
There are various ways to either list all users & groups belonging to a group (or via gui), or conversely list all groups a group or user belongs to...

However, I am in a position where I wish to know whether a group (My Group) directly or indirectly contains a particular user (jsmith), e.g.

  • Yes, jsmith is a member of My Group or one of its members (recursively); or
  • No, jsmith is not a member of My Group or any of its members (recursively).

I don't need to enumerate all possible users of the group (unless that's the most efficient way to do it).

It would be a bonus if it indicated the hierarchy through which the membership arises, e.g.

  • My Group contains Some Other Group, which contains Some Team Group, which contains jsmith; or

  • My Group contains Poorly Maintained Group, which contains Domain Users, which contains jsmith.

What would be the best way to answer either of these questions?

Stobor
  • Using what mechanism? vbscript? wmi? ldap? other? – Joel Coel Jan 03 '12 at 03:48
  • Additionally, what language would you use to access the mechanism? – Andrew M. Jan 03 '12 at 04:24
  • Whilst not the answer you are looking for, a quick one off way of testing this is to set a permission somewhere on your local file system in a temporary location using the group, then use the `effective permissions` tool to see if the permission applies to the user in question. – Bryan Jan 03 '12 at 12:07
  • @JoelCoel I'm happy to use any mechanism available; I need it to do point lookups when specific issues arise, so whatever tool or language does it best is fine with me. – Stobor Jan 03 '12 at 22:58
  • @Redmumba I would be using it interactively, so I'm not concerned about language. If it's only available as an API, I could write a program/script to access it, but if it's a gui or command-line tool, that's okay too. – Stobor Jan 03 '12 at 23:00

1 Answer


There is the calculated attribute in Active Directory "tokenGroups" that returns SIDs of all groups the user belongs to.

begemot
  • +1 That looks like what I want... Will test it later today... – Stobor Jan 03 '12 at 23:06
  • I haven't been able to test this (haven't been around an AD last week), but google suggests that it would do the right thing. I haven't forgotten about this, will come back to accept it soon. – Stobor Jan 09 '12 at 04:25
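tokenGroups answers the yes/no question (and, unlike a walk over the `member` attribute, it already includes the user's primary group such as Domain Users), but it cannot show the chain the question asks for. The following is an added example, not code from the answer or the original post: it walks a constructed in-memory copy of the `member` attribute (hypothetical DNs under DC=example,DC=com) breadth-first to produce each chain, honours primaryGroupID membership, and breaks on circular nesting.

```python
from collections import deque

# Constructed sample directory (hypothetical DNs, not from a real domain):
# group DN -> direct members, as the AD "member" attribute would list them.
MEMBER = {
    "CN=My Group,DC=example,DC=com": [
        "CN=Some Other Group,DC=example,DC=com",
        "CN=Poorly Maintained Group,DC=example,DC=com",
    ],
    "CN=Some Other Group,DC=example,DC=com": ["CN=Some Team Group,DC=example,DC=com"],
    "CN=Some Team Group,DC=example,DC=com": [
        "CN=jsmith,DC=example,DC=com",
        "CN=My Group,DC=example,DC=com",  # circular nesting: must not loop forever
    ],
    "CN=Poorly Maintained Group,DC=example,DC=com": ["CN=Domain Users,DC=example,DC=com"],
    "CN=Domain Users,DC=example,DC=com": [],  # primary-group members are NOT in "member"
}
# Constructed: user DN -> primary group DN. AD records this via primaryGroupID,
# so a recursion over "member" alone silently misses Domain Users membership.
PRIMARY_GROUP = {"CN=jsmith,DC=example,DC=com": "CN=Domain Users,DC=example,DC=com"}

def membership_chains(group, user, member=MEMBER, primary=PRIMARY_GROUP):
    """Every chain group -> ... -> user, shortest first; [] means not a member."""
    chains, seen, queue = [], {group}, deque([[group]])
    while queue:
        path = queue.popleft()
        current = path[-1]
        direct = list(member.get(current, []))
        if primary.get(user) == current:
            direct.append(user)  # honour primaryGroupID membership
        for child in direct:
            if child == user:
                chains.append(path + [user])
            elif child in member and child not in seen:  # only recurse into groups
                seen.add(child)
                queue.append(path + [child])
    return chains

def is_member(group, user, **kw):
    return bool(membership_chains(group, user, **kw))

def describe(chain):
    """Render a chain as 'My Group contains X, which contains jsmith'."""
    names = [dn.split(",")[0][3:] for dn in chain]
    return names[0] + " contains " + ", which contains ".join(names[1:])

if __name__ == "__main__":
    for chain in membership_chains("CN=My Group,DC=example,DC=com", "CN=jsmith,DC=example,DC=com"):
        print(describe(chain))
```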