OK, it just occurred to me that some of the posts here already provided the answer, but they need to be paired together. Try the following script. I can't test it too effectively, so not sure how well it will work, but I tested it against our local admin group and it returned member names as well as the AD nested group name(s).
#!/bin/bash

groupname="admin"

## Arrays for direct members and nested group GUIDs
groupMembers=()
nestedGroupMembers=()

## Get group member names if present, send to array
groupMembers+=($(dscl . read "/Groups/$groupname" GroupMembership 2>/dev/null | tr ' ' '\n' | sed '1d'))

## Get the NestedGroups value if present, send to array
nestedGroupMembers+=($(dscl . read "/Groups/$groupname" NestedGroups 2>/dev/null | tr ' ' '\n' | sed '1d'))

## If nestedGroupMembers array is not empty, read each item,
## check to see if it's a local group or domain group and get membership info
## Add anything found into the original groupMembers array
if [[ ${#nestedGroupMembers[@]} -gt 0 ]]; then
    while read -r GUID; do
        if [[ "$GUID" == "ABCDEF"* ]]; then
            ## GUIDs starting with ABCDEF are treated as local groups
            nestedGroupName=$(dscl . search /Groups GeneratedUID "$GUID" | tr '\t' '\n' | head -1)
        else
            ## Anything else is looked up in AD
            nestedGroupName=$(dscl "/Active Directory/DOMAIN/All Domains" search /Groups GeneratedUID "$GUID" | tr '\t' '\n' | head -1)
        fi
        ## Skip GUIDs that could not be resolved (e.g. AD unreachable)
        [[ -n "$nestedGroupName" ]] && groupMembers+=("$nestedGroupName")
    done < <(printf '%s\n' "${nestedGroupMembers[@]}")
fi

echo "<result>$(printf '%s\n' "${groupMembers[@]}")</result>"
Change the group name up top to com.apple.access_ssh or whatever you want to pull info for, and also the "DOMAIN" in the 3rd dscl command searching against AD. Of course, this will only work if the Mac it runs on is joined to AD and is in range of your DCs. You can't use dscl -search against the local domain to read back a domain-based nested group's details, so searching AD seems to be the only way.