Mark Minasi's Tech Forum
Xenophane
#1
I have written some scripts that do auditing on AD groups for a company.

Today I was testing some samples from the script output and stumbled upon something weird (I didn't think it was possible for a group to be a member of itself).

When I dug a little deeper I found that this has happened for several groups.

Does anyone know how this can happen? If you try to do it from the GUI or PowerShell, it fails with "A group cannot be made a member of itself.", which is what I would expect.

Have I been drinking out of the night potty again, or what is happening? [wink]

__________________
Claus T Nielsen
Microsoft Cloud and Datacenter MVP 
Founder of the Danish PowerShell UserGroup http://psug.dk
 
<SIG> George Bernard Shaw : The power of accurate observation is commonly called cynicism by those who have not got it. </SIG>
cj_berlin
#2
Hi,

this can happen in migrations: you create a group with the same name, stick the source group in there so that members from the source get permissions in the target, THEN migrate the group and match by name.

Or an IDM scenario where AD driver uses LDAP rather than ADSI.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
Xenophane
#3
I know for sure that the AD has never been migrated, and that these groups are relatively new.

They do not have an IDM solution (at least they are not aware of it, if they do [wink])

So just to make sure I understand you correctly: LDAP tools would be able to break the constraint about not being able to add a group to itself and make this happen?

Xenophane
#4
Another thing I noticed is that when you open the group in ADUC and open the "Members" tab, you cannot click on the group in that view; nothing happens. I can click on all the other members and get the properties of that object.
cj_berlin
#5
Yes, you'll be able to break almost any constraint by LDAP. Multiple instances of SAMAccountName, for example, which may explain the behaviour in your last post. Pull the group memberships (and the backlinks) via LDAP and see if they match and whether there is a second instance of the group name with a different SID.
wkasdo
#6
Looks like a scripting error where a bad loop ends with adding a group to itself. Technically, a group member is represented by the "member" attribute, which contains a distinguished name (DN) referring to an existing object. AD has no problem with a reference to itself here, meaning a group is a member of itself.

I know that ADUC blocks this, but that is probably a function of the GUI. It certainly is not a limitation of LDAP or AD itself.

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
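As an added audit example (not code from the thread or from any of the posters), the script below does what posts #5 and #6 describe: it reads each group's member forward link and memberOf backlink, flags groups whose own DN appears in either, and looks for a second object carrying the same sAMAccountName with a different SID. It assumes the ActiveDirectory PowerShell module and read access to the domain; the function name is ours.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) and a domain-joined session with read access to the directory.
Import-Module ActiveDirectory

function Find-SelfMemberGroup {
    [CmdletBinding()]
    param(
        # Narrow the search to an OU if the domain is large.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # "member" is the forward link stored on the group; "memberOf" is the
    # backlink AD maintains. A DN pointing at the group itself is exactly what
    # ADUC and Add-ADGroupMember refuse to create but LDAP writes allow.
    $groups = Get-ADGroup -Filter * -SearchBase $SearchBase `
                -Properties member, memberOf, sAMAccountName

    foreach ($g in $groups) {
        $selfInMember   = [bool]($g.member   -contains $g.DistinguishedName)
        $selfInMemberOf = [bool]($g.memberOf -contains $g.DistinguishedName)
        if (-not ($selfInMember -or $selfInMemberOf)) { continue }

        # Post #5: a second object with the same sAMAccountName would explain
        # ADUC failing to resolve the entry in the Members tab. Escape LDAP
        # filter metacharacters before embedding the name in the filter.
        $escaped = $g.sAMAccountName.Replace('\', '\5c').Replace('*', '\2a').
                       Replace('(', '\28').Replace(')', '\29')
        $twins = Get-ADObject -LDAPFilter "(sAMAccountName=$escaped)" `
                    -SearchBase $SearchBase -Properties objectSid |
                 Where-Object { $_.objectSid.Value -ne $g.SID.Value }

        [pscustomobject]@{
            Group           = $g.DistinguishedName
            SelfInMember    = $selfInMember
            SelfInMemberOf  = $selfInMemberOf
            BacklinkMatches = ($selfInMember -eq $selfInMemberOf)
            DuplicateSamDNs = @($twins.DistinguishedName)
        }
    }
}

# Usage: Find-SelfMemberGroup | Format-Table -AutoSize
```

A row where SelfInMember and SelfInMemberOf disagree, or where DuplicateSamDNs is non-empty, is the case worth inspecting with an LDAP browser before changing anything; Set-ADGroup -Remove @{member=$dn} is the usual way to drop a single stray DN from member once the cause is understood.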