And to add to that, any users in DomainB who have group membership (recursively as well) in a group that has one of the sids in question.
I think that covers it? jlc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Joseph L. Casale Sent: Thursday, March 30, 2017 4:05 PM To: ntsysadm@lists.myitforum.com Subject: [NTSysADM] SID history report Hey guys, I am trying to automate a report that a user has been instructed to reproduce on a continued basis. Given a group "GroupA" in DomainA, I need to enumerate all users who have access implicitly through sIDHistory. Off the top of my head, does this miss anything: - Enumerate all members of GroupA in DomainA recursively. - Explicit users. - Members implied through explicit group membership (recursively as well). - Enumerate any users in DomainA whose sIDHistory collection contains one or more of any of the above SIDs. - Enumerate any users in DomainB whose sIDHistory collection contains one or more of any of the above cumulative SIDs. Does that cover it? Thanks, jlc