Wednesday, June 5, 2013

Evaluate group membership - Address Token Limitations

You can use this to evaluate issues with token sizes; it is especially useful in environments that contain complex, deeply nested group structures.

In the example below, my domain is vfroot.prv and my DC name is SDF. Here I evaluated a group, but you can evaluate users the same way.

To do this you will use the Ntdsutil command:
ntdsutil
ntdsutil: group membership evaluation
group membership evaluation: set account dc SDF
group membership evaluation: set global catalog SDF
group membership evaluation: set resource dc SDF
group membership evaluation: run vfroot.prv grouptest

This writes the results to a tab-separated-value (.tsv) file that contains the following columns:

-SID in Token: Security Identifier that is part of the token.
-SID Type: The type of SID that is being added. The SID can be either the Primary SID or a SID from the sIDHistory attribute.
-SID History Count: The number of SIDs in the sIDHistory attribute for the principal represented by this SID. For a row represented by a sIDHistory SID, the value is zero.
-Distinguished Name: The Distinguished Name (DN) of the entry.
-SamAccountName: The samAccountName attribute for the SID.
-DC Queried: The domain controller (DC) that provided this SID for addition to the list of tokens.
-Group Owner: The samAccountName of the owner of the group. If the SID pertains to an object other than a group, this field contains "N/A."
-Group Owner SID: The SID of the group's owner. If the SID pertains to an object other than a group, this field contains "N/A."
-WhenCreated (UTC): The date and time when the group was created. If the SID pertains to an object other than a group, this field contains "N/A."
-WhenChanged (UTC): The last date and time when any attribute of the group was changed.
-Member WhenChanged (UTC): The last date and time when the membership attribute of the group was changed.
-GroupType WhenChanged (UTC): The last date and time when the GroupType attribute of the group was changed.
-One Level MemberOf Count: The number of groups which this entry is directly a member of.
-Total MemberOf Count: The number of groups which this entry is both directly a member of and recursively a member of.
-Group Type: The type of group that this entry represents. Some examples are: User, Domain Local Security Group, and Well Known Computers.
-Depth From User: The number of transitive links between the group in question and the user. If the user Joe was a member of Group1 which is a member of Group2 which is a member of Group3, then the depth from user Joe to Group3 would be 3. If there is more than one path from the user to Group3 then the shortest path is chosen.
-Closest Parent OU: The closest organizational unit that the entry is a member of.

For more information, please see: http://www.microsoft.com/en-us/download/details.aspx?id=13749
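As an added example (not part of the original post, and not Microsoft's code), the following Python script parses a report with the columns listed above and tallies what you usually want when chasing token-size problems: SIDs by type, groups by type, the deepest nesting, and an estimated token size. The header names are assumed to match the column list in the post exactly (adjust COLUMNS if your file differs), the sample rows are constructed for a fictional user jdoe in vfroot.prv, and the size estimate uses the commonly cited formula from Microsoft KB 327825 (1200 + 40d + 8s, where d counts domain local groups, universal groups outside the account domain and sIDHistory SIDs, and s counts global and universal groups in the account domain).

```python
"""Summarize an ntdsutil 'group membership evaluation' .tsv report."""
import csv
import io
from collections import Counter

# Column headers as listed in the post. Assumption: the real report uses
# these exact names; if yours differ, adjust this list.
COLUMNS = [
    "SID in Token", "SID Type", "SID History Count", "Distinguished Name",
    "SamAccountName", "DC Queried", "Group Owner", "Group Owner SID",
    "WhenCreated (UTC)", "WhenChanged (UTC)", "Member WhenChanged (UTC)",
    "GroupType WhenChanged (UTC)", "One Level MemberOf Count",
    "Total MemberOf Count", "Group Type", "Depth From User",
    "Closest Parent OU",
]


def _row(sid, sid_type, dn, sam, group_type, depth, hist=0):
    """Build one report row; fields not relevant here are left as N/A."""
    r = {c: "N/A" for c in COLUMNS}
    r.update({
        "SID in Token": sid, "SID Type": sid_type, "SID History Count": str(hist),
        "Distinguished Name": dn, "SamAccountName": sam, "DC Queried": "SDF",
        "Group Type": group_type, "Depth From User": str(depth),
    })
    return r


def _build_sample():
    """Constructed report for a fictional user jdoe in vfroot.prv (invented SIDs)."""
    home, other = "S-1-5-21-111-222-333", "S-1-5-21-999-888-777"
    rows = [
        _row(f"{home}-1105", "Primary", "CN=jdoe,OU=Staff,DC=vfroot,DC=prv", "jdoe", "User", 0, hist=1),
        _row(f"{other}-1201", "sIDHistory", "CN=jdoe,OU=Staff,DC=vfroot,DC=prv", "jdoe", "User", 0),
        _row(f"{home}-513", "Primary", "CN=Domain Users,CN=Users,DC=vfroot,DC=prv", "Domain Users", "Global Security Group", 1),
        _row(f"{home}-2001", "Primary", "CN=Group1,OU=Groups,DC=vfroot,DC=prv", "Group1", "Global Security Group", 1),
        _row(f"{home}-2002", "Primary", "CN=Group2,OU=Groups,DC=vfroot,DC=prv", "Group2", "Universal Security Group", 2),
        _row(f"{home}-2003", "Primary", "CN=Group3,OU=Groups,DC=vfroot,DC=prv", "Group3", "Domain Local Security Group", 3),
        _row(f"{other}-3001", "Primary", "CN=CrossDom,OU=Groups,DC=other,DC=prv", "CrossDom", "Universal Security Group", 2),
    ]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=COLUMNS, delimiter="\t", lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


SAMPLE_TSV = _build_sample()


def _domain_of(sid):
    """Domain part of a SID, i.e. everything before the trailing RID."""
    return sid.rsplit("-", 1)[0]


def _bucket(row, account_domain):
    """Classify a row for the KB 327825 estimate: 'd', 's' or None (not counted)."""
    gtype = row["Group Type"].lower()
    if row["SID Type"].lower() != "primary":
        return "d"                      # every sIDHistory SID counts toward d
    if "domain local" in gtype:
        return "d"
    if "global" in gtype:
        return "s"
    if "universal" in gtype:
        return "s" if _domain_of(row["SID in Token"]) == account_domain else "d"
    return None                         # the user object itself, well-known SIDs


def summarize(tsv_text):
    """Parse the report text and return the token-size figures as a dict."""
    rows = list(csv.DictReader(io.StringIO(tsv_text), delimiter="\t"))
    user = next(r for r in rows
                if r["Group Type"].lower() == "user" and r["SID Type"].lower() == "primary")
    account_domain = _domain_of(user["SID in Token"])
    d = s = 0
    for r in rows:
        b = _bucket(r, account_domain)
        if b == "d":
            d += 1
        elif b == "s":
            s += 1
    depths = {r["SamAccountName"]: int(r["Depth From User"])
              for r in rows if r["Depth From User"].isdigit()}
    max_depth = max(depths.values())
    return {
        "sid_count": len(rows),
        "by_sid_type": Counter(r["SID Type"] for r in rows),
        "by_group_type": Counter(r["Group Type"] for r in rows),
        "d": d, "s": s,
        "estimated_token_bytes": 1200 + 40 * d + 8 * s,
        "max_depth": max_depth,
        "deepest": sorted(n for n, v in depths.items() if v == max_depth),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TSV).items():
        print(f"{key}: {value}")
```

To use it on a real report, read the .tsv that ntdsutil produced and pass its text to summarize(); the "deepest" entries are the first places to look when flattening nesting, and a high d count (domain local groups and sIDHistory leftovers from migrations) is what drives the estimate up fastest, since each of those costs 40 bytes against 8 for a global group.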
