Windows – What’s the AD query syntax to enumerate all users for a particular group

active-directoryldapwindows

Here's what does not work so far;

(&(objectCategory=Person)(objectClass=Group)(CN=group_in_question))

(&(objectClass=Group)(objectCategory=Group)(member=CN=group_in_question))

(&(samAccountName=%USERNAME%)(memberof=CN=group_in_question))

(&(objectCategory=person)(objectClass=user)(memberOf=cn=group_in_question,ou=Groups,dc=mydomain,dc=com))

Best Answer

The third syntax works fine for me in LDP.EXE against one of my domains. I don't normally put the (objectCategory=person) in there, but it works fine with it, too.

What kind of error are you getting back when you try to use that?

Related Solutions

Ldap – How to build an LDAP query for AD that returns all users in a particular security group whose accounts are not disabled

Sometimes a set of yes/no values is stored in a single value by setting various bits. You can use a bitmask to check if they are set.

For example, 546 in decimal is the binary value 10 0010 0010 - in decimal, the sum of 512, 32, and 2. (All those numbers are powers of 2, which means they only have one '1' in their binary representation): That means those three yes/no values are set.

According to the userAccountControl docs that means the following values are set:

NORMAL_ACCOUNT (512)
PASSWD_NOTREQD (32)
ACCOUNTDISABLE (2)

However, for example, if you had a user who did not have PASSWD_NOTREQD set (so their userAccountControl value was 512), or one who also had DONT_EXPIRE_PASSWORD (65536) set (meaning their value was 66082), you would not find those users in your query.

What you need to do is use a bitwise AND in order to query the value of only that bit:

10 0010 0010
00 0000 0010
------------
00 0000 0010

If the value for that bit is 1, then that bit is set. It doesn't matter what the other bits are set to, so you are effectively asking if userAccountControl & 2 == 2.

The LDAP syntax for checking a bit using AND is 1.2.840.113556.1.4.803, therefore you can see if the ACCOUNTDISABLE bit is set with (userAccountControl:1.2.840.113556.1.4.803:=2). Adding (!(foo)) around it gives you all the users who are not disabled.

Ldap – What permissions are required for enumerating users groups in Active Directory

On your domain object, you need to assign the querying user the "Read MemberOf" right to User objects.

Open AD U&C browse to your domain object
Right click and go to properties:
Security tab, click Advanced
Click Add
Enter the user name to add
Click the Properties tab
In 'Apply Onto' change the type to User
Click the "Read MemberOf" checkbox:
OK out of there

That should set it up so that the specified account can read the group memberships of all User accounts in the domain.

Best Answer

Related Solutions

Ldap – How to build an LDAP query for AD that returns all users in a particular security group whose accounts are not disabled

Ldap – What permissions are required for enumerating users groups in Active Directory

Related Topic