Re: DumpSec and Win2003 AD. Won't dump Groups

We've seen this a few times, but have been unable to determine what is different with these environments to cause this. It works fine in our testing on 2003. The main problem is we are no longer maintaining DumpSec, so the only solution we can offer is to look at our Hyena product.

Re: DumpSec and Win2003 AD. Won't dump Groups

For anyone else searching this problem: In our case, if you exclude computer accounts, it will not loop.

Re: DumpSec and Win2003 AD. Won't dump Groups

This fix does not seem to work for me....
Does anyone have a solution to this problem please?

Thanks!

Re: DumpSec and Win2003 AD. Won't dump Groups

I can't duplicate this problem, but are you using the option to 'fully expand groups' ? That might be a problem, as the particular technique used dates back over a decade and MIcrosoft may have made changes over the years to make that option not work right under some conditions. DumpSec won't see distribution lists (universal groups) either.

Let me know what options you are using.

Re: DumpSec and Win2003 AD. Won't dump Groups

Thanks for your quick response.
This problem only occurs in 1 of our W2003 Active Directories. Others are fine.

I tried al possible settings available.
'Dump groups as column' and 'Dump groups as Table'
Both with all available fields selected and the other time with only the 'groups' field selected. No difference...
I also tried every possible combination for 'Fully expand groups' and/or 'Show normal user account' and/or 'Show computer accounts' switched on/off. No difference either. Always seems to loop endlessly...
It must be some kind of setting in Active Directory which is causing this behaviour.

Also trying every single Domain controller in the domain doesn't make a difference.

Maybe you could experiment with switching the 'domain functional level'. Unfortunately I can't do any testing here and can't see the Active Directory configuration...

[This message has been edited by ErwinB2 (edited 09-19-2007).]

Re: DumpSec and Win2003 AD. Won't dump Groups

One idea is to try our free Exporter tool (available in the free tools section). It can dump the groups and members and I doubt it will have the same problem.

Re: DumpSec and Win2003 AD. Won't dump Groups

I think I know what is causing the problem. I had a meeting with one of the admins. It seems that the forementioned Active Directory domain has a few groupnames containing the " : " character. This is allowed in win2003 but the pre-win2000 name of the group may not contain this character.

If anyone could test this;
In an Win2003 active directory domain. Create one or 2 groups with a " : " in the groupname, for example "group 1: test1"
Then run dumpsec and try to dump the groups.

Hope this helps.

Re: DumpSec and Win2003 AD. Won't dump Groups

I created a group with ':' in the name and didn't have any problem. I assume you mean that the : should be in the directory name, and not the Pre-Windows 2000 name.