, but became clear when we started writing scripts to get these group memberships. I believe only the first 1500 results would come back, even though more members were there in the group. 

In addition, we had a handful of circular nested group memberships in our Active Directory, and as a result, some queries would run infinitely. It took a fair amount of work to identify the cause, and we didn't quite know how to modify our queries to deal with it.

As for the free utilities we tried, apparently one of them was written in some other country out there, and it was behaving oddly, so one of our internal devs attached a debugger to it and found something akin to a back-door in it.

Since then, our management has instituted strict policies for all admins to not use free tools downloadable from the Internet, with the exception of those provided by Microsoft. 

As such, we ended up acquiring a 3rd party tool to fulfill this goal. Since then, documenting group memberships and delivering them in PDF format has been a matter of touching a button.

In case you're interested, I'd be happy to let you know what we use.

Otherwise, you can always Google "nested security group memberships" and find something that can fulfill your needs to enumerate nested group memberships in your Active Directory environment.

-Jimmy



__________________
iPad Rocks!
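The two problems raised above (circular nesting in the original post, and the 1500-member truncation Jimmy describes) can both be handled natively. The following is an added example, not code from anyone in this thread; it assumes the RSAT ActiveDirectory module is installed, and the group DN and output path are placeholders.

```powershell
# Added example (not from the thread): flatten a group's nested membership
# with cycle detection, using the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-FlatGroupMembership {
    param(
        [Parameter(Mandatory)] [string]$GroupDN,
        # Visited set guards against circular nesting (A -> B -> A) and
        # stops the recursion from re-expanding a group reached twice.
        [System.Collections.Generic.HashSet[string]]$Visited =
            (New-Object 'System.Collections.Generic.HashSet[string]')
    )
    # HashSet.Add returns $false if the DN was already present: stop here.
    if (-not $Visited.Add($GroupDN)) { return }

    # Reading 'member' through Get-ADGroup avoids the MaxValRange truncation
    # (1500 values per LDAP read by default) seen with raw LDAP/ADSI queries,
    # because the module performs ranged retrieval for you.
    $group = Get-ADGroup -Identity $GroupDN -Properties member
    foreach ($memberDN in $group.member) {
        $obj = Get-ADObject -Identity $memberDN -Properties objectClass, sAMAccountName
        if ($obj.objectClass -eq 'group') {
            Get-FlatGroupMembership -GroupDN $memberDN -Visited $Visited
        } else {
            # Members from a trusted forest appear as foreignSecurityPrincipal
            # objects; keeping Class in the output makes them easy to spot.
            [pscustomobject]@{
                ViaGroup = $group.Name
                Member   = $obj.sAMAccountName
                Class    = $obj.objectClass
                DN       = $memberDN
            }
        }
    }
}

# Usage with a placeholder DN: de-duplicate members reached by several paths.
Get-FlatGroupMembership -GroupDN 'CN=Core Admins,OU=Groups,DC=example,DC=com' |
    Sort-Object DN -Unique |
    Export-Csv -Path .\CoreAdmins-flat.csv -NoTypeInformation
```

Get-ADGroupMember -Recursive also flattens nesting, but it goes through Active Directory Web Services and fails with a size-limit error on very large groups, which is why the example reads the member attribute directly.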


Newbie

Posts: 4
Date: Jun 29, 2012
RE: How to enumerate all the members of a domain security group?


Jeremy,

Have you considered GroupID? Although it is a full-fledged group management solution, it could also help enumerate all the members of a domain security group.

Imtiaz.



__________________

Sr. Systems Admin focused on Windows Management



Member

Posts: 16
Date: Jul 20, 2012
RE: How to enumerate all the members of a domain security group?


Guys,

Thank you for your recommendations and pointers.

Imtiaz, thanks for pointing us to Group ID, but it seems to be a full-fledged solution of sorts - we just need a simple, easy way to enumerate group memberships natively.

Jimmy, yes, if you could please let me know what tool you're using to enumerate all the members of Active Directory groups, that'd be helpful.

Looking forward to your input.

Jeremy.



__________________
Driod Rules!


Member

Posts: 10
Date: Feb 5, 2013
RE: How to enumerate all the members of a domain security group?


Hi Jeremy,

Certainly. Happy to help. We're using this Active Directory Audit Tool to fulfill our group membership reporting needs. It's been super helpful because it lets us enumerate all the members of any of our security groups, including nested memberships, and we can easily generate a PDF report documenting the membership. So come Active Directory audit time, furnishing group membership reports has become super easy.

One of the other things we like about it is that it also lets us do the opposite, i.e. enumerate all the security groups to which a given user belongs, and that's been very helpful as well, especially as we've started to take a look at some of our vendor accounts and their memberships.

By the way, not sure if you too face this issue, but this whole default membership in Authenticated Users thing is not very welcome because it gives almost everyone (i.e. anyone with a domain account) access to so many of our SharePoint portals and other files on file servers.

Anyways, I hope my input helps you. If you have any other questions, shoot me an email, or just ask.

Adios

Jimmy.



__________________
iPad Rocks!