Wednesday, May 12, 2010

How to Evaluate Nested Group Memberships

If you have ever been tasked with determining who has access to a network share, a SharePoint portal, or a file on some computer in your network, chances are you have come across Active Directory domain security groups in the access control lists of these resources.

In some cases these security groups contain only end users, which makes the job easy. In most cases, however, a group turns out to contain other security groups as members: security groups within security groups, commonly referred to as nested security groups.

If we are lucky, the nested groups themselves contain only end users, but often they in turn contain further security groups, resulting in what is known as multi-level nesting. Single-level nesting is already cumbersome to deal with; multi-level nesting is far more so, because the effective membership of the top-level group is the union of the members of every group reachable through the chain of nestings, however deep it goes.

In fact, not only is it cumbersome, it can be a boring, long, and error-prone process. In this post we will look at some ways to identify nested security groups and determine their cumulative membership efficiently, without having to put in a lot of time.
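To make the problem concrete before looking at tools, here is an added example (not code from the original post) that walks a nested group structure and reports the cumulative membership, the chain of nestings through which each end user is reached, and any nesting that loops back on itself. The directory is a constructed in-memory map of group to direct members; on a live domain the lookup would read each group's `member` attribute instead, and the `visited` set is what keeps the walk from running forever on circular nesting, which Active Directory permits.

```python
"""Expand nested security groups into their cumulative membership.

Added example: the directory below is constructed sample data, not a real
domain. Any name that appears as a key is a group; any other name is an
end user. Replace `directory.get(...)` with a lookup of the group's LDAP
`member` attribute to run this against Active Directory.
"""
from collections import deque

# Constructed sample directory. Finance_Managers nests Finance_Staff and
# Finance_Staff nests Finance_Managers on purpose: a circular nesting,
# which AD allows and which a naive recursive walk would never finish.
SAMPLE_DIRECTORY = {
    "FileShare_RW": ["Finance_Staff", "carol"],
    "Finance_Staff": ["alice", "Finance_Managers"],
    "Finance_Managers": ["bob", "Finance_Staff"],
    "HR_Staff": ["dave"],
}


def is_group(name, directory):
    """A name is a group if the directory lists members for it."""
    return name in directory


def expand_group(group, directory):
    """Breadth-first walk from `group` through every nested group.

    Returns (users, nested_groups, cycles):
      users         : {user: [group, ..., user]} the shortest nesting chain
                      that grants the user membership
      nested_groups : {group: depth} every group reached transitively
      cycles        : [(group, member_group)] nestings that point back to
                      a group already on the current chain
    """
    users = {}
    nested_groups = {}
    cycles = []
    visited = {group}                      # guarantees termination
    queue = deque([(group, [group])])
    while queue:
        current, chain = queue.popleft()
        for member in directory.get(current, []):
            if is_group(member, directory):
                if member in chain:        # back-edge to an ancestor
                    cycles.append((current, member))
                    continue
                if member in visited:      # diamond: reached another way
                    continue
                visited.add(member)
                nested_groups[member] = len(chain)
                queue.append((member, chain + [member]))
            else:
                # First (shortest) chain wins; later, longer chains ignored.
                users.setdefault(member, chain + [member])
    return users, nested_groups, cycles


def groups_for_user(user, directory):
    """The reverse question: every group that transitively contains `user`."""
    parents = {}
    for group, members in directory.items():
        for member in members:
            parents.setdefault(member, []).append(group)
    found = set()
    queue = deque([user])
    while queue:
        name = queue.popleft()
        for parent in parents.get(name, []):
            if parent not in found:
                found.add(parent)
                queue.append(parent)
    return found


if __name__ == "__main__":
    users, nested, cycles = expand_group("FileShare_RW", SAMPLE_DIRECTORY)
    print("Effective members of FileShare_RW:")
    for user, chain in sorted(users.items()):
        print("  %-6s via %s" % (user, " -> ".join(chain)))
    print("Nested groups (depth):", nested)
    print("Circular nestings:", cycles)
    print("alice is transitively in:", sorted(groups_for_user("alice", SAMPLE_DIRECTORY)))
```

Two things the output makes visible that a flat member list does not: the chain tells you which nesting to cut if a user should not have the access, and the cycle report shows that every group in a circular nesting effectively shares one membership, so alice ends up in Finance_Managers without anyone ever adding her there.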