Story of Nested AD Security Groups and ConfigMgr

It happens all the time: administrators need to answer the question, “What groups does a user belong to?” Normally, you open up the Active Directory Users and Computers (ADUC) console, find the user in question and look on the Member Of tab, right? What happens, though, if your organization has nested AD security groups? At this point, you might be wondering what this has to do with Configuration Manager (ConfigMgr). Well, the answer to that question is what this story is all about.

Nested AD Security Groups - AD

I am using Gartek\Morgan for this example. This is the user account that I use for testing and it normally is a low-rights user account. However, to help explain the problem, I temporarily added Morgan to the Domain Admins security group. When I check Active Directory (AD), I see that Morgan only belongs to two groups (see the above screenshot), “Domain Admins” and “Domain Users.” Or does he? I am going to have to take a look at this more closely.

ConfigMgr and AD Security Groups

Nested AD Security Groups - Discovery Methods

Every ConfigMgr admin knows that there are several discovery methods within the console. For the purposes of this blog post, I am talking about Active Directory Group Discovery, Active Directory System Discovery and Active Directory User Discovery. These three discovery methods (just as their names suggest) find computers, users and group memberships within AD. What this means is that once you turn on these discovery methods, you can find out who belongs to any AD security group using ConfigMgr reporting. Yes, that is right!

You might still, however, be asking, “What does this have to do with nested groups and ConfigMgr?” I will get to that in a minute.

I knew that when I temporarily added Morgan to the Domain Admins security group, he should appear to be a member of numerous groups. Now, can you understand why I needed to dig deeper to find out why ADUC only showed Morgan as a member of two AD security groups? Did something go wrong?

Nested AD Security Groups and ConfigMgr

Nested AD Security Groups - Domain Admins Properties

I can bore you with the step-by-step back story, but now is not the time. Instead, this is what the Enhansoft Team and I found out. If you look at the Domain Admins Properties, you see that this AD security group belongs to 15 additional AD security groups. I’m not going to list them all here!

Why do you care?

The ADUC console only showed Morgan as a member of two AD security groups because it does not factor in nested groups when reporting user memberships. ConfigMgr, on the other hand, sees that the Domain Admins security group is a member of 15 other groups, so it correctly reports that each user belonging to the Domain Admins security group is also a member of those same 15 groups.

I know I’m over-simplifying the process. More likely, ConfigMgr is reviewing the security tokens, but that process would take too long to explain in this blog post. Someone would also need to ask a member of the product team to review the code to fully explain the process. In the end, as someone who writes reports, I only care about the end result and not how we necessarily got there. At least not this time!
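The gap between the Member Of tab and the nested view described above can be checked directly against AD. The following PowerShell is an added example, not Enhansoft's report logic or ConfigMgr's own code; it assumes the ActiveDirectory module (RSAT) and a single-domain search scope, and the function names are hypothetical.

```powershell
# Added example: direct vs. nested (transitive) AD group membership for one user.
# Assumes the ActiveDirectory module (RSAT) and a single-domain search scope.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Escape characters that are special inside an LDAP filter (RFC 4515).
    # The backslash must be handled first so later escapes are not re-escaped.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-EffectiveGroupMembership {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties MemberOf, PrimaryGroupID

    # The primary group (normally Domain Users) is stored as a RID, not in memberOf.
    $primarySid = "$($user.SID.AccountDomainSid.Value)-$($user.PrimaryGroupID)"
    $primary    = Get-ADGroup -Identity $primarySid

    # Direct memberships: what the ADUC "Member Of" tab shows.
    $directDns = @($user.MemberOf) + $primary.DistinguishedName

    # Transitive memberships: LDAP_MATCHING_RULE_IN_CHAIN (OID below) walks the
    # nesting on the domain controller. Seed it with the user and with the
    # primary group, because the rule follows the member attribute and would
    # otherwise miss groups reached only through the primary group.
    $effective = @{}
    $effective[$primary.DistinguishedName] = $primary
    foreach ($seed in $user.DistinguishedName, $primary.DistinguishedName) {
        $filter = "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $seed))"
        Get-ADGroup -LDAPFilter $filter |
            ForEach-Object { $effective[$_.DistinguishedName] = $_ }
    }

    foreach ($group in ($effective.Values | Sort-Object Name)) {
        [pscustomobject]@{
            Group      = $group.Name
            Scope      = $group.GroupScope
            Membership = if ($directDns -contains $group.DistinguishedName) { 'Direct' } else { 'Nested' }
        }
    }
}

# 'Morgan' is the article's test account; substitute any sAMAccountName.
Get-EffectiveGroupMembership -Identity 'Morgan' | Format-Table -AutoSize
```

Rows marked `Nested` are the memberships that the Member Of tab does not list for the user.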

List of Security Groups for an AD User

During the entire month of April 2020, Enhansoft is giving away a report called List of Security Groups for an AD User. We are doing this in order to make it easier for administrators to look up what AD security groups a user belongs to.

In case you were wondering, we don’t just create a report and send it out into the world. First, we make sure that getting specific information from ConfigMgr and into a report is a real problem (in this case it was) and then after the report is created, we test, test, and test. The results must always be accurate. There’s no room for error.

Nested AD Security Groups - List of Security Groups for an AD User - Power BI

Nested AD Security Groups - List of Security Groups for an AD User - SSRS

What does this mean for you? In simple terms, when you leverage the List of Security Groups for an AD User report or one of Enhansoft’s other Local Administrator reports, nested groups are included, so you get the full picture! This is a big advantage to you, as you no longer need to review the membership of each AD security group. Every group, for each user, is listed right there for you. Similarly, when you look at the membership of an AD security group, you not only see the nested security groups, but you see the members of each nested group too! Tell me, would your security team be happy with that?

If you have any questions about nested AD security groups and ConfigMgr, please feel free to contact me @GarthMJ.
