Group Accounts question

EssendonEssendon Member Posts: 4,546 ■■■■■■■■■■
in Server 70-290
I have created the following Global Security Groups :

1. Accounting and Finance in the Employees OU.
2. Management, Test and Human Resources in the Marketing OU.

There's a user (Dan Holme) in the Employees OU that's a member of all groups list above, but the TEST group. I have nested Test in the Finance global security group i.e. I have made Test a member of the Finance group.

Should Dan be a member of the Test group as well ?? I was reading MS Press' 290 book and it says he should be. But my AD says he isnt icon_confused.gif (I have refreshed the view too)
NSX, NSX, more NSX..

Blog >> http://virtual10.com
· Share on FacebookShare on Twitter

Comments

  • gojericho0gojericho0 Member Posts: 1,059 ■■■□□□□□□□
    I don't think he would be, but I think if you added him solely to the TEST group he would also be a member of the finance group
    · Share on FacebookShare on Twitter
  • EssendonEssendon Member Posts: 4,546 ■■■■■■■■■■
    I don't think he would be, but I think if you added him solely to the TEST group he would also be a member of the finance group

    I was thinking the other way around, that he should be a member of the Test group if I added him to the Finance group because Test is a member of Finance.

    Anyways, I just tested by adding him to the Test group, but Finance membership didnt automatically show up. Tried it the other way too, doesnt work either...

    There's definitely something that I am not understanding.... icon_sad.gif
    NSX, NSX, more NSX..

    Blog >> http://virtual10.com
    · Share on FacebookShare on Twitter
  • EssendonEssendon Member Posts: 4,546 ■■■■■■■■■■
    Anyone?
    NSX, NSX, more NSX..

    Blog >> http://virtual10.com
    · Share on FacebookShare on Twitter
  • undomielundomiel Member Posts: 2,818
    While it won't show in his profile that he is a member of the Finance group if you check group policy you'll see that he is treated as a member of the Finance group.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
    · Share on FacebookShare on Twitter
  • MishraMishra Member Posts: 2,468 ■■■■□□□□□□
    "I have made Test a member of the Finance group. "

    That means that the Test group is a member of the Finance group. That doesn't mean that the users of the finance group have any affiliation with test.

    Now if Dan was a member of the Test group and the Test group was a member of the finance group then Dan would be a member of both Test and Finance.
    My blog http://www.calegp.com

    You may learn something!
    · Share on FacebookShare on Twitter
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    AD GUI will only really show the groups he's directly a member of.

    Try the following:
    1. Log on to the user and type: WHOAMI /groups
    2. Log on as an Administrator and type: DSQUERY USER -samid loginname | DSGET USER -memberof -expand

    I'm not sure if #1 will show nested membership but #2 definitely will due to the -expand.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
    · Share on FacebookShare on Twitter
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    MobilTech wrote:
    I was thinking the other way around, that he should be a member of the Test group if I added him to the Finance group because Test is a member of Finance.

    So he and the Test group are both members of Finance? He wouldn't be a member of a test. What if Test had access to other resources that he wasn't supposed to have access to? He's not going to automatically be made a member of any other groups that are also members of the same group he is.
    MobilTech wrote:
    Anyways, I just tested by adding him to the Test group, but Finance membership didnt automatically show up. Tried it the other way too, doesnt work either...

    There's definitely something that I am not understanding.... icon_sad.gif

    Finance isn't going to appear on the "Member Of" tab since he isn't explicitly a member of Finance. Run this command to see all the groups he actually belongs to (substitute the name of your domain for domainName):

    dsget user "CN=Dan Holme,OU=Employees,dc=domainName,dc=com" -memberof -expand

    edit: It looks like this has already been resolved. Freakin' coworkers distracting me with "work" and delaying my posts icon_lol.gif
    · Share on FacebookShare on Twitter
  • undomielundomiel Member Posts: 2,818
    Confirmed, whoami /groups will show nested group memberships. Didn't know that one before, thanks royal.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
    · Share on FacebookShare on Twitter
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    undomiel wrote:
    Confirmed, whoami /groups will show nested group memberships. Didn't know that one before, thanks royal.

    Good deal. Glad it worked. It really would be nice if you can allow ADUC to show nested membership.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
    · Share on FacebookShare on Twitter
  • gojericho0gojericho0 Member Posts: 1,059 ■■■□□□□□□□
    +1 for Royal

    Learn something new everyday :)
    · Share on FacebookShare on Twitter
  • EssendonEssendon Member Posts: 4,546 ■■■■■■■■■■
    You guys are gems, thank you for all the responses. Geez, I seem to learn more when I post/browse this forum than when studying myself or at work...!!
    NSX, NSX, more NSX..

    Blog >> http://virtual10.com
    · Share on FacebookShare on Twitter
Sign In or Register to comment.