If you aren't averse to command line tools, check out memberof on the free win32 tools page of www.joeware.net.

It will rip through and find all group memberships within a domain and should also get Universal group memberships throughout the domain as well. Output looks something like:

[Mon 04/12/2004 19:52:17.30]
F:\DEV\cpp\MemberOf>memberof -u joe\$jricha34

MemberOf V02.00.00cpp Joe Richards ([EMAIL PROTECTED]) February 2003

Group Memberships:
[Local Security] [Administrators] CN=Administrators,CN=Builtin,DC=joe,DC=com
[Global Security] [Domain Admins] CN=Domain Admins,CN=Users,DC=joe,DC=com
[Global Security] [Domain Users] CN=Domain Users,CN=Users,DC=joe,DC=com
[Universal Security] [Enterprise Admins] CN=Enterprise Admins,CN=Users,DC=joe,DC=com
[Local Security] [Users] CN=Users,CN=Builtin,DC=joe,DC=com

[Mon 04/12/2004 19:57:16.93]
F:\DEV\cpp\MemberOf>

Actually trying to work out a good efficient way to get memberships in all domains with default AD but it is a thorny problem. Best bet is to suck everything into an AD/AM and do queries across that. Alternatively go SQL though you get away from the ease of use and lightness of LDAP.

  joe

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ole Thomsen
Sent: Monday, April 12, 2004 4:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Unable to see users group membership in trusted domain

The operators managing the users are not people that I would ask to use adsiedit.

Yes please, I would like to know more about the tool.

Ole Thomsen

> -----Original Message-----
> From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
> Sent: Saturday, April 10, 2004 3:05 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Unable to see users group membership in
> trusted domain
>
> As mentioned, using the native tool the visibility depends on the
> group types. And it seems like you prefer viewing the
> group-memberships per user.
> From a child domain's GC you'll at least be able to view the UG
> memberships of your parent domain via ADSIEDIT.MSC => look at the
> memberOf attribute.
> On a parent domain's GC you could then also use ADSIEDIT, configure it
> to connect to the child domain's GC partition and view the properties
> of a user of your child domain the way that it's stored on the parent
> domain's GC => in the memberOf attribute of the user you'll see the
> UGs and DLG memberships of the parent domain.
>
> We're building a tool right now (basically done, but internal beta is
> still running), that collects all this information (i.e. the links
> between users and groups etc.) centrally into an SQL or MSDE database.
> The tool then allows you to view all the groups that a user belongs to
> in a forest in a nice UI (i.e. it will not only show you the
> memberships in the domain's own groups, but also all UGs and DLGs from
> other domains in your forest). The main purpose though is not for
> viewing these memberships - it is targeted at helping you
> automatically restore the memberships in case you've lost them due to
> restoring accidentally deleted objects in AD.
>
> Let me know if you want to know more and I'll put you on my list.
>
> /Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ole Thomsen
> Sent: Samstag, 10. April 2004 12:51
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Unable to see users group membership in
> trusted domain
>
> Thanks for saving my sanity, Guido, I have for days been seeking the
> missing userright or setting in ADUC to show the memberships :-)
>
> Is there any easier method to show/set these memberships than
> cruising through all the parent domain groups?
>
> And BTW, copying a user no longer copies the parent domain group
> memberships - argh!
>
> Ole Thomsen
>
> > -----Original Message-----
> > From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
> > Sent: Friday, April 09, 2004 7:49 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Unable to see users group membership in
> > trusted domain
> >
> > Works as designed. Especially if you're using Domain Local Groups
> > (DLG). But in 2003 you cannot even see the UG memberships of other
> > domains in ADUC. This will likely be "fixed" in SP1 as only GCs would
> > have the potential to show UG-memberships from other domains anyways
> > (a filter was added in 2003 so that only groups of own domain show up
> > on the MemberOf tab of an object - in SP1 you're supposed to have a
> > choice).
> >
> > Realize a "non-GC" DC doesn't know of the UG memberships of the other
> > domains and neither a DC nor a GC will show you the DLG memberships of
> > the other domains - as these are not replicated to the GC.
> >
> > And wait until you try to recover accidentally deleted users in your
> > environment and recover them. Then not seeing the memberships will be
> > the least of your worries => they'll actually be missing from the
> > other groups... Read this whitepaper if you want to know more:
> > http://www.aelita.com/library/whitepapers/10_Things_to_Know_about_Active_Directory_Recovery.pdf
> >
> > /Guido
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Ole Thomsen
> > Sent: Mittwoch, 7. April 2004 00:37
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Unable to see users group membership in trusted
> > domain
> >
> > I have two AD domains, of which one is subdomain to the other.
> >
> > In the child domain, most users are members of a number of security
> > groups in the parent domain.
> >
> > All was well until recently, but after raising the domain and forest
> > level to 2003 I can no longer see the child domain users' parent domain
> > membership under the user property "Member of". Furthermore, from this
> > property sheet I cannot add the user to parent domain groups anymore.
> >
> > They are still members, everything works as expected, and I can add
> > the users to groups from within the group property - but that is a
> > hell of a job to cruise through all the groups every time a user is
> > created....
> >
> > Please help :-)
> >
> > Ole Thomsen
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive:
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
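
The visibility rules discussed in this thread, and the "collect everything centrally" approach both joe and Guido describe, as an added example that is not part of the original messages or of either tool. It models only direct memberships and the directory data itself (not the ADUC MemberOf-tab filter); the forest, user and group names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    dn: str
    domain: str          # domain that holds the group object
    scope: str           # "DLG", "GG" or "UG"
    members: frozenset   # DNs of direct members

@dataclass(frozen=True)
class Server:
    domain: str
    is_gc: bool

def stores_member_list(server, group):
    # A DC holds every group of its own domain; a GC additionally holds
    # the member lists of universal groups from the other domains.
    if group.domain == server.domain:
        return True
    return server.is_gc and group.scope == "UG"

def member_of_view(user, server, groups):
    """memberOf as this server can compute it (direct memberships only)."""
    return sorted(g.dn for g in groups
                  if user in g.members and stores_member_list(server, g))

def forest_memberships(user, groups):
    """Central-store view: group data collected from every domain."""
    return sorted(g.dn for g in groups if user in g.members)

def hidden_from(user, server, groups):
    """Memberships that exist in the forest but this server cannot show."""
    seen = set(member_of_view(user, server, groups))
    return [dn for dn in forest_memberships(user, groups) if dn not in seen]

# Constructed sample forest: a parent domain and one child domain.
USER = "CN=jdoe,CN=Users,DC=child,DC=corp,DC=example"
GROUPS = [
    Group("CN=Child Staff,CN=Users,DC=child,DC=corp,DC=example", "child", "GG", frozenset({USER})),
    Group("CN=Parent Files,CN=Users,DC=corp,DC=example", "parent", "DLG", frozenset({USER})),
    Group("CN=Parent Projects,CN=Users,DC=corp,DC=example", "parent", "UG", frozenset({USER})),
]
CHILD_DC = Server("child", is_gc=False)
CHILD_GC = Server("child", is_gc=True)
PARENT_GC = Server("parent", is_gc=True)

if __name__ == "__main__":
    for name, srv in [("child DC", CHILD_DC), ("child GC", CHILD_GC), ("parent GC", PARENT_GC)]:
        print(name, "cannot show:", hidden_from(USER, srv, GROUPS))
```

No single server shows all three memberships, which is why an access review of this user needs the merged view.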
