There are various ways to either list all users & groups belonging to a group (or via gui), or conversely list all groups a group or user belongs to...
However, I am in a position where I wish to know whether a group (My Group) directly or indirectly contains a particular user (jsmith), e.g.
- Yes,
jsmithis a member ofMy Groupor one of its members (recursively); or - No,
jsmithis not a member ofMy Groupor any of its members (recursively).
I don't need to enumerate all possible users of the group (unless that's the most efficient way to do it).
It would be a bonus if it indicated the heirarchy through which the membership arises, e.g.
My GroupcontainsSome Other Group, which containsSome Team Group, which containsjsmith; orMy GroupcontainsPoorly Maintained Group, which containsDomain Users, which containsjsmith.
What would be the best way to answer either of these questions?
There is the calculated attribute in Active Directory "tokenGroups" that returns SIDs of all groups the user belong to.