Active Directory groups make managing access and assigning permissions in a domain much more manageable. You can add one AD group to others. These are called nested Active Directory groups. Nested groups are a convenient way to manage access in AD based on business roles.
But when diagnosing permission issues, administrators may find that nested groups are the source of the problem. Problems with nested groups often surface while diagnosing Deny access rules and Group Policy application.
In this article, we will show you how to determine which nested groups a user is a member of. We’ll also show how to get the nested members of a group.
Direct vs. Nested AD Group Membership
In Active Directory, group membership can be managed in two primary ways: direct group membership and nested group membership. Let me explain each of them.
Direct Group Membership
Direct group membership refers to adding individual user accounts directly to a group. With this method, users are explicitly added as members of a group. Users who are directly added to a group gain the permissions and access rights associated with that group.
For example, Daniel Taylor’s “Member Of” user property shows he is a direct member of four groups: CA DevOps, CA Server Admins, CA User Admins, and Domain Users.
This method is simple, but it can become cumbersome to manage if you have complex access control requirements or a large number of users.
Nested Group Membership
Nested group membership involves adding groups as members of other groups. With this method, you can create a hierarchy of groups where groups can be nested within one another. Users are added to the nested groups, and by extension, they inherit the permissions and access rights of the parent groups.
This approach provides a more flexible and scalable way to manage group membership. Permissions granted to a group at a higher level of the hierarchy automatically apply to the members of every group nested beneath it, which simplifies management.
The challenge with nested group membership is that you cannot readily view the hierarchy in the usual tool, the Active Directory Users and Computers snap-in (dsa.msc). You must open each group to find out whether it is a member of another group, and so on.
The example below shows Daniel Taylor is a direct member of four groups, including CA Server Admins. As you open each group, you find it is a member of another group. Daniel Taylor’s account is nested under three Active Directory groups in this case.
Medium to large organizations can have hundreds or thousands of AD groups, which can be nested under multiple layers of other AD groups. Imagine the effort it would take to look them all up this way.
But don’t worry; there are ways to find Active Directory nested group members and memberships, and we will show you how.
Find Active Directory Nested Group Members with DSGET
The dsget command is a command-line tool specific to Windows Server operating systems. It is used to retrieve specific properties of objects within the Active Directory domain.
The syntax for the dsget command is as follows:
dsget <object> <objectDN> [-<attribute>]
Following that syntax, you can query a user or group object and return its members or memberOf attribute.
Find a User’s Nested Group Membership
Let’s run this command to get Daniel Taylor’s direct group memberships. The -memberof switch at the end represents the attribute we want to retrieve.
dsget user "CN=Daniel Taylor,OU=Users,OU=California,OU=USA,DC=theitbros,DC=com" -memberof
The result below shows the user’s direct group memberships only. You can see in this example that the user is a member of four AD groups.
Add the -expand switch to the same command to include the nested AD groups.
dsget user "CN=Daniel Taylor,OU=Users,OU=California,OU=USA,DC=theitbros,DC=com" -expand -memberof
The result will include the nested AD group memberships. This time, the result shows seven AD groups.
Find a Group’s Nested Group Members
This time, let’s use dsget to find the nested group members of a parent group. The command below retrieves the direct members of the USA IT Ops security group.
dsget group "CN=USA IT Ops,OU=USA,DC=theitbros,DC=com" -members
The command returned the group’s direct members because we used the -members switch to retrieve the members attribute.
You must add the -expand switch to include the nested group members.
dsget group "CN=USA IT Ops,OU=USA,DC=theitbros,DC=com" -expand -members
Find Active Directory Nested Group Members with PowerShell
The PowerShell Active Directory module contains cmdlets for managing Active Directory. Some of these cmdlets are useful for getting Active Directory nested group members and memberships.
Find a User’s Nested Group Membership
The Active Directory PowerShell module does not have a single cmdlet to get a user’s direct and nested group memberships. The Get-ADUser cmdlet returns the AD user object and its MemberOf property containing its direct group memberships.
(Get-ADUser dtaylor -Properties memberof).MemberOf
If you also want to list the groups the user belongs to only through nesting, including groups that contain no users directly, you need to use the extensible-match LDAP filter rule LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941). This rule follows the membership links along the entire chain, so it returns every group in the hierarchy that leads to the user (available starting from Windows Server 2003 SP2).
In Active Directory, the LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) is a matching rule used in Lightweight Directory Access Protocol (LDAP) searches. It is designed explicitly for querying recursive membership in Active Directory groups.
When performing a regular LDAP search, the default behavior is to return only objects that directly match the specified criteria. With LDAP_MATCHING_RULE_IN_CHAIN, the server instead walks the chain of membership links, so an object matches whether it is linked to the target directly or through any depth of nesting.
This allows you to find objects that are members of a specific group, directly or indirectly, through nested group membership.
For example, run the below command to find all direct and indirect group memberships of the Daniel Taylor user account. This command uses the Get-ADGroup cmdlet and applies the LDAPFilter parameter.
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=CN=Daniel Taylor,OU=Users,OU=California,OU=USA,DC=theitbros,DC=com)" | Select-Object Name, DistinguishedName
The result now shows all direct and indirect group memberships of the user.
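The same matching rule works in both directions: on the member attribute to find all groups a user is in, and on the memberOf attribute to find everything nested under a group. The script below is an added example, not code from the original article, and goes a little beyond the command above by resolving the distinguished names at run time, escaping them before they are placed in the filter, and tagging each group as a direct or nested membership. It assumes the RSAT ActiveDirectory module is installed; the names dtaylor and USA IT Ops are the article's sample accounts.

```powershell
# Added example, not code from the original article. Assumes the RSAT
# ActiveDirectory module is installed; dtaylor and 'USA IT Ops' are the
# sample names used in the article.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: a DN that contains \ * ( ) or NUL must not be able
    # to change the meaning of the filter it is inserted into.
    param ([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Get-EffectiveGroupMembership {
    # Every group the user belongs to at any depth, tagged Direct or Nested.
    [CmdletBinding()]
    param ([Parameter(Mandatory)][string]$SamAccountName)

    $user     = Get-ADUser -Identity $SamAccountName -Properties memberOf -ErrorAction Stop
    $directDn = @($user.MemberOf)
    $userDn   = ConvertTo-LdapFilterValue $user.DistinguishedName
    # The in-chain matching rule follows the member links transitively.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" | ForEach-Object {
        [pscustomobject]@{
            Name              = $_.Name
            Membership        = if ($directDn -contains $_.DistinguishedName) { 'Direct' } else { 'Nested' }
            DistinguishedName = $_.DistinguishedName
        }
    }
}

function Get-EffectiveGroupMember {
    # Every object (user, computer or group) nested under the group at any depth.
    # A user's primary group (normally Domain Users) is stored in primaryGroupID,
    # not in member/memberOf links, so neither search in this script reports it.
    [CmdletBinding()]
    param ([Parameter(Mandatory)][string]$GroupName)

    $group   = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    $groupDn = ConvertTo-LdapFilterValue $group.DistinguishedName
    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$groupDn)" |
        Select-Object Name, ObjectClass, DistinguishedName
}

# Usage (names from the article):
Get-EffectiveGroupMembership -SamAccountName dtaylor | Format-Table -AutoSize
# Only the groups nested under USA IT Ops, without the user and computer objects:
Get-EffectiveGroupMember -GroupName 'USA IT Ops' | Where-Object ObjectClass -eq 'group'
```

The escaping helper matters when DNs are built from data you did not type yourself: a common name containing parentheses or an asterisk would otherwise break the filter or widen the match. Note that the primary group is not represented by member links, so Domain Users will be missing from the in-chain results even though the user's Member Of tab shows it.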
Find a Group’s Nested Group Members
The Get-ADGroupMember cmdlet lists the members of an Active Directory group. For example, this command lists the USA IT Ops group members.
Get-ADGroupMember -Identity 'USA IT Ops' | Select-Object Name,objectClass,distinguishedName
But the output only shows the direct members.
Add the -Recursive switch to the command to show the nested members.
Get-ADGroupMember -Identity 'USA IT Ops' -Recursive | Select-Object name,objectClass,distinguishedName
You’ll notice that the result contains only leaf objects, that is, objects with no child objects of their own. In this case, the result only showed the user accounts. The nested groups themselves do not appear anywhere in the output.
But it doesn’t mean we cannot display the nested groups. We need to be creative with using PowerShell. In this example, let’s create a PowerShell function called Get-AdGroupNestedMember.
Copy the code below, paste it into your PowerShell window, and press Enter. You may also download this code from this Gist.
Function Get-AdGroupNestedMember {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [Microsoft.ActiveDirectory.Management.ADGroup]
        $Identity,
        [Parameter()]
        [switch]
        $ShowTop,
        # Tracks groups already expanded so circular nesting cannot recurse forever
        [Parameter()]
        [hashtable]
        $Visited = @{}
    )
    try {
        $group = Get-ADGroup -Identity $Identity -ErrorAction Stop
        # Skip a group that has already been expanded in this run
        if ($Visited.ContainsKey($group.DistinguishedName)) { return }
        $Visited[$group.DistinguishedName] = $true
        if ($ShowTop) {
            $group
        }
        $members = Get-ADGroupMember $group -ErrorAction Stop
        # Loop through the members
        foreach ($member in $members) {
            # Check if the member is a group
            if ($member.objectClass -eq "group") {
                # Recursively call the function for nested groups (by DN, since group names are not unique)
                Get-AdGroupNestedMember -Identity $member.DistinguishedName -ShowTop -Visited $Visited
            }
            else {
                # Output users, computers and other leaf objects
                $member
            }
        }
    }
    catch {
        $_.Exception.Message | Out-Default
        return $null
    }
}
Once the Get-AdGroupNestedMember function is added to your session, run the below command to call the function. This example will get all direct and indirect nested USA IT Ops group members.
Get-AdGroupNestedMember -Identity 'USA IT Ops' | Select-Object Name,ObjectClass,DistinguishedName
Now you have a PowerShell wrapper to find Active Directory nested group members.
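Listing nested members answers "who is in this group?", but when diagnosing a permission problem the next question is usually "through which chain of groups did this user get there?". The script below is an added example, not code from the original article, that walks the memberOf links upward from a user and prints the chain of groups that ends at a target group. It assumes the RSAT ActiveDirectory module; dtaylor and USA IT Ops are the article's sample names.

```powershell
# Added example, not code from the original article. Assumes the RSAT
# ActiveDirectory module; dtaylor and 'USA IT Ops' are the article's names.
Import-Module ActiveDirectory

function Get-ADGroupMembershipPath {
    # Walks memberOf links upward from a user and returns the first chain of
    # groups found that ends at the target group, for example
    # dtaylor -> CA Server Admins -> ... -> USA IT Ops.
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TargetGroup
    )
    $user   = Get-ADUser  -Identity $SamAccountName -Properties memberOf -ErrorAction Stop
    $target = Get-ADGroup -Identity $TargetGroup -ErrorAction Stop

    # Depth-first walk. $visited records every group already expanded, so
    # circular nesting (A in B, B in A) cannot loop forever and each group is
    # queried only once. Only the first path to the target is reported.
    function Walk-Up([string[]]$parents, [string[]]$path, [hashtable]$visited) {
        foreach ($dn in @($parents | Where-Object { $_ })) {
            if ($visited.ContainsKey($dn)) { continue }
            $visited[$dn] = $true
            $group = Get-ADGroup -Identity $dn -Properties memberOf -ErrorAction Stop
            $here  = $path + $group.Name
            if ($dn -eq $target.DistinguishedName) {
                [pscustomobject]@{ Hops = $here.Count - 1; Path = ($here -join ' -> ') }
            }
            else {
                Walk-Up -parents @($group.MemberOf) -path $here -visited $visited
            }
        }
    }
    Walk-Up -parents @($user.MemberOf) -path @($user.SamAccountName) -visited @{}
}

# Usage: which chain of nested groups puts dtaylor in USA IT Ops?
Get-ADGroupMembershipPath -SamAccountName dtaylor -TargetGroup 'USA IT Ops'
```

Hops counts the groups between the user and the target, so a direct membership reports 1. If nothing is returned, the user is not in the target group through any memberOf chain; remember that primary group membership is stored separately in primaryGroupID and is not followed by this walk.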
Conclusion
Finding and managing Active Directory nested group members is crucial for administrators seeking to efficiently manage user access and permissions within their organizations. This blog post showed how you can navigate nested group structures and produce a comprehensive list of all the members, including those nested deep within the hierarchy.
We explored different methods for finding nested group members: the dsget command-line tool, PowerShell cmdlets, and LDAP queries. While these methods require some technical expertise, they offer flexibility and customization options.
With the appropriate knowledge and tools at your disposal, finding Active Directory nested group members becomes an achievable and manageable task. By leveraging PowerShell commands and LDAP queries, administrators can gain comprehensive visibility into group memberships, enhance security, and help diagnose permission-related issues in Active Directory.