group membership evaluation

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008

Generates a report with information about group memberships for a user. Active Directory environments that contain complex group structures can encounter problems with access token limitation during authentication. This problem can result in the inability of a user to log on or access resources. By analyzing the results of the report, you can identify the source of the problem.

For detailed information about the access token limitation issue and how to use the group membership evaluation option in Ntdsutil or Dsmgmt to resolve related problems, see Addressing Problems Due to Access Token Limitation (https://go.microsoft.com/fwlink/?LinkId=62237).

This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. Dsmgmt is available if you have the AD LDS server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

To use either of these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

[clear credentials] [run %s1 %s2] [set account dc %s] [set credentials %s1 %s2 %s3] [set global catalog %s] [set resource dc %s] [verbose %s]

Parameters

Parameter Description

clear credentials

Clears credentials that were used for a prior connection.

run %s1 %s2

Runs token evaluation for the principal %s2 in domain %s1.

set account dc %s

Specifies the domain controller used in the account domain. The account domain is the domain that includes the user account. If you do not specify a domain controller, the tool automatically locates one.

set credentials %s1 %s2 %s3

Sets connection credentials as domain %s1, user %s2, and password %s3.

set global catalog %s

Specifies which global catalog server to use. If you do not specify a global catalog, ntdsutil.exe automatically locates one.

set resource dc %s

Specifies the domain controller used in the resource domain. Use this parameter only if the user and computer on which the logon is being attempted are in different domains. If the user and computer belong to different domains, the resource groups of the computer must also be enumerated.

verbose %s

Turns verbose mode on or off.

quit

Takes you back to the previous menu, or exits the utility.

?

Displays Help at the command prompt.

Help

Displays Help at the command prompt.

Remarks

  • If the variable has spaces in it, enclose it in parentheses, instead of quotation marks: connect to server (xxx yyy).

  • Ntdsutil does not correctly handle special characters, such as the apostrophe character ('), that you can enter at the ntdsutil: prompt at the command line. In some situations, there may be an alternative workaround. For more information, see local roles (https://go.microsoft.com/fwlink/?LinkId=157320).

Examples

If you want to evaluate the group memberships for a user with SAM Account Name ToniPoe in a domain named corp.cpandl.com, using Ntdsutil you can do the following:

  1. At the ntdsutil: prompt, type group membership evaluation, and then press ENTER.

  2. Type set account dc <dcname>, where <dcname> is the actual name of a domain controller in your domain that you want to use to obtain the account's global group memberships, and then press ENTER.

  3. Type set global catalog <gcname>, where <gcname> is the actual name of a domain controller in your domain acting as a global catalog server that you want to use to obtain the account's universal group memberships, and then press ENTER.

  4. Type set resource dc <dcname>, where <dcname> is the actual name of a domain controller in your domain that you want to use to obtain the account's local group memberships, and then press ENTER.

  5. Type run corp.cpandl.com tonipoe, and then press ENTER.

  6. Ntdsutil outputs a tab-separated-value file (.tsv) with a specific name. That file is located in the folder from which you started Ntdsutil. The file name is reported by Ntdsutil. To access the file, type quit, and then press ENTER twice.

  7. Type dir *.tsv to see a list of the tab-separated-value files in the current folder.

  8. You can open the file in a spreadsheet program or a text file viewer. For example, to open a file named tonipoe-20090514203117.tsv in Notepad, type notepad tonipoe-20090514203117.tsv, and then press ENTER.
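The following script is an added example; it is not part of this page and not Microsoft's code. It covers both the Parameters section and the numbered steps above: build_ntdsutil_command replays steps 1 through 6 non-interactively (Ntdsutil executes each command-line argument as one menu command, and values containing spaces are wrapped in parentheses as the Remarks require), and the remaining functions read the .tsv report and estimate the access token size with the formula from Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s), comparing it against the 12,000-byte default MaxTokenSize and the 1,015-SID ceiling that apply to the listed operating systems. The report's column layout (Name, Domain, Scope, Source), the sample rows, the file encoding, and the domain controller names DC01, GC01 and DC02 are assumptions; map the real report's columns in parse_report before running it on actual output.

```python
"""Replay the Examples steps against ntdsutil and size the resulting token.
Added example, not Microsoft's code; ASSUMED marks what the page does not state."""
import csv
import glob
import io
import os
import subprocess
import sys
from collections import Counter, namedtuple

MAX_TOKEN_SIZE = 12000  # default MaxTokenSize in bytes on the listed releases
MAX_SIDS = 1015         # SIDs a token can carry once reserved entries are excluded
GroupEntry = namedtuple("GroupEntry", "name domain scope source")


def ntdsutil_arg(value):
    """Per the Remarks: a value containing spaces goes in parentheses, not quotes."""
    return f"({value})" if " " in value else value


def build_ntdsutil_command(domain, sam_account, account_dc, global_catalog,
                           resource_dc=None):
    """argv for steps 1-6 in one go: ntdsutil runs each argument as one command."""
    argv = [
        "ntdsutil.exe",
        "group membership evaluation",
        f"set account dc {ntdsutil_arg(account_dc)}",
        f"set global catalog {ntdsutil_arg(global_catalog)}",
    ]
    if resource_dc:  # only when the user and the computer are in different domains
        argv.append(f"set resource dc {ntdsutil_arg(resource_dc)}")
    argv += [f"run {domain} {sam_account}", "quit", "quit"]
    return argv


def run_evaluation(argv, workdir="."):
    """Run ntdsutil (Windows, elevated) and return the new .tsv path, or None."""
    before = set(glob.glob(os.path.join(workdir, "*.tsv")))
    subprocess.run(argv, cwd=workdir, check=True)
    new = set(glob.glob(os.path.join(workdir, "*.tsv"))) - before
    return max(new, key=os.path.getmtime) if new else None


# ASSUMED column layout and constructed rows; map the real report's columns here.
SAMPLE_REPORT = (
    "Name\tDomain\tScope\tSource\n"
    "Domain Users\tcorp.cpandl.com\tGlobal\tMember\n"
    "Finance-GG\tcorp.cpandl.com\tGlobal\tMember\n"
    "AllStaff-UG\tcorp.cpandl.com\tUniversal\tMember\n"
    "Printers-DL\tcorp.cpandl.com\tDomainLocal\tMember\n"
    "Share-DL\teu.cpandl.com\tDomainLocal\tMember\n"
    "Euro-UG\teu.cpandl.com\tUniversal\tMember\n"
    "Legacy-GG\told.cpandl.com\tGlobal\tSIDHistory\n"
)


def parse_report(tsv_text):
    """Read the tab-separated report into GroupEntry rows (columns as ASSUMED above)."""
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    return [GroupEntry(r["Name"], r["Domain"].lower(), r["Scope"], r["Source"])
            for r in reader if r.get("Name")]


def estimate_token_size(groups, account_domain):
    """KB 327825 estimate, TokenSize = 1200 + 40d + 8s: d counts domain-local
    groups, universal groups outside the account domain and SID-history entries;
    s counts global groups and universal groups inside the account domain."""
    account_domain = account_domain.lower()
    d = s = 0
    for g in groups:
        if g.source == "SIDHistory" or g.scope == "DomainLocal":
            d += 1
        elif g.scope == "Universal" and g.domain != account_domain:
            d += 1
        else:
            s += 1
    return 1200 + 40 * d + 8 * s


def assess(groups, account_domain):
    """Compare the estimate with the limits and rank domains by contribution."""
    size = estimate_token_size(groups, account_domain)
    return {
        "sids": len(groups),
        "token_size": size,
        "too_many_sids": len(groups) > MAX_SIDS,
        "exceeds_max_token_size": size > MAX_TOKEN_SIZE,
        "by_domain": Counter(g.domain for g in groups).most_common(),
    }


if __name__ == "__main__":
    if sys.platform == "win32" and "--run" in sys.argv:  # needs an elevated prompt
        path = run_evaluation(build_ntdsutil_command("corp.cpandl.com", "tonipoe",
                                                     "DC01", "GC01"))
        text = open(path, encoding="utf-8").read()  # encoding ASSUMED
    else:
        text = SAMPLE_REPORT
    print(assess(parse_report(text), "corp.cpandl.com"))
```

Run without arguments to see the assessment of the constructed sample (seven SIDs, an estimated 1384-byte token, well under the limit); on a domain-joined Windows host run it with --run from an elevated prompt to drive Ntdsutil and assess the real report. The by_domain ranking is the quickest way to see which domain's group structure is inflating the token, which is the question this report is meant to answer.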

Additional references

Command-Line Syntax Key

Ntdsutil

Dsmgmt

authoritative restore

configurable settings

DS behavior

files

ifm

LDAP policies

local roles

metadata cleanup

partition management

roles

security account management

semantic database analysis

set DSRM password

snapshot