This time we will see how we can uncover another type of toxic and potentially unnecessary Active Directory objects – circular nested groups.
First let’s define what circular nested groups are. These are groups that end up including themselves by virtue of nested group memberships. Consider this example:
The Domain Admins group includes another group called Dallas CSI, which in turn includes Domain Admins as a member. The full membership path therefore forms an infinite “loop”:
Domain Admins->Dallas CSI->Domain Admins
Why are groups with circular nested membership bad? Having such groups will not affect the state of Active Directory itself, but it is considered a bad Active Directory management practice.
First of all, circular nested groups are a sign of an improperly implemented access control policy. The more circular groups you have, the more difficult it becomes to follow the “path of access”. It also leaves room for errors and unpredictable results when delegating access through such groups. And lastly, never forget about all the scripts and poorly written third-party applications that might not handle such groups appropriately. They might end up stuck in an infinite loop trying to enumerate all members of such groups. You will be surprised how many scripts and apps of this kind are out there…
Fortunately, finding such groups using PowerShell is an easy task. Below you will find the full recipe.
PS C:\Users\apm> Get-ADGroup -Filter {member -like "*"} -Properties member | ForEach-Object { $dn = $_.DistinguishedName; Get-ADGroup -Filter {(distinguishedName -eq $dn) -and (memberOf -RecursiveMatch $dn)} }
As you see, the code snippet uses the same cmdlets and syntax we discussed in the previous post. The same explanation and parameter choices apply here.
However, there is one caveat you should be mindful of. Unlike the empty-group query, this script pulls every group from Active Directory and, for each one, resolves all of its members including nested groups. If you don’t limit the outermost query with the -SearchBase and -SearchScope parameters, it can easily put a strain on your domain controllers for a considerable amount of time.
So, use this one liner wisely!
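As an added example (not part of the original post), the same check done client-side once the group memberships have already been pulled from the directory. The membership table is constructed sample data standing in for each group’s member attribute; filling it from Get-ADGroup -Properties member (within a -SearchBase, as discussed above) is assumed and not shown. The walk keeps a visited set, which is exactly what the scripts mentioned earlier are missing when they get stuck enumerating a circular group, and it reports each loop in the same Domain Admins->Dallas CSI->Domain Admins form used above.

```powershell
# Constructed sample data: group name -> direct members (groups or users).
# In a real run this table would be filled from Get-ADGroup -Properties member.
$Membership = @{
    'Domain Admins'     = @('Dallas CSI', 'Administrator')
    'Dallas CSI'        = @('Domain Admins', 'Dallas Helpdesk')
    'Dallas Helpdesk'   = @('jsmith')
    'Finance'           = @('Finance Read-Only')
    'Finance Read-Only' = @('alee')
}

function Get-NestedMember {
    # Transitive members of $Group, walked breadth-first with a visited set,
    # so a circular nesting cannot trap the walk in an infinite loop.
    param([hashtable] $Membership, [string] $Group)
    $seen  = [System.Collections.Generic.HashSet[string]]::new()
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($Group)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        # $Membership[$current] is $null for a user, so foreach simply skips it.
        foreach ($m in $Membership[$current]) {
            if ($seen.Add($m)) { $queue.Enqueue($m) }   # Add() is $false when already seen
        }
    }
    return $seen
}

function Find-CircularGroup {
    # For each group, walk its nested membership while remembering which group
    # each member was reached from; if the walk gets back to the starting group,
    # rebuild the loop path from that parent map and report it.
    param([hashtable] $Membership)
    foreach ($start in $Membership.Keys) {
        $parent = @{}                                   # member -> group it was reached from
        $queue  = [System.Collections.Generic.Queue[string]]::new()
        $queue.Enqueue($start)
        $loop = $null
        while ($queue.Count -gt 0 -and -not $loop) {
            $current = $queue.Dequeue()
            foreach ($m in $Membership[$current]) {
                if ($m -eq $start) {
                    # Rebuild start -> ... -> current -> start
                    $chain = [System.Collections.Generic.List[string]]::new()
                    $node = $current
                    while ($node -ne $start) { $chain.Insert(0, $node); $node = $parent[$node] }
                    $loop = (@($start) + $chain + $start) -join '->'
                    break
                }
                if (-not $parent.ContainsKey($m)) { $parent[$m] = $current; $queue.Enqueue($m) }
            }
        }
        if ($loop) { [pscustomobject]@{ Group = $start; Loop = $loop } }
    }
}

# Report the circular groups (Domain Admins and Dallas CSI in the sample data)
# and show that the safe enumerator still terminates for one of them.
Find-CircularGroup -Membership $Membership | Format-Table -AutoSize
'Nested members of Domain Admins: ' + ((Get-NestedMember -Membership $Membership -Group 'Domain Admins') -join ', ')
```

Because every group is walked once over data that is already in memory, this puts no extra load on the domain controllers beyond the initial Get-ADGroup pull, which is where the -SearchBase limit from the caveat above still applies.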