Ldap – Extract list of users in a set of nested AD groups

active-directoryldap

I need to get a list of all of the users who are ultimately members of an active directory group. There's a single parent group which has a few other groups as its members, and each of those groups have a few users and several other groups as members in turn.

I need to extract:

First Name
Last Name
AD Username

From every user who is a member (directly or indirectly) of the top level group. It feels like this should be possible with dsquery, but I've only limited experience and can't figure out the syntax. It also should be possible using a DirectorySearcher in the System.DirectoryServices .Net namespace, but my LDAP isn't quite good enough!

Any suggestions on how to proceed with either approach would be much-appreciated.

Many thanks,
Jon

Best Answer

Ok, well I've used this Powershell script to do this a number of times, it produces a listing of all users and groups under the group you specify. Obviously it can be tailored to give you the output you want.

You can use the export-csv command to then get your output into a CSV file.

Related Solutions

Ldap – SquidGuard and Active Directory groups

Solved.

Assuming the following:

- Domain name: "domain.com"
- Group name: "Internet Users"
- User name: "UserName"
- Path to group: "domain.com\OU1\OU2\Internet Users"

The query for checking if the user is member of that group would be:

(&(memberOf=CN=Group Name,OU=OU2,OU=OU1,DC=domain,DC=com)(SAMAccountName=UserName))

So you would have to add the following to squidGuard.conf to identify the members of that group ("%s" is squidGuard.conf's placeholder for "the client's user name"):

src Internet_Users {
    ldapusersearch  ldap://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet Users,OU=OU2,OU=OU1,DC=domain,DC=com))
}

Caveat: it will not work if written as above, giving you a laconic "syntax error" message; this is because (part of) the statement is treated like a URL, so you have to escape special characters such as commas and whitespaces; the correct form would thus be this one:

src Internet_Users {
    ldapusersearch  ldap://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet%20Users%2cOU=OU2%2cOU=OU1%2cDC=domain%2cDC=com))
}

Also, in order to avoid problems with Active Directory referrals (sometimes a DC will just redirect you to another one, even if you are on the same domain it manages), it might be useful to query a global catalog:

src Internet_Users {
    ldapusersearch  ldap://gc.domain.com:3268/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet%20Users%2cOU=OU2%2cOU=OU1%2cDC=domain%2cDC=com))
}

Ldap – Authenticating Nested Groups in LDAP

What application are you trying to configure.

There large majority of application that have some level of LDAP support as an LDAP client, simply have no support for nested groups.

Short of modifying the software, you may be out of luck.

If your LDAP server happens to be Microsoft Active Directory, then there is a non-standard search filter, that may help you.

See: - http://support.microsoft.com/kb/914828 - http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx

The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to provide a method to look up the ancestry of an object. Many applications using AD and AD LDS usually work with hierarchical data, which is ordered by parent-child relationships. Previously, applications performed transitive group expansion to figure out group membership, which used too much network bandwidth; applications needed to make multiple roundtrips to figure out if an object fell "in the chain" if a link is traversed through to the end.

Best Answer

Related Solutions

Ldap – SquidGuard and Active Directory groups

Ldap – Authenticating Nested Groups in LDAP

Related Topic