Question

I can see a lot of questions relating to needing to get users from nested groups, but what I want to do is query AD for all groups that have a nested group. For example:

If group A has a nested group B, show me that group; if group C has no nested groups, don't show me it; if group D has a nested group E, show me it.

I want to know how many AD groups have nested groups and their names, basically. Can this be done?

Thanks

Solution

Unfortunately, what you are looking to do cannot be done with only LDAP queries. If you are running AD on Server 2003 SP2 or later, you can query for all members of a specific group, enumerating nested groups using a matching rule, but you would have to use an external process, like a PowerShell script, to actually get the results you wanted.

The matching rule I was thinking of would be used like this:

(memberOf:1.2.840.113556.1.4.1941:=cn=Test,ou=East,dc=Domain,dc=com)

If you can use PowerShell, and can install Microsoft's ActiveDirectory module from the RSAT tools, you can do it in one line (although, it could take forever) like this:

Import-Module ActiveDirectory; Get-ADGroup -Filter {Name -like "*"} | ? { $m = @(Get-ADGroupMember $_); $r = @(Get-ADGroupMember $_ -Recursive); $m -and (!$r -or (Compare-Object $m $r)) } | ft name,distinguishedName -AutoSize
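
A faster way to produce the same audit list, as an added example that is not part of the original answer: ask the directory once for every group that is itself a member of a group, then invert the child-to-parent links on the client. The function name, the `example.com` DNs and the sample objects are constructed for illustration, and the approach assumes a single domain, since `memberOf` only lists the parent groups visible to the domain controller being queried.

```powershell
# Added example; Get-NestingParent and $sample are hypothetical names.
# Input: group objects carrying Name and memberOf (the *child* groups).
# Output: one row per parent group that contains at least one nested group.
function Get-NestingParent {
    param([object[]]$ChildGroup = @())
    $parents = @{}
    foreach ($child in $ChildGroup) {
        foreach ($parentDn in $child.memberOf) {
            if (-not $parents.ContainsKey($parentDn)) {
                $parents[$parentDn] = New-Object 'System.Collections.Generic.List[string]'
            }
            $parents[$parentDn].Add($child.Name)
        }
    }
    foreach ($dn in ($parents.Keys | Sort-Object)) {
        [pscustomobject]@{
            ParentGroup  = $dn
            NestedCount  = $parents[$dn].Count
            NestedGroups = ($parents[$dn] | Sort-Object) -join '; '
        }
    }
}

# Constructed sample mirroring the question: B is nested in A, E in D.
# C has no nested group, so it is never named as a parent and never appears.
$sample = @(
    [pscustomobject]@{ Name = 'B'; memberOf = @('CN=A,OU=Groups,DC=example,DC=com') }
    [pscustomobject]@{ Name = 'E'; memberOf = @('CN=D,OU=Groups,DC=example,DC=com') }
)

# Against a live domain (requires the ActiveDirectory module), replace $sample with:
#   Get-ADGroup -LDAPFilter '(memberOf=*)' -Properties memberOf
$report = @(Get-NestingParent -ChildGroup $sample)
"{0} groups contain at least one nested group" -f $report.Count
$report | Format-Table -AutoSize -Wrap
```

This issues one LDAP search instead of two membership lookups per group, which matters when reviewing nesting across a large directory.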
License: CC-BY-SA with attribution
Not affiliated with StackOverflow