Ldap – What permissions are required for enumerating users groups in Active Directory

active-directoryldap

I have a .net web application which needs to obtain the groups a user is a member of in Active Directory.

Todo this I am using the memberOf attribute on the users records.

I need to know the permissions required to read this attribute on all users records.

Currently I am getting inconsistent results when trying to read this attribute. For example I have a user group of 30 users in the same OU path. Using my own credentials to query AD – I can read the memberOf attribute for some users but not others. I know all the users have a memberOf attribute set as I have checked when logged on with a domain admin account.

Best Answer

On your domain object, you need to assign the querying user the "Read MemberOf" right to User objects.

Open AD U&C browse to your domain object
Right click and go to properties:
Security tab, click Advanced
Click Add
Enter the user name to add
Click the Properties tab
In 'Apply Onto' change the type to User
Click the "Read MemberOf" checkbox:
OK out of there

That should set it up so that the specified account can read the group memberships of all User accounts in the domain.

Related Solutions

What minimum level of credentials are normally required to join a member server to the domain

By default a domain user can add up to 10 computers to a domain. There is a way that administrators can restrict this default behavior to only allow Administrators to add computers to the domain, by using ADSI Edit.

http://support.microsoft.com/kb/243327

Windows – How to list all Active Directory Users and their group membership

Install the Quest CMDlets and then run this code:

Add-PSSnapin Quest.ActiveRoles.ADManagement
$memberships = @()

Get-QADGroup -SizeLimit 0 | Foreach-Object {
        $NameGroup = $_.Name
        Write-Host "Working with $NameGroup"
        $membership = Get-QADGroupMember $_.DN -Enabled -SizeLimit 0
        if ($membership -ne $null ) {
        $membership | Add-Member -type NoteProperty -name AuditGroupUserIsMemberOf -value $_.Name
        $memberships += $membership
        }
    }

$memberships | Select-Object AuditGroupUserIsMemberOf, NTAccountname | Export-Csv "GroupsWithUsers.csv"

This will give you a 1 record per group-user connection so expect multiple occurrences of users and groups. If you wan't other fields, you can just edit the Select-Object statement. Use $memberships | gm to see all the possibilities for the users. If you want more fields for the groups, use Get-QADGroup | gm, you will then need to add these by adding a new NoteProperty.

If you don't really care about more options, here is a one-liner you can just mash in the terminal:

Get-QADGroup -sizeLimit 0 | select @{name="Group";expression={$_.name}} -expand members | select Group,@{n='User';e={ (Get-QADObject $_).NTAccountName}} | Export-Csv "MyUsersAndGroups.csv"

Best Answer

Related Solutions

What minimum level of credentials are normally required to join a member server to the domain

Windows – How to list all Active Directory Users and their group membership

Related Topic