I'm trying to use Perl to determine if a Windows user is a member of a Windows group, if the group contains nested groups.

I've tried using Win32::NetAdmin::GroupIsMember(), but it only works if the user is a direct member of the group.

I'm not an AD or LDAP expert, but the examples I googled for exhibit the same behavior.

For example, User "joe" is a member of the group "A". Group "A" is a member of group "B". I want to test to see if joe is a member of "B".

brian d foy

1 Answer

You could either use recursion to scan through the AD or (better) enumerate group membership through the SIDs. See the following for an example: http://explodingcoder.com/blog/content/how-query-active-directory-security-group-membership

igelkott
  • I tried that code, but enumerating SIDs only returns the groups that the user is direct member of. – Neil Johnson Oct 11 '10 at 13:52
  • I.e., enumerating SIDs will show user "joe" is a member of group A, but not group B. – Neil Johnson Oct 11 '10 at 14:01
  • The article I linked to seems to apply to your situation exactly. From the article: "... the user is a member of 'IT Operations', and that group is a member of 'IT Department'." I didn't describe the method in any detail since the article does a better job than I would have. There's a code example in Perl as well. – igelkott Oct 11 '10 at 19:11
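
The recursive approach mentioned in the answer, as an added example that is not part of the original thread or the linked article: it expands direct memberships into effective (nested) memberships and tolerates circular nesting. The names `%DIRECT_MEMBER_OF`, `direct_groups`, `effective_groups` and `is_member` are hypothetical, and the membership data is constructed; in real use the lookup callback would return the direct groups reported by the directory.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: direct memberships only, which is all a
# direct-membership check reports. Names are compared case-sensitively here.
my %DIRECT_MEMBER_OF = (
    joe => ['A'],
    A   => ['B'],
    B   => ['C'],
    C   => ['A'],    # circular nesting, which a directory may contain
    sue => ['D'],
);

# Hypothetical lookup hook: replace the body with a directory query that
# returns the groups a user or group is a *direct* member of.
sub direct_groups {
    my ($principal) = @_;
    return @{ $DIRECT_MEMBER_OF{$principal} || [] };
}

# Return every group the principal belongs to, directly or through nesting.
sub effective_groups {
    my ($principal, $lookup) = @_;
    my %seen;
    my @queue = ($principal);
    while (defined(my $current = shift @queue)) {
        for my $group ($lookup->($current)) {
            next if $seen{$group}++;    # already expanded: breaks cycles
            push @queue, $group;
        }
    }
    return sort keys %seen;
}

# True if $principal is a direct or nested member of $group.
sub is_member {
    my ($principal, $group, $lookup) = @_;
    return scalar grep { $_ eq $group } effective_groups($principal, $lookup);
}

for my $check (['joe', 'A'], ['joe', 'B'], ['sue', 'B']) {
    my ($user, $group) = @$check;
    printf "%s in %s: %s\n", $user, $group,
        is_member($user, $group, \&direct_groups) ? 'yes' : 'no';
}
```

For access decisions, the effective set is what matters: a check that stops at direct membership will miss permissions granted through a parent group.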