Hi,
I’ve recently started working in an environment where the AD is a bit of a mess, with too much access given to the wrong accounts all over the place. We have admin accounts that are in groups that are nested across the network where they shouldn’t be. All of our admin accounts have ‘admin’ somewhere in the name, so I want to try and find groups that contain accounts that have ‘admin’ in the name, where they sit in a group alongside other non-admin accounts (so for example if we have an account called ‘admin1’, I want to identify where that is in a group with accounts that don’t have ‘admin’ in the account name).
It’s not seeming particularly simple…does anyone have any ideas please?
Membership in a group is stored as an attribute of the group, not of the user, which can make this kind of query more difficult. Further, because membership lists can obviously be huge, they’re not indexed for searching within the AD database. I suspect you’re going to have to enumerate every group, and then enumerate every member.
Alternately, user objects do have a “memberOf” shortcut property that lets you see which groups the user is a member of. You could query the known admin users, and then enumerate their group membership.
But there isn’t an easy, one-liner way of doing this, no. AD isn’t the kind of relational DB that would make this straightforward.
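One way to script the approach described in this reply (query the admin accounts' memberOf, then read each group's member attribute and flag groups that mix admin and non-admin users). This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module is available and that the `'admin'` substring in SamAccountName is the naming convention from the question.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module
# and that admin accounts are identified by 'admin' in SamAccountName.
Import-Module ActiveDirectory

$pattern = 'admin'   # assumed naming convention from the question

# Step 1: find the admin accounts and collect the groups they are directly in.
# memberOf is the back-link attribute the reply mentions; it lists direct
# membership only (no primary group, no groups reached through nesting).
$adminUsers = Get-ADUser -Filter "SamAccountName -like '*$pattern*'" -Properties MemberOf
$groupDNs   = $adminUsers.MemberOf | Sort-Object -Unique

# Step 2: membership is stored on the group, so read each group's member
# attribute, resolve every member, and split them into admin and non-admin users.
$report = foreach ($dn in $groupDNs) {
    $group   = Get-ADGroup -Identity $dn -Properties member
    $members = foreach ($m in $group.member) {
        # members can be users, computers or nested groups; resolve each DN
        Get-ADObject -Identity $m -Properties SamAccountName, objectClass
    }
    $users    = $members | Where-Object objectClass -eq 'user'
    $admins   = $users   | Where-Object SamAccountName -like "*$pattern*"
    $nonAdmin = $users   | Where-Object SamAccountName -notlike "*$pattern*"
    $nested   = $members | Where-Object objectClass -eq 'group'

    # only report groups where an admin account sits next to non-admin accounts
    if ($admins -and $nonAdmin) {
        [pscustomobject]@{
            Group        = $group.Name
            AdminMembers = ($admins.SamAccountName   -join ', ')
            OtherMembers = ($nonAdmin.SamAccountName -join ', ')
            NestedGroups = ($nested.Name             -join ', ')
        }
    }
}

$report | Sort-Object Group | Format-Table -AutoSize
```

Because memberOf only reflects direct membership, a group that contains an admin account solely through a nested group will not appear; to include those, replace step 1 with `Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=<admin DN>)"` per admin user, which walks the nesting chain on the domain controller.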