Attestation - Nesting of AD Groups

Hi,
I tried to define an attestation showing all AD accounts which have \builtin\groups\Administrators rights. The difficulty is that accounts are not assigned directly to this group; instead, multiple levels of nesting are used.
Any recommendations on how to solve this?

Thanks!

  • Hi Wolfgang,

    The following SQL demonstrates how to use the ADSGroupCollection to fetch all account memberships in the builtin Administrators group of a domain.

    HTH

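    -- Account memberships in every group that ADSGroupCollection lists
    -- as a child of the builtin Administrators group
    SELECT * FROM dbo.ADSAccountInADSGroup aia
    WHERE aia.UID_ADSGroup IN
    (
        SELECT agc.UID_ADSGroupChild FROM ADSGroupCollection agc
        JOIN ADSGroup ag ON agc.UID_ADSGroupParent = ag.UID_ADSGroup
        -- adjust the DN to the domain being attested
        WHERE ag.DistinguishedName = 'CN=Administrators,CN=Builtin,DC=IAM,DC=local'
    )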

    Markus
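
The query from the answer above, run against a small constructed dataset in SQLite to show what it returns compared with a direct-membership lookup. This is an added example, not code from the thread or from the product: the tables are cut down to the columns the query uses, the `UID_ADSAccount` column, the `nesting` edge table and all sample UIDs are constructed, and it assumes ADSGroupCollection holds the transitive closure of group nesting including a self row per group.

```python
import sqlite3

ADMIN_DN = "CN=Administrators,CN=Builtin,DC=IAM,DC=local"  # DN from the post

# The query from the answer, parameterised on the group DN.
NESTED_SQL = """
SELECT aia.UID_ADSAccount FROM ADSAccountInADSGroup aia
WHERE aia.UID_ADSGroup IN (
    SELECT agc.UID_ADSGroupChild FROM ADSGroupCollection agc
    JOIN ADSGroup ag ON agc.UID_ADSGroupParent = ag.UID_ADSGroup
    WHERE ag.DistinguishedName = ?)"""

# Direct membership only, for comparison.
DIRECT_SQL = """
SELECT aia.UID_ADSAccount FROM ADSAccountInADSGroup aia
JOIN ADSGroup ag ON aia.UID_ADSGroup = ag.UID_ADSGroup
WHERE ag.DistinguishedName = ?"""

def build_db():
    """Constructed sample data in a simplified stand-in schema (assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE ADSGroup(UID_ADSGroup TEXT, DistinguishedName TEXT);
    CREATE TABLE ADSAccountInADSGroup(UID_ADSAccount TEXT, UID_ADSGroup TEXT);
    CREATE TABLE nesting(parent TEXT, child TEXT);  -- hypothetical direct edges
    CREATE TABLE ADSGroupCollection(UID_ADSGroupParent TEXT, UID_ADSGroupChild TEXT);
    INSERT INTO ADSGroup VALUES
      ('g-admins', 'CN=Administrators,CN=Builtin,DC=IAM,DC=local'),
      ('g-da',     'CN=Domain Admins,CN=Users,DC=IAM,DC=local'),
      ('g-ops',    'CN=Server Ops,OU=Groups,DC=IAM,DC=local'),
      ('g-hr',     'CN=HR,OU=Groups,DC=IAM,DC=local');
    -- Administrators <- Domain Admins <- Server Ops, plus a circular edge back
    INSERT INTO nesting VALUES ('g-admins','g-da'), ('g-da','g-ops'), ('g-ops','g-da');
    INSERT INTO ADSAccountInADSGroup VALUES
      ('a-break-glass','g-admins'), ('a-alice','g-da'), ('a-bob','g-ops'), ('a-carol','g-hr');
    -- Closure with a self row per group (UNION drops repeats, so cycles terminate)
    WITH RECURSIVE c(p, ch) AS (
      SELECT UID_ADSGroup, UID_ADSGroup FROM ADSGroup
      UNION
      SELECT c.p, n.child FROM c JOIN nesting n ON n.parent = c.ch)
    INSERT INTO ADSGroupCollection SELECT p, ch FROM c;
    """)
    return db

def members(db, sql, dn=ADMIN_DN):
    """Return the sorted, de-duplicated account UIDs a query yields for a group DN."""
    return sorted({row[0] for row in db.execute(sql, (dn,))})
```

With this data, `members(build_db(), DIRECT_SQL)` yields only the directly assigned account, while `NESTED_SQL` also returns the accounts reached through the two nested groups.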