However, what if your security group contains nested groups as well as users, and those nested groups in turn contain further nested groups and users? What does that query look like, and how do you find all the members?

Suppose I have the following example:

TopLevelGroup -- Global Security Group
    TopLevel -- User
    TopLevel2 -- User
    Nested1 -- Global Security Group
        Nested User
        Nested User 2
        InsideNested -- Global Security Group
            InsideNested1

There are several ways to do this. These are not the only methods, but here are three that work.

The first method uses PowerShell. For this example you will need the Quest AD cmdlets; thanks to MVP Dmitry Sotnikov for them. The -indirect switch makes the cmdlet return members reached through nested groups as well as direct members:

Get-QADGroupMember "Group Name" -indirect



The second method uses AdFind, by MVP Joe Richards. The filter below uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), so the domain controller walks the nesting for you; replace DN of Group with the group's distinguished name:

adfind -default -bit -f "memberof:1.2.840.113556.1.4.1941:=DN of Group" samaccountname -nodn



More on that query here
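The same LDAP_MATCHING_RULE_IN_CHAIN query, issued from PowerShell through the System.DirectoryServices classes that ship with Windows, so it needs neither the Quest cmdlets nor adfind. This is an added example, not code from the original post or from AdFind; it assumes the machine is joined to the domain being queried and uses the group name TopLevelGroup from the example above.

```powershell
# Added example (not from the original post). Resolves a group by sAMAccountName,
# then asks the DC for every object whose memberOf chain reaches it, using the
# same matching rule that the adfind query above uses.
function Get-NestedGroupMembers {
    param(
        [Parameter(Mandatory)] [string] $GroupSamAccountName,
        [switch] $IncludeGroups    # by default only user objects are returned
    )

    $defaultNC = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

    # Step 1: the matching rule needs the group's DN, not its name.
    $groupSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $groupSearcher.SearchRoot = [ADSI]"LDAP://$defaultNC"
    $groupSearcher.Filter = "(&(objectCategory=group)(sAMAccountName=$GroupSamAccountName))"
    [void]$groupSearcher.PropertiesToLoad.Add('distinguishedName')
    $group = $groupSearcher.FindOne()
    if (-not $group) { throw "Group '$GroupSamAccountName' not found under $defaultNC" }
    $groupDn = [string]$group.Properties['distinguishedname'][0]

    # Step 2: escape the DN for use inside an LDAP filter (RFC 4515); the
    # backslash must be handled first so the other escapes are not double-escaped.
    $escapedDn = $groupDn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

    # OID 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN. The server walks
    # the nesting, so no client-side recursion is needed and circular nesting is safe.
    $memberFilter = "(memberOf:1.2.840.113556.1.4.1941:=$escapedDn)"
    if (-not $IncludeGroups) {
        # objectCategory=person + objectClass=user = user accounts only
        # (excludes groups, computers and contacts)
        $memberFilter = "(&(objectCategory=person)(objectClass=user)$memberFilter)"
    }

    $memberSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $memberSearcher.SearchRoot = [ADSI]"LDAP://$defaultNC"
    $memberSearcher.Filter = $memberFilter
    $memberSearcher.PageSize = 1000    # paged results, otherwise large groups are truncated at 1000
    foreach ($p in 'sAMAccountName', 'distinguishedName') {
        [void]$memberSearcher.PropertiesToLoad.Add($p)
    }

    foreach ($result in $memberSearcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName    = [string]$result.Properties['samaccountname'][0]
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

# Usage (group name taken from the example tree above):
Get-NestedGroupMembers -GroupSamAccountName 'TopLevelGroup' | Format-Table -AutoSize
```

Two caveats apply to this filter just as they do to the adfind version: membership held only through primaryGroupID (for example Domain Users) is not reflected in memberOf and so is not returned, and the matching rule must be supported by the domain controller answering the query (Windows Server 2003 SP2 and later).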


Now on to method three. Some people (especially on classified networks) cannot install the Quest cmdlets, adfind or any other third-party tool.

In that case the Microsoft DS tools that ship with Windows can be used. For this example I'll use dsquery to find the group and dsget, with -expand, to list its members recursively:

dsquery group -samid "group name" | dsget group -members -expand
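A client-side equivalent of dsget -expand, again using only components that ship with Windows (the [ADSI] type accelerator over System.DirectoryServices). Unlike the matching-rule query, it walks the member attribute itself, so it can report which group each object was reached through and how deep the nesting is, and it keeps a visited set so that circular nesting (A contains B, B contains A, which AD allows) terminates. This is an added example, not the post's own code; the distinguished name in the usage line is an assumed value.

```powershell
# Added example (not from the original post): recursive expansion of a group's
# member attribute, with cycle protection.
function Get-GroupMembersRecursive {
    param(
        [Parameter(Mandatory)] [string] $GroupDistinguishedName,
        # Shared across recursive calls; DNs are case-insensitive.
        [System.Collections.Generic.HashSet[string]] $Visited =
            (New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)),
        [int] $Depth = 0
    )

    # Mark the group before descending so A -> B -> A nesting stops here.
    if (-not $Visited.Add($GroupDistinguishedName)) { return }

    $group = [ADSI]"LDAP://$GroupDistinguishedName"

    foreach ($memberDn in $group.member) {
        if (-not $memberDn) { continue }        # empty group: nothing to do
        $member = [ADSI]"LDAP://$memberDn"
        # objectClass is ordered from top to most specific, e.g. top/person/organizationalPerson/user
        $class = [string](@($member.objectClass)[-1])

        [pscustomobject]@{
            Depth             = $Depth
            Class             = $class
            SamAccountName    = [string]$member.sAMAccountName
            DistinguishedName = [string]$memberDn
            ViaGroup          = $GroupDistinguishedName
        }

        if ($class -eq 'group') {
            Get-GroupMembersRecursive -GroupDistinguishedName $memberDn -Visited $Visited -Depth ($Depth + 1)
        }
    }
}

# Usage (assumed DN; substitute the real one, e.g. from dsquery group -samid "TopLevelGroup"):
Get-GroupMembersRecursive -GroupDistinguishedName 'CN=TopLevelGroup,OU=Groups,DC=example,DC=com' |
    Sort-Object Depth, SamAccountName | Format-Table -AutoSize
```

Because this reads member directly, it sees only what is stored on the group: as with dsget, primaryGroupID membership is not included, and a group with more than 1500 members returns member in ranges, of which this simple version reads only the first.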
