Thanks Joe, this is very useful to us, while waiting for ADUC in SP1 to show the info :-)
Ole Thomsen

> -----Original Message-----
> From: joe [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 13, 2004 1:59 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Unable to see users group membership in trusted domain
>
> If you aren't averse to command line tools, check out memberof on the free
> win32 tools page of www.joeware.net.
>
> It will rip through and find all group memberships within a domain and
> should also get Universal group memberships throughout the domain as well.
>
> Output looks something like:
>
> [Mon 04/12/2004 19:52:17.30]
> F:\DEV\cpp\MemberOf>memberof -u joe\$jricha34
>
> MemberOf V02.00.00cpp Joe Richards ([EMAIL PROTECTED]) February 2003
>
> Group Memberships:
> [Local Security] [Administrators] CN=Administrators,CN=Builtin,DC=joe,DC=com
> [Global Security] [Domain Admins] CN=Domain Admins,CN=Users,DC=joe,DC=com
> [Global Security] [Domain Users] CN=Domain Users,CN=Users,DC=joe,DC=com
> [Universal Security] [Enterprise Admins] CN=Enterprise Admins,CN=Users,DC=joe,DC=com
> [Local Security] [Users] CN=Users,CN=Builtin,DC=joe,DC=com
>
> [Mon 04/12/2004 19:57:16.93]
> F:\DEV\cpp\MemberOf>
>
> Actually trying to work out a good efficient way to get memberships in all
> domains with default AD but it is a thorny problem. Best bet is to suck
> everything into an AD/AM and do queries across that. Alternatively go SQL
> though you get away from the ease of use and lightness of LDAP.
>
> joe
>
> -------------
> http://www.joeware.net (download joeware)
> http://www.cafeshops.com/joewarenet (wear joeware)
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ole Thomsen
> Sent: Monday, April 12, 2004 4:13 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Unable to see users group membership in trusted domain
>
> The operators managing the users are not people that I would ask to use
> adsiedit.
>
> Yes please, I would like to know more about the tool.
>
> Ole Thomsen
>
> > -----Original Message-----
> > From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, April 10, 2004 3:05 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Unable to see users group membership in trusted domain
> >
> > as mentioned, using the native tool the visibility depends on the
> > group types. and it seems like you prefer viewing the
> > group-memberships per user. from a child domain's GC you'll at least
> > be able to view the UG memberships of your parent domain via
> > ADSIEDIT.MSC => look at the memberOf attribute.
> > On a parent domain's GC you could then also use ADSIEDIT, configure it
> > to connect to the child domain's GC partition and view the properties
> > of user of your child domain the way that it's stored on the parent
> > domain's GC => in the memberOf attribute of the user you'll see the
> > UGs and DLG memberships of the parent domain.
> >
> > We're building a tool right now (basically done, but internal beta is
> > still running), that collects all this information (i.e. the links
> > between users and groups etc.) centrally into an SQL or MSDE database.
> > The tool then allows you to view all the groups that a user belongs to
> > in a forest in a nice UI (i.e. it will not only show you the
> > memberships in the domain's own groups, but also all UGs and DLGs from
> > other domains in your forest). The main purpose though is not for
> > viewing these memberships - it is targeted at helping you
> > automatically restore the memberships in case you've lost them due to
> > restoring accidentally deleted objects in AD.
> >
> > Let me know if you want to know more and I'll put you on my list.
> >
> > /Guido
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Ole Thomsen
> > Sent: Saturday, 10 April 2004 12:51
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Unable to see users group membership in trusted domain
> >
> > Thanks for saving my sanity, Guido, I have for days been seeking the
> > missing userright or setting in ADUC to show the memberships :-)
> >
> > Is there any easier method to show/set these memberships than
> > cruising through all the parent domain groups?
> >
> > And BTW, copying a user no longer copies the parent domain group
> > memberships - argh!
> >
> > Ole Thomsen
> >
> > > -----Original Message-----
> > > From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
> > > Sent: Friday, April 09, 2004 7:49 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Unable to see users group membership in trusted domain
> > >
> > > works as designed. Especially if you're using Domain Local Groups
> > > (DLG). But in 2003 you cannot even see the UG memberships of other
> > > domains in ADUC. This will likely be "fixed" in SP1 as only GCs would
> > > have the potential to show UG-memberships from other domains anyways
> > > (a filter was added in 2003 so that only groups of own domain show up on
> > > the MemberOf tab of an object - in SP1 you're supposed to have a
> > > choice).
> > >
> > > Realize a "non-GC" DC doesn't know of the UG memberships of the other
> > > domains and neither a DC nor a GC will show you the DLG memberships of
> > > the other domains - as these are not replicated to the GC.
> > >
> > > And wait until you try to recover accidentally deleted users in your
> > > environment and recover them. Then not seeing the memberships will be
> > > the least of your worries => they'll actually be missing from the
> > > other groups... Read this whitepaper if you want to know more:
> > > http://www.aelita.com/library/whitepapers/10_Things_to_Know_about_Active_Directory_Recovery.pdf
> > >
> > > /Guido
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Ole Thomsen
> > > Sent: Wednesday, 7 April 2004 00:37
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] Unable to see users group membership in trusted domain
> > >
> > > I have two AD domains, of which one is subdomain to the other.
> > >
> > > In the child domain, most users are members of a number of security
> > > groups in the parent domain.
> > >
> > > All was well until recently, but after raising the domain and forest
> > > level to 2003 I can no longer see the child domain users parent domain
> > > membership under the user property "Member of". Furthermore, from this
> > > property sheet I cannot add the user to parent domain groups anymore.
> > >
> > > They are still members, everything works as expected, and I can add
> > > the users to groups from within the group property - but that is a
> > > hell of a job to cruise through all the groups every time a user is
> > > created....
> > >
> > > Please help :-)
> > >
> > > Ole Thomsen

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
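
Added example, not part of the original thread and not the code of memberof or of the tool Guido describes: a sketch of the central-collection idea both replies mention, inverting per-domain group member lists into one forest-wide index and listing which memberships a single DC or GC view would not show. The domain names, DNs and export layout are constructed, and the visibility rules encode what the thread states.

```python
from collections import defaultdict

# Constructed sample data: one record per group, as exported from a DC of the
# domain that owns the group. All names and DNs are made up for illustration.
OLE = "CN=ole,CN=Users,DC=child,DC=corp,DC=example"
GROUPS = [
    {"dn": "CN=Staff,CN=Users,DC=child,DC=corp,DC=example",
     "scope": "Global", "members": [OLE]},
    {"dn": "CN=FileShare-RW,CN=Users,DC=corp,DC=example",
     "scope": "DomainLocal", "members": [OLE]},
    {"dn": "CN=AllOperators,CN=Users,DC=corp,DC=example",
     "scope": "Universal", "members": [OLE]},
]

def domain_of(dn):
    """Domain naming context of a DN (assumes no escaped commas in RDNs)."""
    return ",".join(p for p in dn.split(",") if p.upper().startswith("DC="))

def forest_index(groups):
    """Invert the member lists: user DN -> [(scope, group DN), ...]."""
    index = defaultdict(list)
    for group in groups:
        for member in group["members"]:
            index[member].append((group["scope"], group["dn"]))
    return index

def visible_memberof(user_dn, groups, is_gc):
    """Groups in the user's memberOf on a server of the user's own domain.

    Encodes the thread's rules for the directory data (not the ADUC filter):
    own-domain groups always; other domains' universal groups only on a GC;
    other domains' domain local groups never.
    """
    home = domain_of(user_dn)
    return [dn for scope, dn in forest_index(groups).get(user_dn, [])
            if domain_of(dn) == home or (is_gc and scope == "Universal")]

def hidden_memberships(user_dn, groups, is_gc):
    """Memberships the central index knows about but that view cannot show."""
    everything = {dn for _, dn in forest_index(groups).get(user_dn, [])}
    return sorted(everything - set(visible_memberof(user_dn, groups, is_gc)))

if __name__ == "__main__":
    for is_gc in (False, True):
        print("GC" if is_gc else "DC", hidden_memberships(OLE, GROUPS, is_gc))
```

For an access review, the output of `hidden_memberships` is the set of rights-granting groups that a per-user check against one server would miss.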
