Group Accounts question

I have created the following Global Security Groups :

1. Accounting and Finance in the Employees OU.
2. Management, Test and Human Resources in the Marketing OU.

There's a user (Dan Holme) in the Employees OU that's a member of all groups list above, but the TEST group. I have nested Test in the Finance global security group i.e. I have made Test a member of the Finance group.

Should Dan be a member of the Test group as well ?? I was reading MS Press' 290 book and it says he should be. But my AD says he isnt

(I have refreshed the view too)

Find more posts tagged with

Comments

gojericho0

I don't think he would be, but I think if you added him solely to the TEST group he would also be a member of the finance group

Essendon

I don't think he would be, but I think if you added him solely to the TEST group he would also be a member of the finance group

I was thinking the other way around, that he should be a member of the Test group if I added him to the Finance group because Test is a member of Finance.

Anyways, I just tested by adding him to the Test group, but Finance membership didnt automatically show up. Tried it the other way too, doesnt work either...

There's definitely something that I am not understanding....

Essendon

Anyone?

undomiel

While it won't show in his profile that he is a member of the Finance group if you check group policy you'll see that he is treated as a member of the Finance group.

Mishra

"I have made Test a member of the Finance group. "

That means that the Test group is a member of the Finance group. That doesn't mean that the users of the finance group have any affiliation with test.

Now if Dan was a member of the Test group and the Test group was a member of the finance group then Dan would be a member of both Test and Finance.

royal

AD GUI will only really show the groups he's directly a member of.

Try the following:
1. Log on to the user and type: WHOAMI /groups
2. Log on as an Administrator and type: DSQUERY USER -samid loginname | DSGET USER -memberof -expand

I'm not sure if #1 will show nested membership but #2 definitely will due to the -expand.

dynamik

MobilTech wrote:

I was thinking the other way around, that he should be a member of the Test group if I added him to the Finance group because Test is a member of Finance.

So he and the Test group are both members of Finance? He wouldn't be a member of a test. What if Test had access to other resources that he wasn't supposed to have access to? He's not going to automatically be made a member of any other groups that are also members of the same group he is.

MobilTech wrote:

Anyways, I just tested by adding him to the Test group, but Finance membership didnt automatically show up. Tried it the other way too, doesnt work either...

There's definitely something that I am not understanding....

Finance isn't going to appear on the "Member Of" tab since he isn't explicitly a member of Finance. Run this command to see all the groups he actually belongs to (substitute the name of your domain for domainName):

dsget user "CN=Dan Holme,OU=Employees,dc=domainName,dc=com" -memberof -expand

edit: It looks like this has already been resolved. Freakin' coworkers distracting me with "work" and delaying my posts

undomiel

Confirmed, whoami /groups will show nested group memberships. Didn't know that one before, thanks royal.

royal

undomiel wrote:

Confirmed, whoami /groups will show nested group memberships. Didn't know that one before, thanks royal.

Good deal. Glad it worked. It really would be nice if you can allow ADUC to show nested membership.

gojericho0

+1 for Royal

Learn something new everyday

Essendon

You guys are gems, thank you for all the responses. Geez, I seem to learn more when I post/browse this forum than when studying myself or at work...!!