RE: [ActiveDir] Groups membership question

[Aaron Steele]

Joe, you are a god  among men. Thank you a ton for explaining this to me in such a clear and concise way.   /aaron   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, October 11, 2006 6:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Groups membership question   The users from Domain B in the Domain A groups will be represented as FSPs (remember you are outside of your forest). So there will be no direct linkage capability to do this in any single query.    In order to find the memberships of a Domain B user (userDomB) in Domain A, you will need to find the FSP for userDomB in Domain A and then look at the memberships of that FSP. This you can either do by looking at the memberof attribute of the FSP or doing a query against Domain B.    So you could do something like   adfind -b DN_FOR_DOM_A  -f name=userDomB_SID memberof     You always hear that SIDs go into groups and that is what is stored, yes, except for AD groups, those store DNs, that is why you can add OU's or Contacts or printers or any kind of object you want to an AD group but can't do the same on a machine that uses a registry based SAM DB and why you have to use FSPs for references to objects outside of the local forest.     joe   -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Steele Sent: Wednesday, October 11, 2006 4:19 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Groups membership question I have one for you guys. I have been puzzling over for a while. Seems simple, but I haven’t found a good solution.   Domain A one way trusts Domain B   Group in Domain A, contains members from Domain B.   Enumerate groups in Domain A, include membership for all members in Domain B. Or for the real answer.  Find user in Domain B, and tell me all group memberships from Domain A and Domain B.   Any ideas? I’ve tried adfind queries, I’ve visited the windows scripting center and am at a loss.   Thanks for your help.   /aaron   Aaron Steele Mobile: 773.580.8099 [EMAIL PROTECTED] Main: 312.334.1900    Fax: 312.224.4789 _____________________ pointbridge.com -   Microsoft’s 2005 Advanced Infrastructure Partner of the Year -   Microsoft’s 2005 Exchange Solution of the Year Winner