SuperGumby
Thu Jul 31 17:18:11 CDT 2003
hmmm, not the first useful thing I've seen from Joe.
tks for the pointer.
"Garry Martin" <garrymartin@hotmail.com> wrote in message
news:OOuewG4VDHA.1600@TK2MSFTNGP09.phx.gbl...
>
> http://www.joeware.net/win32/index.html
> <snip>
>
> MemberOf - How do you handle enumerating the groups a user has in Active
> Directory? Especially when there could be n levels of nesting going on with
> possible recursive nesting. I was wondering that myself... I checked out
> Microsoft's Resource Kit Tool ifmember and it doesn't enumerate nested
> groups unless the nesting is the old NT way of nesting Global groups into
> Local Groups. Well I sat down this morning and worked out a solution.
> MemberOf is the solution, if you just run it it will give you the groups
> that the current process security context user has. You can specify a
> different user if you would like. If you use the -h switch you can see usage
> help. Here is a little sample run:
>
>
>
> G:\Dev\cpp\MemberOf>memberof -u joehome\test2
>
> MemberOf V02.00.00cpp Joe Richards (joe@joeware.net) February 2003
>
> Group Memberships:
> [Global Security] [Domain Users] CN=Domain Users,CN=Users,DC=joehome,DC=com
> [Global Security] [GGroup1] CN=GGroup1,OU=Test,DC=joehome,DC=com
> [Global Security] [GGroup2] CN=GGroup2,OU=Test,DC=joehome,DC=com
> [Local Security] [TestGroup2] CN=TestGroup2,OU=Test,DC=joehome,DC=com
> [Local Security] [Users] CN=Users,CN=Builtin,DC=joehome,DC=com
> [Local Security] [testgroup1] CN=testgroup1,OU=Test,DC=joehome,DC=com
> [Local Security] [testgroup3] CN=testgroup3,OU=Test,DC=joehome,DC=com
>
> This program could be used in a logon script to check if a user is in a
> specific group in the following way:
>
> @echo off
> memberof -q | find /i "[domain admins]" >nul
> if %ERRORLEVEL%*==0* echo "User is member of domain admins"
> if %ERRORLEVEL%*==1* echo "User is not a member of domain admins"
>
> This program works by enumerating the MemberOf attribute of a userid hence
> the name, this means that the program would only display group memberships
> which would be in this attribute and that includes Global/Local Groups of
> the user's domain and Universal Groups of the user's Forest. For some
> reason, MS doesn't include the user's Primary group in the MemberOf
> attribute so the program by default will go figure out that group on the
> side. If you want to disable this feature you can specify -np on the command
> line.
>
> Update: Version 2.00.00 - Complete rewrite. I was alerted to some bugs with
> Universal groups which made me look at the whole thing again. Will only
> currently enumerate groups that are in the direct nesting pathing. I intend
> to make it find all group memberships across a forest eventually.
> [Version: 2.00.00, Date: 02/25/2003]
>
> </snip>
>
> --
> Garry Martin
>
>
> "SuperGumby" <not@your.nellie> wrote in message
> news:uxIjS5wVDHA.2340@TK2MSFTNGP10.phx.gbl...
> > ARRRRRRGGGHHH, now that I've fixed the problem I can admit my mistake. (and
> > add something to my wishlist)
> >
> > it was my home system, BTW.
> >
> > I had made the user a member of a group which was a member of
> > 'Administrators'. Now my wishlist includes a view of the AD and linked
> > dependencies.
> >
> > tks ur thts Kev & Mark
> >
> > "SuperGumby" <not@your.nellie> wrote in message
> > news:eShYmSwVDHA.3404@tk2msftngp13.phx.gbl...
> > > Which policy disallows ordinary users from logging on to a TS on SBS with TS
> > > in admin mode? pls.
> > >
> > > I've checked local, domain & domain controller security policies and cannot
> > > see why an ordinary user IS able to logon to one SBS but is not (as
> > > expected) able to logon to another.
> > >
> > > TIA
> > >
> > >
> >
> >
>
>
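
Added example, not part of the original posts and not Joe Richards' code: a sketch of the nested memberOf walk the quoted description talks about, run over a small constructed directory. It follows nesting to any depth, survives recursive nesting, adds the primary group separately (include_primary=False mirrors the -np switch), and reports the chain that leads to a group such as Administrators. The HelpDesk and Site Operators groups and the dictionary layout are assumptions made for illustration.

```python
from collections import deque

# Constructed sample directory (not from the original posts). Each entry models
# an object's memberOf attribute; "primary" stands in for the primary group,
# which the quoted text notes is not listed in memberOf.
DIRECTORY = {
    "test2": {"memberOf": ["GGroup1", "HelpDesk"], "primary": "Domain Users"},
    "GGroup1": {"memberOf": ["GGroup2"]},
    "GGroup2": {"memberOf": ["GGroup1", "testgroup1"]},  # recursive nesting
    "HelpDesk": {"memberOf": ["Site Operators"]},        # hypothetical group
    "Site Operators": {"memberOf": ["Administrators"]},  # hypothetical group
    "Domain Users": {"memberOf": ["Users"]},
    "testgroup1": {"memberOf": []},
    "Administrators": {"memberOf": []},
    "Users": {"memberOf": []},
}

def effective_groups(directory, principal, include_primary=True):
    """Return {group: nesting path from principal} for every group reached
    through memberOf, walking breadth-first and expanding each group once
    so that recursive nesting terminates."""
    start = directory[principal]
    first = list(start.get("memberOf", []))
    if include_primary and start.get("primary"):
        first.append(start["primary"])
    paths = {}
    queue = deque((g, [principal, g]) for g in first)
    while queue:
        group, path = queue.popleft()
        if group in paths:  # already expanded: a cycle or a second route
            continue
        paths[group] = path
        for parent in directory.get(group, {}).get("memberOf", []):
            queue.append((parent, path + [parent]))
    return paths

def why_member(directory, principal, group):
    """Explain an unexpected membership: shortest nesting chain, or None."""
    path = effective_groups(directory, principal).get(group)
    return " -> ".join(path) if path else None

if __name__ == "__main__":
    for name, path in sorted(effective_groups(DIRECTORY, "test2").items()):
        print(f"[{name}] via {' -> '.join(path)}")
```
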