Computer's group membership

  • General discussion

  • I am trying to find a way to list the groups a computer knows it is a member of. Normally a computer only picks up a group membership change after a reboot. You can purge the kerb tickets and it will sometimes pick up the new membership.

    I have a requirement to determine if a group membership has propagated to >300 servers for GPO filtering, but the only way I can find to validate this is by running a gpresult and checking the computer group memberships.

    I started by trying to run a gpresult remotely but that does not always return the computer group membership. Is there a WMI call that can pull this or can a kerb ticket be disassembled to get the memberships?



    Friday, March 27, 2015 7:50 PM

All replies

  • I do not understand what you are trying to say.  Group membership is not dynamic except for "authenticated Users" and a couple of other local groups.

    A computer is a member of domain groups based on how it was managed.

    If you add an account to a new group that group is not valid until a logoff and logon cycle.  For computer accounts this requires a reboot.

    You are posting general Windows questions in a scripting forum.  You should post your issues in the Directory Services forum.

    GPO filtering has little to do with the computer.  If a computer is added to a group then the servicing DC has to be updated before it is certain that it will apply policy as intended.  The DCs get policy refreshes every 5 minutes.  GPResult will not tell you anything useful about the computer until it is re-authenticated.  I believe this still only happens when the computer is booted.  Security groups are not related in any way to Group Policy although GP uses security groups to selectively apply policy.


    ¯\_(ツ)_/¯

    Friday, March 27, 2015 9:02 PM
  • jrv,

    I understand how Active Directory and the various methods of GPO provisioning work.

    The systems in question (>300 production servers) have been added to a provisioning group. This group is used to filter application of a GPO. I need to validate the systems have picked up the new group membership before moving forward with a multi-step implementation.

    When a gpresult is run the output displays the groups the system is a member of in order to determine GPO application. I am trying to get this data from remote systems programmatically, hence why I posted in this forum since I am specifically asking if anyone knows of a WMI (or other) call that would return the computer group memberships.

    As I re-organize a GPO structure in dire need of cleanup I am going to have to do this validation multiple times over a large number of servers. Being able to automate this process would help quite a bit.

    "For computer accounts this requires a reboot." - See this article: 

    http://setspn.blogspot.com/2010/10/updating-servers-security-group.html


    Monday, March 30, 2015 2:22 PM
  • Try this:

    DSQUERY USER -samid loginname | DSGET USER -memberof -expand

    REF: http://www.robvanderwoude.com/ntadmincommands.php


    You wouldn't demand a therapy from your Doctor just because you told him "I don't feel very well"
    You wouldn't expect your accountant to know how much your taxes are just because you told him "I have earned some money"
    Do not expect any IT Pro to suggest a solution to you just because you said "It doesn't work"

    Monday, March 30, 2015 2:27 PM
  • Jay,

    You can use WMI to retrieve the results of gpresult or dump it to XML and query the XML.

    Group membership may not be updated without a reboot although GPResult should honor the groups.

    gpresult /X <filename.xml>
    $gp=[xml](Get-Content <filename.xml>)

    $gp.SelectNodes('//<xpath to node>')


    ¯\_(ツ)_/¯

    Monday, March 30, 2015 2:57 PM
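The two approaches suggested in the replies above, DSGET showing what AD holds for the account and gpresult /X dumped to XML and queried from PowerShell showing what the server's own Group Policy engine recorded, combined into one script for the original poster's scenario. This is an added example, not code from any participant in the thread. It assumes the RSAT ActiveDirectory module on the admin workstation, PowerShell Remoting enabled on the target servers, and rights to run gpresult for the computer scope there; the function names, the group name 'GPO-Provisioning' and the file servers.txt in the usage line are illustrative.

```powershell
# Added example, not code from the thread. Compares the AD-side view of a
# computer's group membership (what DSGET -memberof shows) with the view the
# server's own Group Policy engine recorded at its last computer policy
# refresh (the SecurityGroup list in gpresult /X), for one filtering group.
# Assumptions: RSAT ActiveDirectory module locally, PS Remoting to the servers.
Import-Module ActiveDirectory

# AD-side: is the computer account a direct member of the group?
# Get-ADPrincipalGroupMembership reports direct membership only; a nested
# membership shows False here but may still be in the server's token.
function Test-AdComputerInGroup {
    param([string]$Computer, [string]$GroupName)
    # Computer accounts have a trailing '$' in their sAMAccountName.
    $names = Get-ADPrincipalGroupMembership -Identity ($Computer + '$') |
        Select-Object -ExpandProperty Name
    return [bool]($names -contains $GroupName)
}

# Runs ON each server via Invoke-Command. Optionally purges the computer
# account's Kerberos tickets (logon session 0x3e7 is SYSTEM) and refreshes
# computer policy first; the original poster notes this only sometimes picks
# up the new membership, a reboot is the reliable way. Then dumps RSoP to XML
# and returns the SecurityGroup names from the computer section, which avoids
# the remote gpresult /S call the poster found unreliable for that section.
$RsopScript = {
    param([bool]$Purge)
    if ($Purge) {
        & klist.exe -li 0x3e7 purge | Out-Null
        & gpupdate.exe /target:computer /force | Out-Null
    }
    $tmp = Join-Path $env:TEMP ("rsop_{0}.xml" -f [guid]::NewGuid())
    try {
        & gpresult.exe /SCOPE COMPUTER /X $tmp /F | Out-Null
        if (-not (Test-Path -LiteralPath $tmp)) { throw "gpresult produced no XML" }
        $xml = [xml](Get-Content -LiteralPath $tmp -Raw)
        # The report declares a default XML namespace, so a plain path such as
        # //ComputerResults/SecurityGroup/Name matches nothing; use local-name().
        $xpath = "//*[local-name()='ComputerResults']/*[local-name()='SecurityGroup']/*[local-name()='Name']"
        @($xml.SelectNodes($xpath) | ForEach-Object { $_.InnerText })
    } finally {
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
    }
}

# One row per server: AD membership, policy-engine membership, and whether
# both agree (the condition the poster wants before applying the filtered GPO).
function Get-GroupPropagationReport {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$GroupName,
        [switch]$PurgeComputerTickets
    )
    foreach ($c in $ComputerName) {
        $inAd = Test-AdComputerInGroup -Computer $c -GroupName $GroupName
        $seenByGp = $false
        $err = $null
        try {
            $groups = Invoke-Command -ComputerName $c -ScriptBlock $RsopScript `
                -ArgumentList $PurgeComputerTickets.IsPresent -ErrorAction Stop
            # gpresult reports names as DOMAIN\Group; compare on the group part.
            $seenByGp = [bool]($groups | Where-Object { ($_ -split '\\')[-1] -eq $GroupName })
        } catch {
            $err = $_.Exception.Message
        }
        [pscustomobject]@{
            Computer     = $c
            InGroupInAD  = $inAd
            SeenByPolicy = $seenByGp
            Ready        = ($inAd -and $seenByGp)
            Error        = $err
        }
    }
}

# Usage (illustrative names): list the servers that have not yet picked up the group.
# Get-GroupPropagationReport -ComputerName (Get-Content .\servers.txt) -GroupName 'GPO-Provisioning' |
#     Where-Object { -not $_.Ready } | Format-Table -AutoSize
```

Servers that show InGroupInAD True but SeenByPolicy False are exactly the ones whose access token predates the membership change, so the filtered GPO will not apply to them until they re-authenticate (normally a reboot, or the ticket purge and policy refresh the -PurgeComputerTickets switch attempts). Rows with an Error value indicate a remoting or gpresult failure rather than a membership result, so treat them as unknown rather than as not ready.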