Win32_GroupUser does not return nested groups from domain security groups

Question

When I use Win32_GroupUser to request members of a local security group, I also get nested domain groups.

E.g. in PowerShell, this query on a member server:

Get-WmiObject Win32_GroupUser -Filter "GroupComponent='Win32_Group.Domain=`"myserver`",Name=`"LocalTestGroup02`"'" | select PartComponent

returns both user- and domain accounts:

PartComponent                                                     
-------------                                                     
\myserver
oot\cimv2:Win32_Group.Domain="FLIP",Name="TestGroup"  
\myserver
oot\cimv2:Win32_UserAccount.Domain="FLIP",Name="test5"
\myserver
oot\cimv2:Win32_UserAccount.Domain="FLIP",Name="test4"

The same query, but this time on a domain controller and for membership of a domain security group:

Get-WmiObject Win32_GroupUser -Filter "GroupComponent='Win32_Group.Domain=`"FLIP`",Name=`"TestGroup2`"'" | select PartComponent

only returns the user accounts, despite that its members are exactly the same as the local group above.

PartComponent
------------
\VW-DC01
oot\cimv2:Win32_UserAccount.Domain="FLIP",Name="test4"                                            
\VW-DC01
oot\cimv2:Win32_UserAccount.Domain="FLIP",Name="test5"

I see this behavior

when executed locally and from another server with the -ComputerName parameter
also with a C# application using System.Management
on Domain local, Global, and Universal security groups

Does anybody know why that is? More important, can I change this behavior so I also get to see nested groups in domain groups?

I'm trying to enumerate membership of both local- and domain groups, including members in nested groups.

PS: I know I can also use the Get-ADGroupMember cmdlet, but that's not an option. I only have a WMI connection to the target servers, not LDAP or WinRM.

Thx,

Win32_GroupUser does not return nested groups from domain security groups

Answers (1)

Related Questions