Re: Ability to list groups member of a trusted domain is in
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Wed, 26 Jul 2006 16:28:25 -0700
That is, or certainly can be, a tough nut to crack.
What I try to use is:
1. never grant to users, not anything, not ever
2. allow users into a subset of the groups only
   (I think of these as principal groups)
3. use grants for rights, resources, etc. with
   groups defined for those purposes
   (I think of these as resource groups)
4. use principal groups nowhere except to
   populate resource groups
5. have and uphold a group naming convention so that
   it is clear what group is a principal group, and what
   the uses of the resource groups are (and use them
   only that way)
Then, there is a limited subset of groups that need to
be periodically examined for accounts, and as a side
effect looking at the resource groups tells one immediately
what categories of users have that access.
For the examination I use a script.
If one does not start out right one can quickly get a mess
on one's hands.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
"Mike Matheny" <mikemathenyathoustondotrrdotcom> wrote in message
news:eeU2hDNsGHA.3556@xxxxxxxxxxxxxxxxxxxxxxx
We have around 10 trusted domains that we sometimes add users from into
our domain local groups. When a user from a trusted domain leaves, we need
a way to find out what groups in OUR domain he is a member of and remove
him. I have not been able to find any way to do this (short of going
through all 1000 of our groups manually!!), so that is why I am asking the
experts!
--
Mike Matheny
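
The periodic examination described in the reply above, sketched as an added example that is not part of the original posts: it checks the membership side of rules 2, 4 and 5 and lists the SID of each offending member, which is how accounts from externally trusted domains show up. It uses the ActiveDirectory PowerShell module; the `P-`/`R-` prefixes and the OU path are assumptions chosen for illustration.

```powershell
# Added example: audits group membership against the rules in the reply.
# Assumed (not from the posts): the P-/R- prefixes and the placeholder OU path.
Import-Module ActiveDirectory

$PrincipalPrefix = 'P-'                          # assumed: groups that hold accounts
$ResourcePrefix  = 'R-'                          # assumed: groups that receive grants
$SearchBase      = 'OU=Groups,DC=example,DC=com' # placeholder OU of managed groups

$findings = foreach ($group in Get-ADGroup -Filter * -SearchBase $SearchBase -Properties member) {
    $isPrincipal = $group.Name.StartsWith($PrincipalPrefix)
    $isResource  = $group.Name.StartsWith($ResourcePrefix)
    if (-not ($isPrincipal -or $isResource)) {
        [pscustomobject]@{ Group = $group.Name; Member = $null; Class = $null
                           Issue = 'name matches neither convention (rule 5)' }
    }
    foreach ($dn in $group.member) {
        try {
            # Get-ADObject also returns foreignSecurityPrincipal entries, the
            # placeholders AD keeps for members from trusted domains outside the forest.
            $m = Get-ADObject -Identity $dn -Properties objectSid -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Group = $group.Name; Member = $dn; Class = 'unresolved'
                               Issue = 'member could not be read from this domain' }
            continue
        }
        $issue = $null
        if ($m.ObjectClass -eq 'group') {
            # Rule 4: a principal group may only be nested in a resource group.
            if ($m.Name.StartsWith($PrincipalPrefix) -and -not $isResource) {
                $issue = 'principal group nested outside a resource group (rule 4)'
            }
        } elseif (-not $isPrincipal) {
            # Rule 2: accounts (local or foreign) belong only in principal groups.
            $issue = 'account placed directly in a non-principal group (rule 2)'
        }
        if ($issue) {
            [pscustomobject]@{ Group = $group.Name; Member = "$($m.Name) [$($m.objectSid)]"
                               Class = $m.ObjectClass; Issue = $issue }
        }
    }
}
$findings | Sort-Object Group, Member | Format-Table -AutoSize -Wrap
```

Rules 1 and 3 concern grants on resources rather than membership, so they are outside what this membership check can see.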