Hi,

After seeing several posts on this subject, I decided to create an ADUC SnapIn to give you this functionality (yes, it's free to use :)

I am open to suggestions on how to improve on it as well, so let me know if you have any.

Tabs that are included in the DLL:
==============================
Sid/Sid History: Displays the Security Identifier for the user (somehow this is missed in all property sheets :) - Also displays the domain\account of SIDs located in the sidHistory attribute of the object.

Group Memberships: Displays the domain\account of all SIDs in the following user/computer attributes: tokenGroups, tokenGroupsGlobalAndUniversal, tokenGroupsNoGCAcceptable

Basically, the SWADSnapIn.dll is an ADUC extension DLL that has to be registered on your computer, and the GUID has to be placed in the Display Specifier for users (and optionally groups and computers).

I didn't have the time to write an LDIF or VB script to modify those values; I'll leave that up to someone else on the list :)

There are installation instructions in the zip file you can download from here:
All the best,
Brian Small
President
======================
Small Wonders Software
http://www.smallwonders.com
407.647.4555 : voice
407.647.9029 : fax
======================
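The tabs Brian describes take objectSid, sidHistory and the tokenGroups* attributes, which LDAP hands back as binary SID structures, and show them as domain\account. The following is an added example, not code from Brian's DLL or from the original post: it decodes the binary SID layout (revision byte, sub-authority count, 48-bit big-endian identifier authority, 32-bit little-endian sub-authorities) into the S-1-... string form and back, splits off the RID, and resolves the result against a constructed domain/RID table that stands in for the name lookup a real tool would do against the directory. Every SID, domain name and RID below is constructed; only the SID byte layout and the well-known S-1-5-32-544 (BUILTIN\Administrators) are real.

```python
from __future__ import annotations
import struct


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID (the form objectSid, sidHistory and tokenGroups* return) to S-1-... text."""
    if len(raw) < 8:
        raise ValueError("SID blob too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit identifier authority, big-endian
    subs = struct.unpack_from(f"<{count}I", raw, 8)   # sub-authorities, 32-bit little-endian each
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_string_to_bytes(sid: str) -> bytes:
    """Encode S-1-... text back into the binary layout (e.g. to build an objectSid LDAP filter)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 1 << 48 or len(subs) > 15:
        raise ValueError(f"SID out of range: {sid!r}")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def split_domain_rid(sid: str) -> tuple[str, int]:
    """Domain SID prefix and RID of an account SID (the last sub-authority is the RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


# Constructed lookup tables standing in for the directory: domain SID -> NetBIOS name, (domain, RID) -> account.
DOMAIN_SIDS = {
    "S-1-5-21-1234567890-123456789-1234567890": "amr",
    "S-1-5-21-987654321-2345678901-345678901": "gar",
}
ACCOUNT_RIDS = {
    ("amr", 1103): "jdoe",
    ("amr", 513): "Domain Users",
    ("amr", 1104): "group1",
    ("gar", 1105): "group2",
}


def resolve_sid(raw: bytes) -> str:
    """domain\\account for a binary SID; anything unresolvable is shown as its S-1-... string."""
    sid = sid_bytes_to_string(raw)
    domain_sid, rid = split_domain_rid(sid)
    domain = DOMAIN_SIDS.get(domain_sid)
    name = ACCOUNT_RIDS.get((domain, rid)) if domain else None
    return f"{domain}\\{name}" if name else sid


def resolve_token_groups(values: list[bytes]) -> list[str]:
    """Resolve a whole multi-valued tokenGroups result, sorted for stable display."""
    return sorted(resolve_sid(v) for v in values)


# Constructed tokenGroups value: the user's primary group, a group from another domain, and a BUILTIN SID
# that has no entry in the constructed tables and therefore stays in raw form.
SAMPLE_TOKEN_GROUPS = [
    sid_string_to_bytes("S-1-5-21-1234567890-123456789-1234567890-513"),
    sid_string_to_bytes("S-1-5-21-987654321-2345678901-345678901-1105"),
    sid_string_to_bytes("S-1-5-32-544"),
]

if __name__ == "__main__":
    for line in resolve_token_groups(SAMPLE_TOKEN_GROUPS):
        print(line)
```

The length check matters in practice: tokenGroups is a constructed attribute and a truncated or malformed value should be rejected rather than misparsed into a different SID.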
Ah...
See now that is how MS intended it all along.... well once they realized they needed GC's at all... Well actually they intended single domains in a single forest, just ask the Exchange guys. :op
joe
For the record :D, all our DC's are GC's
...
Alan A Isham
Messaging and Active Directory Engineering
Intel Corporation in Folsom, California
916-356-3657
Yeah but unless all of your DC's are GC's, there is a good chance of seeing inconsistent results. That is even harder to explain to users.
joe
Joe, thanks for the reply.
Similarly, Intel has developed a command line tool to enumerate all group memberships, but for mass consumption by the "office worker" community, you can't beat an out of box, graphical user interface solution from Microsoft. Yes, I did say that.

Alan A Isham
Messaging and Active Directory Engineering
Intel Corporation in Folsom, California
I wasn't even aware that the new aduc did that, shows you how much I use the GUI... :op

I am actually glad it is like that though I could see a slightly better implementation (obviously). The reason behind me liking it is for the consistency. I think the better way to do it would be to have another window that shows detected non-local domain memberships or at least highlight them with some coloring and have some sort of blurb that explains that these can be inconsistently displayed depending on the focus of the GUI. Note that if you could point aduc at the GC partition of a user on a GC of a domain the user isn't a member of, you could display the user's global and DL group memberships on that domain. We use that hack for a couple of our UNIX applications so they don't need Uni's but can still use GC's for retrieving the group memberships that are important to their app.

I would really really rather see a way for MS to populate some new attribute with ALL group memberships irregardless of location in forest. I realize that there are some implementation details there that are involved but think it would be immensely worth it.

On the side Alan, if you haven't done so already, go look for memberof on my web site (www.joeware.net). It is a command line tool that will show you everything in your memberof attribute as well as your primary group and then will start chasing back through nesting for you.
joe
Hello Alan, I can see that you won't like this - it goes without saying that you're talking about Universal Groups from other domains in your forest - correct?

In 2000, when connected to a GC, ADMU would display your UG memberships even when they're from a different domain (as a GC would create the appropriate BackLinks to your AD account). However, when you connect to "just" a DC, you would not see these memberships either (as the DC has no clue of the UGs of another Domain). Of course, even a GC has no idea which Domain Local Groups in other domains you are a member of, as the members of DLGs are not replicated to GCs....

The 2k3 version of ADMU is somewhat more consistent, in that it ONLY displays your memberships of groups in the SAME domain that you're connected to. Not so nice if you've got used to seeing the other UGs on your GCs, but maybe more consistent overall.

However, don't forget that the BackLinks to your AD accounts still exist on a GC - you can see them by checking the memberOf attribute of the account using other LDAP tools, such as ADSIedit. Here you will also see the UGs of the "foreign" domains in your forest.

This bug is a feature - if you don't like it, let me know - as I also don't like it... and I have been talking to the MS PM about this for some time already - but I'm sure you can add some weight to it with a mail to A.L. yourself as well ;-). Does anyone else not like this "update"? ;-))
Cheers,
Guido
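Guido's explanation of what each server type can see (a DC holds only its own domain's groups; a GC also carries universal-group membership from every domain, but not other domains' Domain Local Groups; the 2003 ADMU additionally filters to the connected domain) and joe's description of his memberof tool (memberOf plus the primary group, then chasing back through nesting) can be checked against a small model. The following is an added example written for this thread, not joe's tool and not anything from the posts; the forest, the group names and their scopes are constructed from Alan's amr/gar/ger example, with two extra groups added to show nesting. It reproduces why the same user shows a different "Member of" list depending on which server and which domain ADUC is focused on.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Group:
    domain: str
    name: str
    scope: str                              # "global", "domainlocal" or "universal"
    members: set = field(default_factory=set)   # the member attribute, as domain\account strings

    @property
    def sam(self) -> str:
        return f"{self.domain}\\{self.name}"


class Forest:
    """Toy multi-domain forest: groups with scope and membership, plus each user's primary group."""

    def __init__(self) -> None:
        self.groups: dict[str, Group] = {}
        self.primary_group: dict[str, str] = {}

    def add_group(self, domain: str, name: str, scope: str, members=()) -> Group:
        g = Group(domain, name, scope, set(members))
        for m in g.members:                 # global groups only hold accounts from their own domain
            if scope == "global" and m.split("\\")[0] != domain:
                raise ValueError(f"global group {g.sam} cannot contain foreign member {m}")
        self.groups[g.sam] = g
        return g

    def add_user(self, domain: str, name: str, primary_group: str) -> None:
        # primaryGroupID membership is not a memberOf backlink, so it is tracked separately
        self.primary_group[f"{domain}\\{name}"] = primary_group

    def visible(self, group: Group, connected_domain: str, gc: bool) -> bool:
        """Does a server of connected_domain hold this group's membership?

        Own-domain groups: full replica, always. Foreign groups: only a GC, and only universal
        ones (the thread's 'BackLinks'); foreign Domain Local Group membership is not on a GC.
        """
        if group.domain == connected_domain:
            return True
        return gc and group.scope == "universal"

    def member_of(self, account: str, connected_domain: str, gc: bool,
                  same_domain_only: bool = False) -> set[str]:
        """memberOf as seen from a DC/GC of connected_domain; same_domain_only models the 2003 ADMU filter."""
        found = set()
        for g in self.groups.values():
            if account not in g.members or not self.visible(g, connected_domain, gc):
                continue
            if same_domain_only and g.domain != connected_domain:
                continue
            found.add(g.sam)
        return found

    def all_groups(self, account: str, connected_domain: str, gc: bool) -> set[str]:
        """Direct memberOf plus primary group, then chase nesting to closure (cycle-safe via the result set)."""
        result: set[str] = set()
        work = [account]
        primary = self.primary_group.get(account)
        if primary:
            result.add(primary)
            work.append(primary)
        while work:
            current = work.pop()
            for g in self.member_of(current, connected_domain, gc):
                if g not in result:
                    result.add(g)
                    work.append(g)
        return result


def build_sample_forest() -> Forest:
    """Constructed forest based on Alan's example: amr\\jdoe in amr\\group1, gar\\group2, ger\\group3."""
    f = Forest()
    f.add_user("amr", "jdoe", "amr\\Domain Users")
    f.add_group("amr", "Domain Users", "global")                 # reached via primaryGroupID only
    f.add_group("amr", "group1", "global", {"amr\\jdoe"})
    f.add_group("gar", "group2", "universal", {"amr\\jdoe"})
    f.add_group("ger", "group3", "domainlocal", {"amr\\jdoe"})
    f.add_group("amr", "local-apps", "domainlocal", {"amr\\group1"})   # constructed nesting
    f.add_group("gar", "uni-all", "universal", {"gar\\group2"})        # constructed nesting
    return f


if __name__ == "__main__":
    forest = build_sample_forest()
    for label, dom, gc in [("amr DC", "amr", False), ("amr GC", "amr", True), ("ger GC", "ger", True)]:
        print(label, "memberOf:", sorted(forest.member_of("amr\\jdoe", dom, gc)))
        print(label, "nested closure:", sorted(forest.all_groups("amr\\jdoe", dom, gc)))
```

Run it and the three views disagree exactly as joe warns: the amr DC shows group1 only, the amr GC adds group2 but never group3, and a GC in ger shows group2 and group3 but not group1. The nested closure is what a token-based check (tokenGroups) is closer to, which is why it is the safer basis for access decisions than whatever the property sheet happens to display.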
Anyone have a known workaround for the issue below?

I installed MMC Active Directory Users and Computers from Windows Server 2003 (version 5.2.3790.0) on a new desktop. I can no longer view groups I am a member of in groups that reside outside of my local domain like I could with Windows 2000 (version 5.1.3590.0). I've searched MSDN and Microsoft Support, but don't find any hacks to resolve.

For example,
User account is amr\jdoe
amr\jdoe is a member of amr\group1, gar\group2, ger\group3

In MMC AD UC Windows 2000 version 5.1.3590.0, I see the following:

Doe, John Properties
Member of:
Name      Active Directory Folder
Group1    amr.corp.company.com/blah, blah, blah
Group2    gar.corp.company.com/blah, blah, blah
Group3    ger.corp.company.com/blah, blah, blah

In MMC AD UC Windows Server 2003 version 5.2.3790.0, I see the following:

Doe, John Properties
Member of:
Name      Active Directory Folder
Group1    amr.corp.company.com/blah, blah, blah

Where is Group2 and Group3???
Thanks for your help!

Alan A Isham
Active Directory Engineering
Intel Corporation in Folsom, California