View parents of many nested sub groups in Active Directory
Using Exchange 2007 on a Windows 2003 Server, how can we view the parent of a nested sub group that is nested many levels deep? For example, I created a Group named "Baseball". Then, I created a second group called "Teams". I made "Teams" a member of "Baseball" by choosing "Members" -> "Add" ( under the "Baseball" group ). Then, I created another group named "Indians" and made that a member of "Teams". Finally, I made a fourth group named "Players" and made that a member of "Indians". When I look at "Member Of" for "Players", I only see that I am a member of the group "Indians". Is there somewhere where I can see that the highest level parent for "Players" is "Baseball"? I would think I should be able to see something like this:
Baseball -> Teams -> Indians -> Players
We are trying to set up an organization in Active Directory by putting groups within groups. Maybe I am even doing this the wrong way. But, I saw no options of creating a sub group when I had a group highlighted. I could only create a Group when I highlighted the folder "Users". The folder "Users" is one of about 10 folders found under our domain in the tree on the left side in Active Directory and Users.
That worked.
In a command prompt, I typed in:
dsquery * -filter "(member:1.2.840.113556.1.4.1941:=CN=Players,CN=Users,DC=xxx,DC=yyy,DC=zzz)"
Where xxx, yyy, zzz were the letters of my actual domain that I am not posting here for security.
Anyways, I saw the parent ( "Indians" ), grandparent ( "Teams" ), and great-grandparent ( "Baseball" ) to "Players" listed after running that dsquery command listed above.
I must admit, LDAP has a big learning curve behind it.
Other things I had tried that did not help:
- Softerra LDAP browser tool is nice to use to return users. But, I still could not see the parents, grandparents, etc. of this lowest level group.
- I also tried ldifde in the command line:
  ldifde -f exportuser.ldf
  In the exportuser.ldf file that the results were put into, I could see the "Players" group. But, only "Indians" was listed once again as the "memberOf:".
- I also tried ldp.exe, but that was not much help either.
So, this was a nice response to help me out. Thanks!
Solution 1:
With 2003, you'll need the ds tools included with the Admin Pack.
Check the "players" group DN:
dsquery group -name "players"
"CN=Players,CN=Users,DC=example,DC=org"
OK, look up the group using "1.2.840.113556.1.4.1941" LDAP_MATCHING_RULE_IN_CHAIN matching rule. This will return all matches on the member:
dsquery * -filter "(member:1.2.840.113556.1.4.1941:=CN=Players,CN=Users,DC=example,DC=org)"
"CN=Baseball,CN=Users,DC=example,DC=org"
"CN=Teams,CN=Users,DC=example,DC=org"
"CN=Indians,CN=Users,DC=example,DC=org"
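The dsquery result is a flat list and does not show the nesting order. As an added example (not part of the original answer), the Python below builds the same in-chain filter with RFC 4515 escaping of the DN and walks a constructed memberOf map to produce the Baseball -> Teams -> Indians -> Players chain the question asks for. The MEMBER_OF data and all function names are assumptions made for illustration.

```python
# Added example: offline model of nested group resolution (constructed data).
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

# Constructed sample: each group DN mapped to its direct memberOf values,
# i.e. what the "Member Of" tab shows for that group.
BASE = "CN=Users,DC=example,DC=org"
MEMBER_OF = {
    f"CN=Players,{BASE}": [f"CN=Indians,{BASE}"],
    f"CN=Indians,{BASE}": [f"CN=Teams,{BASE}"],
    f"CN=Teams,{BASE}": [f"CN=Baseball,{BASE}"],
    f"CN=Baseball,{BASE}": [],
}

def in_chain_filter(dn):
    """Build the transitive-membership filter, escaping the DN per RFC 4515."""
    escaped = "".join(
        f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in dn
    )
    return f"(member:{IN_CHAIN_OID}:={escaped})"

def ancestors(dn, member_of):
    """Every group that contains dn directly or through nesting."""
    seen, stack = set(), list(member_of.get(dn, []))
    while stack:
        group = stack.pop()
        if group not in seen:          # guards against circular nesting
            seen.add(group)
            stack.extend(member_of.get(group, []))
    return seen

def chains(dn, member_of, path=()):
    """Top-down paths such as Baseball -> Teams -> Indians -> Players."""
    path = (dn,) + path
    parents = [p for p in member_of.get(dn, []) if p not in path]
    if not parents:
        return [path]
    return [c for p in parents for c in chains(p, member_of, path)]

def short(dn):
    return dn.split(",", 1)[0][3:]  # "CN=Players,..." -> "Players" (sample DNs only)

if __name__ == "__main__":
    target = f"CN=Players,{BASE}"
    print(in_chain_filter(target))
    print(sorted(short(g) for g in ancestors(target, MEMBER_OF)))
    for c in chains(target, MEMBER_OF):
        print(" -> ".join(short(g) for g in c))
```

A group nested under more than one parent yields one chain per path, which is useful when auditing which top-level groups a low-level group inherits access from.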