
Ability to list groups member of a trusted domain is in

Newsgroup: microsoft.public.windows.server.security

Posted by Mike Matheny on July 26, 2006, 12:30 pm
We have around 10 trusted domains that we sometimes add users from into our
domain local groups. When a user from a trusted domain leaves, we need a way
to find out what groups in OUR domain he is a member of and remove him. I
have not been able to find any way to do this (short of going through all
1000 of our groups manually!!), so that is why I am asking the experts!

--

Mike Matheny




Posted by Steven L Umbach on July 26, 2006, 1:51 pm
You could try using dsget user -memberof from a Windows 2003 domain
controller. See the links below for use of that command and other helpful
commands that can often pipe the results of one command to the other to
automate tasks.

Steve

http://technet2.microsoft.com/WindowsServer/en/library/96a4a5ee-ee72-44d5-845f-71b2de33d4411033.mspx?mfr=true
http://technet2.microsoft.com/WindowsServer/en/library/59bec076-01fe-4d09-8b4b-296e7fa9c5571033.mspx?mfr=true





Posted by Roger Abell [MVP] on July 26, 2006, 7:28 pm
That is, or certainly can be, a tough nut to crack.
What I try to use is:
1. never grant to users, not anything, not ever
2. allow users into a subset of the groups only
(I think of these as principal groups)
3. use grants for rights, resources, etc. with
groups defined for those purposes
(I think of these as resource groups)
4. use principal groups nowhere except to
populate resource groups
5. have and uphold a group naming convention so that
it is clear what group is a principal group, and what
the uses of the resource groups are (and use them
only that way)
Then, there is a limited subset of groups that need to
be periodically examined for accounts, and as a side
effect looking at the resource groups tells one immediately
what categories of users have that access.
For the examination I use script.
If one does not start out right one can quickly get a mess
on one's hands.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

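Roger says he examines the principal groups by script but does not post it. The script below is an added example, not Roger's, of what that periodic examination can look like: it walks the groups that match a naming convention, picks out the members that are foreign security principals (accounts from trusted domains), and flags the ones whose SID no longer resolves to a name, which is what a user who has left a trusted domain looks like from our side. The `PG-*` pattern is a placeholder for whatever convention is actually in use; the script assumes PowerShell 2.0 or later on a member of our domain, run as an account that can read group membership.

```powershell
# Added example, not Roger's script. Periodic examination of the groups that a
# naming convention marks as principal groups: list every member that is a
# foreign security principal (an account from a trusted domain) and flag the
# ones whose SID no longer resolves, i.e. the account is probably gone.
# 'PG-*' is a placeholder for the local naming convention.
param([string]$GroupPattern = 'PG-*')

$root         = [ADSI]"LDAP://RootDSE"
$domainDn     = [string]$root.defaultNamingContext
$fspContainer = "CN=ForeignSecurityPrincipals,$domainDn"

# The convention turns "which groups do I audit" into a trivial LDAP filter.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter     = "(&(objectClass=group)(cn=$GroupPattern))"
$searcher.PageSize   = 1000          # paged results, so more than 1000 groups come back too
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'member'))

foreach ($g in $searcher.FindAll()) {
    $groupDn = $g.Properties['distinguishedname'][0]
    foreach ($memberDn in $g.Properties['member']) {
        # Only members that live in the FSP container come from trusted domains;
        # users and groups of our own domain are skipped.
        if ($memberDn -notlike "*,$fspContainer") { continue }

        # An FSP's CN is the SID string itself:
        # CN=S-1-5-21-...,CN=ForeignSecurityPrincipals,DC=...
        $sidString = (($memberDn -split ',')[0]) -replace '^CN=', ''
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
        try {
            # Name resolution goes through the trust; success means the account still exists.
            $name   = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $status = 'active'
        } catch {
            # Either the account was deleted in the trusted domain, or the trust
            # (or its DCs) could not be reached; both look the same from here.
            $name   = '(unresolved)'
            $status = 'orphan'
        }
        New-Object PSObject -Property @{
            Group  = $groupDn
            Member = $name
            Sid    = $sidString
            Status = $status
        }
    }
}
```

Pipe the output through `Where-Object { $_.Status -eq 'orphan' }` to get the candidate list for removal, and treat it as a candidate list: a SID also fails to resolve while the trust is down, so check the trust before deleting anything. One limit to know about: AD returns the `member` attribute of a group with more than about 1500 members in ranges, and a plain read like this one sees only the first range, so very large groups need the ranged-retrieval syntax or a `memberOf` query from the FSP side instead.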



Posted by Joe Richards [MVP] on July 27, 2006, 6:21 pm
If you have a single domain and the only thing you have to worry about
is domain local groups, this will be pretty easy....

You simply find the foreignSecurityPrincipal object that was created for
the foreign user, then look at the memberof attribute of that object.
Again, assuming you have a single domain forest and you are only worried
about domain local groups, every direct membership group will be listed
in that attribute.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


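Steve's and Joe's replies point at the same place: the foreignSecurityPrincipal (FSP) object our domain created for the trusted-domain user, whose `memberOf` back-link lists the domain local groups he was put into directly. The script below is an added example, not from the thread or from the TechNet pages Steve links, that does the lookup Joe describes and, with a switch, the removal, using ADSI so it runs on 2003-era domains without any later AD module. It assumes it runs on a member of our domain, as an account allowed to read the ForeignSecurityPrincipals container and to modify the groups; `TRUSTED\jdoe` is a placeholder account name.

```powershell
# Added example, not the thread's own script. Lists (and with -Remove, clears)
# every direct group membership that a trusted-domain account holds in THIS
# domain, by reading memberOf on its foreignSecurityPrincipal (FSP) object.
# 'TRUSTED\jdoe' is a placeholder; pass a real DOMAIN\user or a SID string.
param(
    [Parameter(Mandatory = $true)]
    [string]$Account,   # 'TRUSTED\jdoe', or 'S-1-5-21-...' once the account is already deleted
    [switch]$Remove     # without this switch the script only reports
)

# 1. Get the SID. The FSP is keyed by SID, and a user deleted in the trusted
#    domain no longer resolves by name, so a SID string is accepted directly.
if ($Account -match '^S-1-') {
    $sid = $Account
} else {
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# 2. Find the FSP object in our domain's ForeignSecurityPrincipals container.
#    AD accepts the SID in string form in an LDAP filter on objectSid.
$root     = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$root.defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=ForeignSecurityPrincipals,$domainDn"
$searcher.Filter     = "(&(objectClass=foreignSecurityPrincipal)(objectSid=$sid))"
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'memberOf'))
$fsp = $searcher.FindOne()

if (-not $fsp) {
    # No FSP means the account was never added to any group in this domain.
    Write-Output "No foreign security principal for $Account ($sid) in $domainDn"
    return
}
$fspDn  = $fsp.Properties['distinguishedname'][0]
$groups = @($fsp.Properties['memberof'])

# 3. Report. memberOf holds only DIRECT memberships in groups of this domain.
#    A membership inherited through one of the trusted domain's own groups is
#    that domain's problem to clean up, not ours.
Write-Output "$Account is a direct member of $($groups.Count) group(s) in $domainDn"
foreach ($groupDn in $groups) {
    Write-Output "  $groupDn"
    if ($Remove) {
        # IADsGroup::Remove takes the member's ADsPath, not its bare DN.
        $group = [ADSI]"LDAP://$groupDn"
        $group.Remove("LDAP://$fspDn")
        Write-Output "    removed"
    }
}
```

Run it once without `-Remove` to see the list, then again with the switch. Note why `dsget user -memberof` alone does not get there for a trusted-domain account: there is no user object for him in our domain, only the FSP, so the command-line equivalent of the lookup is `dsquery * "CN=ForeignSecurityPrincipals,<our domain DN>" -filter "(objectSid=<SID>)" -attr memberOf`, and `dsmod group "<group DN>" -rmmbr "<FSP DN>"` drops one membership. If the FSP ends up in no group at all it can be deleted as well; AD does not remove it on its own.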
