LDAP - Efficiently get list of groups with recursive membership - active-directory

My goal is to get a list of groups (and not users).
There are two kinds of groups we look at right now: Groups XA, XB, XC and Group N. Groups XA, XB, XC have a common prefix X, Group N is a member of Group XA.
I've simplified the queries and full names for better readability.
Accordingly,
Get-ADGroupMember -Identity "CN=XA,DC=myserver,DC=com"
will list Group N, and vice versa the query
Get-ADGroup -Identity "CN=N,DC=myserver,DC=com" -Properties memberOf
will show me Group XA as part of the memberOf property.
When querying for a list of groups, I want to show both Groups XA, XB, XC and N.
My idea was to use the LDAP_MATCHING_RULE_IN_CHAIN to get both, so I've constructed this query:
Get-ADGroup -LDAPFilter '(&(objectclass=group)(|(sAMAccountName=X*)(memberOf:1.2.840.113556.1.4.1941:=cn=XA,DC=myserver,DC=com)))'
This works, but at this large AD, the query is really expensive (takes about 20s).
Just querying for sAMAccountName=X* on the other hand is fast.
Is there a way to construct a filter that only looks at groups matching sAMAccountName=X* and then simply adds their direct child groups as well?
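The two-step query asked about above, modelled offline as an added example (this is not code from the original post, and the directory snapshot, domain name, DNs and group names are all constructed). It computes what the chain matching rule (OID 1.2.840.113556.1.4.1941) evaluates in both directions, handles the nesting cycles AD permits, and contrasts that with the cheaper "prefix match, then add direct child groups" variant, which only walks one level:

```python
"""Offline model of what AD's LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941)
evaluates: transitive group membership in both directions, plus the cheaper
"prefix match, then add direct child groups" two-step asked about above.

Everything below is constructed for the example: the DNs, group names and the
snapshot itself are hypothetical, not taken from any real domain.
"""
from collections import deque

BASE = "DC=example,DC=com"          # assumption: a throw-away domain name


def gdn(cn):
    return f"CN={cn},OU=Groups,{BASE}"


def udn(cn):
    return f"CN={cn},OU=Users,{BASE}"


# 'member' is the forward link AD stores; memberOf is the back-link it derives.
DIRECTORY = {
    gdn("XA"): {"objectClass": "group", "sAMAccountName": "XA", "member": [gdn("N"), udn("alice")]},
    gdn("XB"): {"objectClass": "group", "sAMAccountName": "XB", "member": [gdn("XA")]},
    gdn("XC"): {"objectClass": "group", "sAMAccountName": "XC", "member": []},
    gdn("N"):  {"objectClass": "group", "sAMAccountName": "N",  "member": [gdn("M"), udn("bob")]},
    # M contains N and N contains M: a nesting cycle, which AD permits.
    gdn("M"):  {"objectClass": "group", "sAMAccountName": "M",  "member": [gdn("N")]},
    gdn("Other"): {"objectClass": "group", "sAMAccountName": "Other", "member": []},
    udn("alice"): {"objectClass": "user", "sAMAccountName": "alice", "member": []},
    udn("bob"):   {"objectClass": "user", "sAMAccountName": "bob",   "member": []},
}


def _norm(dn):
    """AD compares DNs case-insensitively; normalise before using one as a key."""
    return dn.lower()


def build_index(directory):
    """Canonical-DN lookup plus the memberOf back-link that AD maintains for us."""
    by_dn = {_norm(dn): dn for dn in directory}
    member_of = {}
    for dn, attrs in directory.items():
        for m in attrs.get("member", []):
            member_of.setdefault(_norm(m), set()).add(dn)
    return by_dn, member_of


def _closure(start, neighbours):
    """Breadth-first transitive closure. The visited set is what stops a nesting
    cycle from looping forever; the start node is only reported if a cycle leads
    back to it, which matches what the chain matching rule returns."""
    visited, found, queue = set(), [], deque([start])
    while queue:
        for nxt in neighbours(queue.popleft()):
            key = _norm(nxt)
            if key not in visited:
                visited.add(key)
                found.append(nxt)
                queue.append(nxt)
    return found


def members_in_chain(directory, group_dn, object_class=None):
    """Objects matched by (memberOf:1.2.840.113556.1.4.1941:=<group_dn>), optionally
    narrowed by objectClass as the '(&(objectClass=user)...)' variants do."""
    by_dn, _ = build_index(directory)

    def attrs(dn):
        return directory.get(by_dn.get(_norm(dn), dn), {})

    found = _closure(group_dn, lambda dn: attrs(dn).get("member", []))
    if object_class:
        found = [dn for dn in found if attrs(dn).get("objectClass") == object_class]
    return found


def groups_in_chain(directory, object_dn):
    """Groups matched by (member:1.2.840.113556.1.4.1941:=<object_dn>): every group
    the object belongs to directly or through any depth of nesting."""
    _, member_of = build_index(directory)
    return _closure(object_dn, lambda dn: sorted(member_of.get(_norm(dn), ())))


def prefix_groups_with_direct_children(directory, prefix):
    """The two-step query from the question: groups whose sAMAccountName starts with
    prefix (the cheap indexed search), plus only their *direct* member groups."""
    by_dn, _ = build_index(directory)
    p = prefix.lower()                      # sAMAccountName matching is case-insensitive
    seeds = [dn for dn, a in directory.items()
             if a["objectClass"] == "group" and a["sAMAccountName"].lower().startswith(p)]
    result = {_norm(dn): dn for dn in seeds}
    for dn in seeds:
        for child in directory[dn]["member"]:
            cdn = by_dn.get(_norm(child))
            if cdn and directory[cdn]["objectClass"] == "group":
                result.setdefault(_norm(cdn), cdn)
    return sorted(result.values())


if __name__ == "__main__":
    print("users under XA:", members_in_chain(DIRECTORY, gdn("XA"), "user"))
    print("groups containing bob:", groups_in_chain(DIRECTORY, udn("bob")))
    print("X* groups plus direct children:", prefix_groups_with_direct_children(DIRECTORY, "X"))
```

The two-step variant returns XA, XB, XC and N for the snapshot above but not M, which sits one level deeper under N; that is the trade-off behind its lower cost. When the purpose is a privilege review (who is effectively in a sensitive group), use the full chain, and keep the cycle handling: AD will happily store M inside N inside M, and a naive walk never terminates.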

Related

LDAP memberOf returns no results

I'm trying to create a custom query in ADUaC to help me index administrators in my system. I've narrowed down security groups that I need to list the members of, but I'm misusing the 'memberOf' attribute in some way which breaks the query.
(objectClass=user)(objectCategory=user)(memberOf=*)
The above query works fine to return all users, but the when I change the wildcard to anything else (ex. (memberOf=*Administrators*)), the query returns no objects.
I have confirmed that there is a relevant Security Group for this query to get users from. I am aware that it does not work for Primary Groups or nested users, and I am simply trying to get it working on a basic level right now. Anyone know how to have the code return users that are a member of the security group?
Unfortunately, you cannot use the wildcard * character to filter distinguishedName attributes. The reason for this is the X.500 Standard.
http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm
Perhaps PowerShell can be handy. Something like this could do the trick:
#for just one group
Get-ADGroupMember -Recursive -Identity "Domain Admins"
#for a batch of groups
$adminsgroups = "Enterprise Admins","Domain Admins"
foreach ($admingroup in $adminsgroups)
{
#with the recursive switch you get nested group members
Get-ADGroupMember -Recursive -Identity $admingroup
}

Display all nested groups members of a specific group using LDAP?

I am looking for an LDAP query that would return all groups that are members of a certain LDAP/AD group, including all children.
Imagine this tree: A, A.1, A.2, A.1.1
I want to query A and get: 3 results: A.1, A.2, A.1.1
From my initial research it seems that is related to LDAP_MATCHING_RULE_IN_CHAIN from http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx but I wasn't able to figure out the proper syntax for performing the query.
Note: this is a Microsoft Active Directory so the solution doesn't have to be generic.
Not sure from your explanation what you are trying to accomplish, but one of these should work:
Resolves all members (including nested) of security groups (requires at least Windows 2003 SP2):
(memberOf:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=YOURDOMAIN,DC=NET)
Or to retrieve only users:
(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=YOURDOMAIN,DC=NET))
-jim

LDAP nested group filter for microsoft AD

I would like to write a search filter which would help me retrieve all groups which a user is part of.
For instance:
Say I am retrieving entries for user A (which is part of group A). And group A may be part of group B and group D which in turn may be part of group E.
Now, my search filter should return me MemberOf attribute as all possible groups which user A is part of (in this specific case it is Group A, B, D, E).
Any pointers on how the search filter can look like?
This should do what you are asking about. It will return the FDN of each group the user is a memberOf, however, this queries the group, not the user.
As an example, to find all the groups that "CN=John Smith,DC=MyDomain,DC=NET" is a member of, set the base to the groups container DN; for example (OU=groupsOU,DC=MyDomain,DC=NET) and the scope to subtree, and use the following filter.
(member:1.2.840.113556.1.4.1941:=CN=John Smith,DC=MyDomain,DC=NET)
-jim
There is an attribute called tokenGroups in the user object. It's a constructed attribute calculated by Active Directory at runtime. It includes all the groups the user object belongs to.
Make sure your domain has a Global Catalog and make sure the account that you are using is in the Pre-Windows 2000 Compatible Access group. Then make sure tokenGroups is specified as one of the returned properties. Do a base-scope search on the user object.
You can use adfind.exe (joeware) to sort out this issue and to utilize standard ldap filters that are described here. For example:
http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
Group nesting is specified to be like this:
(member:1.2.840.113556.1.4.1941:=cn=Jim Smith,ou=West,dc=Domain,dc=com)
and if you use adfind, then it would look like this:
adfind -f "(member:1.2.840.113556.1.4.1941:=cn=Jim Smith,ou=West,dc=Domain,dc=com)" samaccountname -list
If you want to have output other than samaccountname, for example displayname, or mail attribute, just add to the list. Also if you want to search multiple users, then you might want to have inputfile containing all users and some script to extract each lines to adfind for example.
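Building the (member:OID:=DN) and (memberOf:OID:=DN) filters from the answers above in code, as an added example that is not part of the original posts. The DN goes into the filter as an assertion value, so the RFC 4515 specials in it (parentheses, asterisk, backslash, NUL) must be escaped; a DN taken from user input and pasted in raw is an LDAP injection vector. The matching-rule OID is the real LDAP_MATCHING_RULE_IN_CHAIN; the DNs in the demo are hypothetical:

```python
"""Build AD nested-membership filters from untrusted DNs without breaking the filter.

Added example, not from the original posts. The matching-rule OID is the real
LDAP_MATCHING_RULE_IN_CHAIN; the DNs used in the demo are hypothetical.
"""

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 section 3: these characters are special inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as an LDAP filter assertion value.

    Handles the RFC 4515 specials and emits non-ASCII characters as escaped
    UTF-8 bytes. A DN with an RFC 4514-escaped comma ('Smith\\, John') comes out
    as 'Smith\\5c, John', which is the correct double encoding for a filter."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def nested_groups_of(object_dn):
    """Every group that contains object_dn directly or through nesting
    (the (member:OID:=DN) form used in the answers above)."""
    return f"(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(object_dn)})"


def nested_members_of(group_dn, object_category="user"):
    """Every object of the given category that is in group_dn at any depth."""
    return (f"(&(objectCategory={escape_filter_value(object_category)})"
            f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)}))")


def nested_members_of_any(group_dns, object_category="user"):
    """OR of several nested-membership clauses for a set of groups."""
    clauses = "".join(
        f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(dn)})" for dn in group_dns)
    return f"(&(objectCategory={escape_filter_value(object_category)})(|{clauses}))"


def is_single_filter_item(ldap_filter):
    """Cheap pre-send check: a filter must be exactly one parenthesised item.
    An unescaped value that closes the item early and opens another fails here."""
    depth = 0
    last = len(ldap_filter) - 1
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != last):
                return False   # closed early: a second top-level item was smuggled in
    return depth == 0 and ldap_filter.startswith("(")


if __name__ == "__main__":
    # Hypothetical DNs. The second one is what an attacker-controlled name
    # might look like if it were pasted into a filter unescaped.
    print(nested_groups_of("CN=John Smith,OU=West,DC=example,DC=com"))
    hostile = "CN=x,DC=example,DC=com)(objectClass=*"
    print(nested_groups_of(hostile))                 # parentheses and * arrive escaped
    print(nested_members_of_any(["CN=GroupOne,OU=Groups,DC=example,DC=com",
                                 "CN=GroupTwo,OU=Groups,DC=example,DC=com"]))
```

The escaping is the part that matters: with it, a DN such as the hostile one above reaches the DC as a harmless literal; without it, the same string turns a single membership lookup into "(member:...:=CN=x,...)(objectClass=*)", which is no longer the query you meant to send.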

Query to list all users of a certain group

How can I use a search filter to display users of a specific group?
I've tried the following:
(&
(objectCategory=user)
(memberOf=MyCustomGroup)
)
and this:
(&
(objectCategory=user)
(memberOf=cn=SingleSignOn,ou=Groups,dc=tis,dc=eg,dc=ddd,DC=com)
)
but neither display users of a specific group.
memberOf (in AD) is stored as a list of distinguishedNames. Your filter needs to be something like:
(&(objectCategory=user)(memberOf=cn=MyCustomGroup,ou=ouOfGroup,dc=subdomain,dc=domain,dc=com))
If you don't yet have the distinguished name, you can search for it with:
(&(objectCategory=group)(cn=myCustomGroup))
and return the attribute distinguishedName. Case may matter.
For Active Directory users, an alternative way to do this would be -- assuming all your groups are stored in OU=Groups,DC=CorpDir,DC=QA,DC=CorpName -- to use the query (&(objectCategory=group)(CN=GroupCN)). This will work well for all groups with fewer than 1500 members. If you want to list all members of a large AD group, the same query will work, but you'll have to use ranged retrieval to fetch all the members, 1500 records at a time.
The key to performing ranged retrievals is to specify the range in the attributes using this syntax: attribute;range=low-high. So to fetch all members of an AD Group with 3000 members, first run the above query asking for the member;range=0-1499 attribute to be returned, then for the member;range=1500-2999 attribute.
If the DC is Win2k3 SP2 or above, you can use something like:
(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=example,DC=com))
to get the nested group membership.
Source: https://ldapwiki.com/wiki/Active%20Directory%20Group%20Related%20Searches
And the more complex query if you need to search in a several groups:
(&(objectCategory=user)(|(memberOf=CN=GroupOne,OU=Security Groups,OU=Groups,DC=example,DC=com)(memberOf=CN=GroupTwo,OU=Security Groups,OU=Groups,DC=example,DC=com)(memberOf=CN=GroupThree,OU=Security Groups,OU=Groups,DC=example,DC=com)))
The same example with recursion:
(&(objectCategory=user)(|(memberOf:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=example,DC=com)(memberOf:1.2.840.113556.1.4.1941:=CN=GroupTwo,OU=Security Groups,OU=Groups,DC=example,DC=com)(memberOf:1.2.840.113556.1.4.1941:=CN=GroupThree,OU=Security Groups,OU=Groups,DC=example,DC=com)))
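The ranged-retrieval loop described in the answer above, as an added example that is not part of the original posts. The part the answer leaves out is how the client knows it is done: a DC labels the final slice as `member;range=N-*` rather than with a numeric upper bound, and a small attribute comes back with no range label at all. FakeRangedServer is a constructed stand-in for a domain controller so the loop runs offline; the 1500 cap is AD's default MaxValRange and the member DNs are made up:

```python
"""Ranged retrieval of a large multi-valued attribute (AD caps a single read at
MaxValRange, 1500 by default), driven by the 'attr;range=low-high' labels.

Added example, not from the original answer. FakeRangedServer is a constructed
stand-in for a domain controller so the loop can be run offline; the member
DNs it serves are made up.
"""
import re

MAX_VAL_RANGE = 1500   # AD default; a DC may be configured lower

_RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$")


def ranged_attribute(attr, low, high=None):
    """Attribute description requesting one slice: 'member;range=0-1499' or,
    with high=None, 'member;range=1500-*' (give me the rest, server decides size)."""
    return f"{attr};range={low}-{'*' if high is None else high}"


def parse_range_label(attr_desc):
    """Split the label the server returns into (attr, low, high); high is None for
    the 'N-*' form, which is how AD marks the final chunk."""
    m = _RANGE_RE.match(attr_desc)
    if m is None:
        raise ValueError(f"not a ranged attribute description: {attr_desc!r}")
    high = m.group("high")
    return m.group("attr"), int(m.group("low")), None if high == "*" else int(high)


class FakeRangedServer:
    """Constructed model of a DC's behaviour for one group's 'member' attribute."""

    def __init__(self, members, max_range=MAX_VAL_RANGE):
        self.members = list(members)
        self.max_range = max_range

    def search(self, attr_desc):
        """Return {label: values} the way a DC labels a ranged result."""
        total = len(self.members)
        m = _RANGE_RE.match(attr_desc)
        if m is None:                              # plain 'member' requested
            if total <= self.max_range:
                return {attr_desc: list(self.members)}   # fits, so no range label at all
            attr, low = attr_desc, 0
            end = min(self.max_range, total)
        else:
            attr, low = m.group("attr"), int(m.group("low"))
            end = min(low + self.max_range, total)
            if m.group("high") != "*":
                end = min(end, int(m.group("high")) + 1)
        label = f"{attr};range={low}-{'*' if end >= total else end - 1}"
        return {label: self.members[low:end]}


def read_all_members(server, attr="member"):
    """Drain the attribute: ask plainly first, then follow the returned labels,
    requesting 'low-*' each time until the server answers with 'N-*'."""
    values = []
    request = attr
    while True:
        result = server.search(request)
        if not result:                          # attribute absent on the object
            return values
        label, chunk = next(iter(result.items()))
        values.extend(chunk)
        if label == attr:                       # whole attribute came back unranged
            return values
        _, _, high = parse_range_label(label)
        if high is None:                        # 'N-*' means this was the last slice
            return values
        request = ranged_attribute(attr, high + 1)


if __name__ == "__main__":
    big = FakeRangedServer(f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(3200))
    print(big.search("member").keys())          # dict_keys(['member;range=0-1499'])
    print(len(read_all_members(big)))           # 3200
```

Stopping on the `N-*` label rather than on a short chunk is deliberate: a DC can legitimately return fewer than 1500 values in a middle slice if its MaxValRange is set lower than you assumed, and a client that treats "short chunk" as "done" silently under-reports group membership, which is the wrong failure mode for an access review.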

single line LDAP query that enumerates users from a group within a supergroup

I have a scheme that looks like this:
Users exist like UserA, UserB, UserC.
Groups exist like OverGroup, SubGroup.
OverGroup automatically adds new users like UserA, UserB, etc. to its membership.
SubGroup I created myself. I have set OverGroup to be a member of SubGroup.
I want to be able to one-line query SubGroup and retrieve not OverGroup, i.e.:
Values:
CN=OverGroup,OU=Groups,DC=example,DC=com
but the full enumeration of the actual Users (User A, B, C) within OverGroup, i.e.:
Values:
CN=UserA,OU=OtherOU,DC=example,DC=com
CN=UserB,OU=OtherOU,DC=example,DC=com
CN=UserC,OU=OtherOU,DC=example,DC=com
Is there a one-liner LDAP filter that could retrieve this? (It will be put into the ExternalAuth configuration 'ldap' section in a Request Tracker instance. Pretty sure I can only do this with one query the ExternalAuth module can understand.)
Everything I try does not work, and from my reading, it does not seem possible to enumerate a list of users within a group that is a member of another group with any one-line query. Thoughts?
Active Directory has a special search filter option that allows it to filter through chained objects, like nested groups. The capability is described here.
Here is an example of how to retrieve all users in a group, including nested groups:
(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:={0}))
where {0} is the DN of the parent group.
(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=MPV_BedPlacement,OU=Security Groups,OU=Groups,OU=CCHCS,DC=CCHCS,DC=LDAP))
You have to add the full DN for the group and no curly braces.
