I have found a solution that will work with up to 4 levels of nesting (and can be expanded to work with up to X levels). I have set up two scheduled searches that generate lookup tables.
The first search runs at *:20:00 and *:50:00.
index=activedirectory source="admon" objectClass="top|group" earliest="10/28/2012:0:0:0"
| dedup objectSid
| eval members=split(member, "|")
| mvexpand members
| eval member=replace(members, "^CN=", "")
| eval member=replace(member, ",(OU|CN|DC)=.*", "")
| table sAMAccountName, member
| outputlookup ADGroupMembership1.csv
The second search runs at *:25:00 and *:55:00 (5 minutes after search #1).
| inputlookup ADGroupMembership1.csv
| eval topGroup=sAMAccountName
| table topGroup, sAMAccountName, member
| eval joinOn=lower(member)
| join max=100 type=outer joinOn [| inputlookup ADGroupMembership1.csv | eval joinOn=lower(sAMAccountName)]
| dedup topGroup, member
| eval joinOn=lower(member)
| join max=100 type=outer joinOn [| inputlookup ADGroupMembership1.csv | eval joinOn=lower(sAMAccountName)]
| dedup topGroup, member
| eval joinOn=lower(member)
| join max=100 type=outer joinOn [| inputlookup ADGroupMembership1.csv | eval joinOn=lower(sAMAccountName)]
| dedup topGroup, member
| eval joinOn=lower(member)
| join max=100 type=outer joinOn [| inputlookup ADGroupMembership1.csv | eval joinOn=lower(sAMAccountName)]
| dedup topGroup, member
| table topGroup, member
| outputlookup ADGroupMembershipExpanded.csv
After this second search runs, a lookup table is created. The table has two columns/fields: "topGroup" and "member". If you want to see all of the users who are members of the group "Domain Admins" (through up to 4 levels of group nesting), you simply run this search:
| inputlookup ADGroupMembershipExpanded.csv | search topGroup="Domain Admins"
If you have more than 4 levels of nesting in your environment, you can modify search #2 to include additional instances of:
| eval joinOn=lower(member) | join max=100 type=outer joinOn [| inputlookup ADGroupMembership1.csv | eval joinOn=lower(sAMAccountName)] | dedup topGroup, member
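The expansion the two searches perform, re-implemented in Python as an added example (this is not the poster's code, and the group records are constructed to look like admon rows, not taken from any directory). It covers the steps a practitioner would want to verify: the DN-to-CN extraction for the first lookup, including objects that sit in a CN= container such as CN=Users (where Domain Admins and Administrator live by default) and CNs with an escaped comma; the repeated-join expansion as a breadth-first pass per level, with the same "stop after N levels" behaviour; and a guard for groups that contain each other, which a fixed number of joins simply re-expands.

```python
import re

# Constructed sample standing in for admon group events (not real directory
# data): one record per group, the multi-valued "member" attribute joined by
# "|", the same shape the first search splits with split(member, "|").
SAMPLE_GROUPS = [
    {"sAMAccountName": "Domain Admins",
     "member": "CN=Administrator,CN=Users,DC=corp,DC=example"
               "|CN=Tier0 Ops,OU=Groups,DC=corp,DC=example"},
    {"sAMAccountName": "Tier0 Ops",
     "member": "CN=alice,OU=Staff,DC=corp,DC=example"
               "|CN=Platform Admins,OU=Groups,DC=corp,DC=example"},
    # Platform Admins contains Domain Admins again: a nesting cycle.
    {"sAMAccountName": "Platform Admins",
     "member": "CN=bob,OU=Staff,DC=corp,DC=example"
               "|CN=Domain Admins,CN=Users,DC=corp,DC=example"},
    {"sAMAccountName": "Helpdesk",
     "member": "CN=Smith\\, John,OU=Staff,DC=corp,DC=example"},
]

# Leading RDN only, up to the first unescaped comma. Stripping "CN=" globally
# and then ",OU=.*" would mangle objects that live in a CN= container such as
# CN=Users, so the match is anchored and stops at any following component.
CN_RE = re.compile(r"^CN=((?:\\.|[^,\\])+)", re.IGNORECASE)


def dn_to_cn(dn):
    """'CN=Administrator,CN=Users,DC=corp,DC=example' -> 'Administrator'."""
    m = CN_RE.match(dn.strip())
    return m.group(1).replace("\\,", ",") if m else dn.strip()


def build_membership(rows):
    """Equivalent of ADGroupMembership1.csv: {lower(group): [member CNs]}."""
    table = {}
    for row in rows:
        parts = [p for p in row["member"].split("|") if p]
        table[row["sAMAccountName"].lower()] = [dn_to_cn(p) for p in parts]
    return table


def expand(table, top_group, max_depth=4):
    """Members of top_group as ADGroupMembershipExpanded.csv would list them.

    Each pass over `frontier` corresponds to one `join` in the second search:
    a member that is itself a group is replaced by that group's members; any
    other member is kept. After max_depth passes whatever is still unexpanded
    is kept by name, just as the search leaves a group nested deeper than its
    join count in the table as a group name. Groups already expanded are not
    expanded again, so a cycle terminates instead of being re-joined on every
    pass.
    """
    frontier = list(table.get(top_group.lower(), []))
    seen = {top_group.lower()}
    members = set()
    for _ in range(max_depth):
        next_frontier = []
        for m in frontier:
            key = m.lower()
            if key in table:
                if key not in seen:
                    seen.add(key)
                    next_frontier.extend(table[key])
            else:
                members.add(m)
        frontier = next_frontier
    members.update(frontier)
    return sorted(members)


if __name__ == "__main__":
    lookup = build_membership(SAMPLE_GROUPS)
    for depth in (1, 4):
        print(depth, expand(lookup, "Domain Admins", max_depth=depth))
```

With one level, "Platform Admins" is still reported as a member of Domain Admins by name; with four, it has been replaced by its members and the cycle back to Domain Admins is ignored, so the result is the three users. That is the same difference the number of `join` stages makes in the second search.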