Active Directory Group membership report – listing across domains and forests

A user may be assigned to multiple groups in an Active Directory organization. A group member may have membership in other groups in the same domain (or) in a different domain within the same forest (or) in a different domain in a different forest.

An in-depth user/group membership report must include all the groups that a user is member of across the entire AD organization (and not just the groups within one domain).

In a multiple forest environment, When we add a member from one domain to a group in another domain (from a trusted domain outside of that forest) , Active Directory automatically creates a special object called a foreign security principal (FSP) in the CN=ForeignSecurityPrincipals container in the domain NC.

Active Directory creates a foreign security principal object in a forest when objects from its trusted external forest are assigned group membership and security for trusting the forest’s objects. The users and groups of the external forest are represented by foreign security principals in the trusting forest and is necessary for them to access domain resources that exist in that forest. When a trust is established between domains across forests, these foreign security principals can become members of ‘domain local groups’ in the source domain.

In order to generate a report on all user memberships, you need a tool that runs through all user memberships across domains and if there are multiple forests with FSPs, then the membership across forests will have to be generated. For example, a complete membership listing of a User A, who is present in multiple domains across multiple forests, will show all groups that User A is a member of (including Domain Local Groups).

Vyapin’s Admin Report Kit for Active Directory (ARKAD) generates such complex user/group membership reports.

How to view all security principals in all domains within a single forest in ARKAD?

(A security principal can be a user, group, service, or Computer). The Forest Reports feature in ARKAD allows the user to generate reports across domains in a forest. (Select ‘Forest Reports…’ under New Report button in the tool bar. The Forest Reports window with the list of reports will be displayed; Select a report from the list of reports. Click Next to proceed to the next steps).