Ldapsearch and groups and Active Directory - active-directory

I am trying to get a list of groups/users using ldapsearch.
Most of the searches I have seen show that the way to get only enabled/active users is to use a query similar to the following:
(&(objectCategory=person)
(objectClass=user)
(sAMAccountType=805306368)
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
(sAMAccountName=<username>))
The issue I am having is I need a list of ALL AD Groups and their Users that are active with the disabled users removed.
Typically I have seen groups pulled with something like this
(&(objectClass=group)(member=*))
This query pulls the groups and users but pulls ALL users disabled and enabled.
What I need is a way to accomplish both.
So far I have tried combining the commands but it has proven to be unsuccessful.
(&(objectCategory=group)
(objectclass=group)
(!(isCriticalSystemObject=TRUE))
(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Is there a way to accomplish the task of pulling only enabled users while still getting all the groups?

The problem is that by querying groups objectclass=group, you can only filter which groups, not which member (active or not) of those groups, so you would have to intersect the members (all) of each group with the set of active users, which implies another query to grab those users in the first place, and a bit more client code to process the results.
The good news is that AD implements the memberOf attribute, so you can do it the other way around: search for all active users and list the groups they belong to by reading this attribute.

Related

LDAP attribute to filter built-in or default OUs in AD

To reduce clutter in a selector GUI element I need a way to tell OUs that ship with AD and Exchange by default (builtins, schema defined, security or whatever) from such that the admin created to organize their domain. E.g. the filter should ignore OUs like:
OU=Domain Controllers,DC=example,DC=com
OU=Microsoft Exchange Security Groups,DC=example,DC=com
and only let those pass that were manually added.
So far I've been investigating the bits in the systemFlags: attribute. The values are inconclusive though as some bits, e.g. non-removability, are set for basic AD objects but don't appear so for objects added by Exchange.
I'm not sure if the attribute itself can be present in user defined OUs. If not, that would be a sufficient signal to base the filter on. [MS-ADTS] lists it as optional though.
You can't filter by OU in an LDAP query, since a query cannot do partial matches on the distinguishedName (e.g. this won't work: (!distinguishedName=*OU=Domain Controllers*))
If you want to exclude objects in certain OUs, you have two options:
Do it after the query, in your own code, where you can do partial comparisons on the distinguishedName, or
Make separate searches in the OUs that you do want. You can set the search root in each query to the OU you want, then repeat that for every OU you want to include.
Depending what you are trying to search for and the number of results, the first method might be faster than the second.
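The first option above (filter after the query, in your own code) done on parsed DN components rather than substrings, as an added example that is not part of the thread. The DNs and OU list are constructed sample data; a real substring test would wrongly match "OU=Domain Controllers Support", which this component-wise check does not.

```python
# Added example (not from the thread): client-side exclusion of objects that sit in
# certain OUs. LDAP cannot substring-match distinguishedName, so the comparison is
# done here on parsed RDN components. All DNs below are constructed sample data.

import re


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas (RFC 4514)."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def normalise(rdn):
    """Case-insensitive attribute type and value, e.g. 'ou=domain controllers'."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def is_under(entry_dn, container_dn):
    """True if entry_dn lies anywhere below container_dn (component-wise suffix test)."""
    entry = [normalise(r) for r in split_dn(entry_dn)]
    container = [normalise(r) for r in split_dn(container_dn)]
    return len(entry) > len(container) and entry[-len(container):] == container


def exclude_ous(entry_dns, excluded_ous):
    """Keep only entries that are not inside any of the excluded OUs."""
    return [dn for dn in entry_dns if not any(is_under(dn, ou) for ou in excluded_ous)]


# Constructed results as they might come back from a subtree search on the domain root
RESULTS = [
    "CN=DC01,OU=Domain Controllers,DC=example,DC=com",
    "CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=example,DC=com",
    "CN=Smith\\, John,OU=Staff,OU=Domain Controllers Support,DC=example,DC=com",  # not the DC OU
    "CN=jdoe,OU=Staff,DC=example,DC=com",
]
EXCLUDED = [
    "OU=Domain Controllers,DC=example,DC=com",
    "OU=Microsoft Exchange Security Groups,DC=example,DC=com",
]

if __name__ == "__main__":
    for dn in exclude_ous(RESULTS, EXCLUDED):
        print(dn)
```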

Dynamic distribution groups: Which DDGs is user part of?

I know how to get all the members of a dynamic distribution group: I can take the distribution group, get the AD filters from msExchDynamicDLFilter and msExchQueryFilter properties and query the AD for the users who match that filter.
Now, how do I go the other way? E.g. show which dynamic distribution groups a user is part of? Is there any better way than taking all the hundreds of dynamic distribution groups from AD, resolving each of them, one after the other, and looking whether the user is in the resolved list?
No there is not. DDGs were created for Exchange. So upon message submission, the DDGs are resolved.
That being said, you can only retrieve all DDGs, do the queries and check to see which ones yield the desired user.

Finding fellow members of an Active Directory group?

I need to list all members of all groups, where a given user (or a small group of users) are members.
The straightforward way to do it is to get the list of groups from the memberOf-attribute of the seed-user(s) and loop through them collecting their other members.
But, perhaps, there is some better way -- with advanced LDAP -- to do it in fewer (or even just one) query?
If it matters, I'm talking to Active Directory from a PHP-script using the ldap-extension. Thanks!
For a given user, you can obtain all groups where the user is a member, including nested groups, using the filter:
(member:1.2.840.113556.1.4.1941:=CN=UserName,CN=Users,DC=YOURDOMAIN,DC=NET)
-jim

retrieving group members/membership from active directory when members attrib doesn't work

I am trying to get all group members from "Domain Users". When using AD Users MMC tab, I get a lot of results. When using ADSI - not. The following DOESN'T work as expected:
looking at members attribute of the group entry via LDAP/ADSI. It returns only 56 members when there are considerably more.
searching by memberOf (returns just a few entries)
searching by primaryGroup (it is not a primary group)
searching by tokenGroups (it is a constructed attribute)
any ideas appreciated.
(I just read more carefully and saw that you mentioned it's not a primary group... but I'm suspicious this is the answer anyway :))
There is another mechanism by which a user can be a member of a group, and it's controlled by the primaryGroupID attribute of the user in the group.
If the primaryGroupID of a user is set to some RID of a group, the user is functionally in the group, even though they don't show up in the member attribute of the group. Tools like ADUC are wise enough to look for this. When you step a bit lower in the stack and hit the directory over LDAP, it is up to you to be smart enough to go hunting for it.
You can either do searches for this or use constructed attributes in the directory that take this into account.
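Putting the first thread's answer (walk enabled users and their memberOf instead of the groups' member attribute) together with the primaryGroupID point above, as an added example that is not code from the thread. The group and user entries are constructed sample data standing in for ldapsearch results; the disabled test is the same bit the (userAccountControl:1.2.840.113556.1.4.803:=2) filter checks.

```python
# Added example (not from the thread): build "group -> enabled members" from the user
# side (memberOf) and also count a user whose primaryGroupID matches the group's RID,
# which the group's member attribute does not list. Entries are constructed sample data.

UAC_ACCOUNTDISABLE = 0x2  # bit tested by (userAccountControl:1.2.840.113556.1.4.803:=2)

# Constructed group entries: DN and objectSid (the RID is the last sub-authority)
GROUPS = [
    {"dn": "CN=Domain Users,CN=Users,DC=example,DC=com", "objectSid": "S-1-5-21-111-222-333-513"},
    {"dn": "CN=Finance,OU=Groups,DC=example,DC=com", "objectSid": "S-1-5-21-111-222-333-1105"},
]

# Constructed user entries: memberOf holds direct groups only, never the primary group
USERS = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=com", "userAccountControl": 512,
     "primaryGroupID": 513, "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=bob,CN=Users,DC=example,DC=com", "userAccountControl": 514,  # 512 | ACCOUNTDISABLE
     "primaryGroupID": 513, "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=carol,CN=Users,DC=example,DC=com", "userAccountControl": 66048,  # 512 | DONT_EXPIRE
     "primaryGroupID": 513, "memberOf": []},
]


def is_enabled(user):
    """Same test as the bitwise-AND matching rule in the first question's filter."""
    return not (int(user["userAccountControl"]) & UAC_ACCOUNTDISABLE)


def rid_of(object_sid):
    """Relative identifier = last sub-authority of the SID string."""
    return int(object_sid.rsplit("-", 1)[1])


def enabled_members_by_group(groups, users):
    """Map group DN -> sorted enabled user DNs, from memberOf plus primaryGroupID."""
    by_rid = {rid_of(g["objectSid"]): g["dn"] for g in groups}
    result = {g["dn"]: [] for g in groups}
    for u in users:
        if not is_enabled(u):
            continue  # disabled accounts dropped here, no second query needed
        group_dns = set(u.get("memberOf", []))
        primary = by_rid.get(int(u["primaryGroupID"]))
        if primary:
            group_dns.add(primary)  # invisible in the group's member attribute
        for dn in group_dns:
            result.setdefault(dn, []).append(u["dn"])
    return {dn: sorted(m) for dn, m in result.items()}


if __name__ == "__main__":
    for dn, members in enabled_members_by_group(GROUPS, USERS).items():
        print(dn, "->", members)
```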

LDAP filter for searching students

I am fairly new to LDAP and AD. I want to create an LDAP filter to show all the students in the AD. But the problem is that the students are in different BASE DN:
OU=STUDENTS,OU=USERS,OU=SOE,OU=FOAE,OU=UNIVERSITY,DC=sepang
OU=STUDENTS,OU=USERS,OU=SOMLC,OU=FOAE,OU=UNIVERSITY,DC=sepang
OU=STUDENTS,OU=USERS,OU=SOCS,OU=FOS,OU=UNIVERSITY,DC=sepang
i.e. for each student it is like
CN=khx72b,OU=STUDENTS,OU=USERS,OU=SOCS,OU=FOS,OU=UNIVERSITY,DC=sepang
As you can see students from different faculties are in different places.
Given a username, how can I search and find if the given user is in the directory?
The objectClass for all the students is 'user'.
As it seems you are searching for objects of type 'user' which are in OUs called 'STUDENTS' but otherwise have no common parent.
This cannot be done in one step (i.e. with a single LDAP query).
You must either retrieve all OUs named 'STUDENTS' and use them as Base DNs one by one, like you've already indicated.
Or you find a property that all students share (a direct group membership, for example, or a special value somewhere) and use that as the filter. This is a more dangerous approach since nothing guarantees that every student actually has the feature you rely on - some might have been not entered into AD correctly.
Tomalak is right, Microsoft does provide many attributes that you could use for this purpose such as "employeeType", "comment", "department", "company", "department", "division", etc, but the problem with these is that they are not prepopulated with any information that can help you now. You can start using one of these for future purposes, but then you must maintain that practice in order for it to be consistent. I think the easiest solution for you is probably to put each of the users into a group that is named similar to the OU name, which should be a really easy task if they're currently in the same OU. Then once this is done you can easily create an LDAP query which will then look at the membership of that group like this:
(&(objectCategory=person)(objectClass=user)(memberOf=CN=STUDENTS GROUP,OU=USERS,OU=SOCS,OU=FOS,OU=UNIVERSITY,DC=sepang))
Please note when using the "memberOf" in an LDAP filter the search value must be a complete string to a group, and so you CAN'T use a wildcard such as: memberOf=CN=STUDENTS GROUP*).
You will still have to maintain a practice that you or someone or something (such as an automated schedule script task) which maintains the group membership to ensure that your LDAP query will be accurate.
I did see this post which says what you're trying to do is possible without having to do anything extra by "Matching Components of Distinguished Names", but I have never seen this before and I could not get it to work. Also take a look at this tutorial on ADO searches to learn more about how these things work.
Search for objects in an OU by setting "searchRoot" to the LDAP path to the OU. All searches will then be confined to that OU.