LDAP group membership (including Domain Users) - active-directory

How can I get a list of users within an LDAP group, even if that group happens to be the primary group for some users?
For example, suppose "Domain Users" is "Domain Leute" in German. I want all members of "CN=Domain Leute,DC=mycompany,DC=com". How would I know that is the well-known "Domain Users" group?
Or what if some users' primary group was changed to "CN=rebels,DC=mycompany,DC=com", and I wanted to get members of THAT group? Users don't have a memberOf property for their primary group, and the primary group won't have a member property listing them.
This is what I see when viewed via LDAP (ie, no MS extensions):

To get the primaryGroupToken from any given group, extract it from the objectSid. For example, the Domain Users objectSid is S-1-5-21-704657944-2065781323-617630493-513; the primaryGroupToken is the last digits after the final "-", so in the case of "Domain Users" it's 513.

You need to find out primaryGroupToken from the Group object first. If you are using ADSIEdit, you need to make sure you have "Constructed" filter on to see this calculated attribute. For Domain Users, the primaryGroupToken should be 513.
Then, you need to find all the users with primaryGroupID set to this value. Here is the LDAP query you should write to find all users with Domain Users set as the primary group:
(&(objectCategory=person)(objectClass=user)(primaryGroupID=513))
EDIT
Here are the steps to show primaryGroupToken in LDAP Browser. I am using LDAP Browser 2.6 build 650. Right-click your profile and click Properties.
Go to LDAP Settings tab and click Advanced button.
Add an extra operational attribute primaryGroupToken
Click Apply button and close the properties page. Now, you should see the primaryGroupToken in your group object.
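An added example (not from any of the posts above) that does the objectSid step in Python without an LDAP library: it decodes the binary objectSid exactly as AD returns it over LDAP, extracts the RID that AD exposes as primaryGroupToken, maps well-known RIDs back to their English names (which is how a localized "Domain Leute" can be recognized as Domain Users), and builds the primaryGroupID filter from the answers above. The sample SID bytes are constructed from the Domain Users SID quoted in the first answer; WELL_KNOWN_RIDS is the standard Windows RID list, not something the posts define.

```python
import struct

# Well-known domain-relative RIDs (Windows assigns these identically in every
# domain, regardless of the group's localized display name).
WELL_KNOWN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
}

def sid_bytes_to_string(sid: bytes) -> str:
    """Decode a binary objectSid (as AD returns it over LDAP) to S-1-5-... form."""
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, sub_count = sid[0], sid[1]
    if len(sid) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")            # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, sid, 8)  # each little-endian
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))

def primary_group_token(sid: bytes) -> int:
    """The last sub-authority (RID) is what AD exposes as primaryGroupToken."""
    sub_count = sid[1]
    if sub_count == 0:
        raise ValueError("SID has no sub-authorities, so no RID")
    return struct.unpack_from("<I", sid, 8 + 4 * (sub_count - 1))[0]

def primary_group_member_filter(sid: bytes) -> str:
    """Filter for users whose primary group is the group with this objectSid."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(primaryGroupID=%d))" % primary_group_token(sid))

def well_known_name(sid: bytes):
    """Map a (possibly localized) group back to its well-known English name, if any."""
    return WELL_KNOWN_RIDS.get(primary_group_token(sid))

# Constructed sample: the Domain Users objectSid quoted in the answer above,
# S-1-5-21-704657944-2065781323-617630493-513, encoded the way AD stores it.
DOMAIN_USERS_SID = (
    b"\x01\x05" + (5).to_bytes(6, "big")
    + struct.pack("<5I", 21, 704657944, 2065781323, 617630493, 513)
)

if __name__ == "__main__":
    print(sid_bytes_to_string(DOMAIN_USERS_SID), well_known_name(DOMAIN_USERS_SID))
    print(primary_group_member_filter(DOMAIN_USERS_SID))
```

Because the RID is compared as a number, the same filter works for a renamed "rebels" group: decode its objectSid and the last sub-authority is its primaryGroupToken.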

This is a PS script that I made to do exactly that:
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices");
$groupName = "Grupo Domain";
$directoryEntry = New-Object System.DirectoryServices.DirectoryEntry;
$directorySearcher = New-Object System.DirectoryServices.DirectorySearcher($directoryEntry, "(&(objectClass=group)(CN=$groupName))");
[void]$directorySearcher.PropertiesToLoad.Add("objectSid");
[void]$directorySearcher.PropertiesToLoad.Add("member");
$result = $directorySearcher.FindOne();
if ($result -eq $null) { return; }
# Try to get the group members through the "member" property.
if ($result.Properties["member"].Count -gt 0) {
    foreach ($member in $result.Properties["member"]) {
        $memberSearcher = New-Object System.DirectoryServices.DirectorySearcher($directoryEntry, "(&(objectClass=*)(distinguishedName=$member))");
        [void]$memberSearcher.PropertiesToLoad.Add("msDS-PrincipalName");
        $memberResult = $memberSearcher.FindOne();
        if ($memberResult -eq $null) { continue; }
        Write-Output $memberResult.Properties["msDS-PrincipalName"];
    }
    return;
}
if ($result.Properties["objectSid"].Count -gt 0) {
    # The group might be an AD primary group. Try to get the members by primaryGroupID.
    $groupSid = New-Object System.Security.Principal.SecurityIdentifier($result.Properties["objectSid"][0], 0);
    # Hacky way to get only the last RID: strip the domain SID prefix, leaving e.g. "513".
    $primaryGroupSid = $groupSid.Value.Replace($groupSid.AccountDomainSid.ToString(), [String]::Empty).TrimStart('-');
    $memberSearcher = New-Object System.DirectoryServices.DirectorySearcher($directoryEntry, "(&(objectClass=*)(primaryGroupId=$primaryGroupSid))");
    [void]$memberSearcher.PropertiesToLoad.Add("msDS-PrincipalName");
    $memberResult = $memberSearcher.FindAll();
    # FindAll() returns an empty collection rather than $null; "continue" outside a loop would end the script, so use "return".
    if ($memberResult -eq $null) { return; }
    foreach ($member in $memberResult) {
        Write-Output $member.Properties["msDS-PrincipalName"];
    }
}

Related

How to filter result to get groups based on users from AZure AD using Microsoft Graph Api

I am getting groups from AZ AD based on users. In one scenario I need to get all, but in the other scenario I want to filter and only get groups based on the filter. I used the below code but I am not getting data.
The groups that I need: Technician, Research, ADMIN. I want to just get these groups based on the user identification/email.
Below is the code:
GraphServiceClient graphClient = GetGraphicClient(accessToken);
List<Option> options = new List<Option>();
options.Add(new HeaderOption("ConsistencyLevel", "eventual"));
options.Add(new QueryOption("$filter", $"DisplayName eq 'Technician'"));
// options.Add(new QueryOption("$filter", $"DisplayName eq 'Research'"));
options.Add(new QueryOption("$count", "true"));
var groups = graphClient.Users[uniqueIdentification]
    .MemberOf
    .Request(options)
    .GetAsync().Result;
Note that I need to filter based on all 3 criteria, and be able to store the groups in a List object.
Please check if the below is the cause, as it may be possible.
Try avoiding .Result in .GetAsync().Result; it may lead to a deadlock condition, which may probably lead to no result, which looks like your case.
For example: filtered for jobTitle in query options:
List<Option> requestOptions = new List<Option>();
//var requestOptions= new List<Option>();
requestOptions.Add(new QueryOption("$count", "true"));
requestOptions.Add(new QueryOption("$filter", " jobTitle eq 'Retail Manager' "));
requestOptions.Add(new QueryOption("$filter", " jobTitle eq 'Marketing Assistant'"));
var request = await graphClient.Users["UPN"].MemberOf
    .Request(requestOptions).Header("ConsistencyLevel", "eventual")
    // .Filter("(jobTitle eq 'Retail Manager' ) or (jobTitle eq 'Marketing Assistant')") // try this if query options doesn't work
    .GetAsync();
In graph explorer tried this :
But not sure; later it again gives an error, as group doesn't have jobTitle as a property.
Please check the below references:
Graph API .net SDK - Filter Me.MemberOf based on displayName of groups - Stack Overflow
c# - Filtering the transitive group memberships of a user using Graph SDK - Stack Overflow

Bulk adding users to AzureAD Script error

The goal of the script is to run and add all users with a specific job title to an AzureAD Group.
I've tested the variable and it grabs the right people and will display if I write the variable to the screen.
The error message I get states "Add-AzureADGroupMember : Cannot convert 'System.Object[]' to the type 'System.String' required by parameter."
#Grab all users with the job title IT Support Technician
$User = (Get-AzureADUser -All $true |
    Where-Object -FilterScript {$_.JobTitle -eq "IT Support Technician"}).ObjectId
#Grab the ObjectID of the AzureADGroup
$Branch = (Get-AzureADGroup -SearchString "Test SG").ObjectId
#Add each of the Users to the AzureADGroup
$User | ForEach-Object {
    Add-AzureADGroupMember -ObjectId $Branch -RefObjectId $User
}
You're iterating over $User, then trying to add all users within your ForEach-Object loop.
To reference the current pipeline item you can use $_ or $PSItem:
$User | ForEach-Object {
    Add-AzureADGroupMember -ObjectId $Branch -RefObjectId $_
}
Documentation on Automatic Variables
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-7.2#_

How do I get the AD group and add users to it?

I haven't done this in so long and I simply want to get the group CoreControls and add a user or another group. How do I write the FindByIdentity? It always returns null. The domain is crp.name.local.
using (PrincipalContext pc = new PrincipalContext(
    ContextType.Domain,
    "crp",
    username,
    password))
{
    // group is null and I've tried many examples...
    var group = GroupPrincipal.FindByIdentity(pc, "ou=CoreControls");
    group.Members.Add(pc, IdentityType.UserPrincipalName, userId);
    group.Save();
}
I think the problem is CoreControls is not actually a group, but an OU. So you cannot use GroupPrincipal here. Try this PrincipalContext overload instead:
using (PrincipalContext pc = new PrincipalContext(
    ContextType.Domain,
    "crp",
    "OU=CoreControls,OU=Security,OU=Global Groups,DC=crp,DC=local",
    username,
    password))
You will have to fiddle with the container parameter to get it just right.

LDAP Filter, search contains (Active Directory)

I want to find users from Active Directory where objectSid = "x-xxx-xxxxxx-xxxxxxx-11060".
My search filter is:
(&(objectClass=user)(objectCategory=person)(Objectsid=*11060))
but no users are returned.
What is the problem with my filter?
When I write the complete objectSid, the user information is returned.
Even when I change the code to
(&(objectClass=user)(objectCategory=person)(Objectsid=*))
which should return all users, no users are returned.
LDAP is case-sensitive, and the proper spelling of the attribute you're trying to use is objectSid (not Objectsid), so try this filter:
(&(objectClass=user)(objectCategory=person)(objectSid=*))

Drupal Organic Groups: Entity Reference Other groups

I have Organic Groups installed on my Drupal website. I created groups and a group content type. In the group content type I have an OG Reference field to refer to the group it can belong to. However, this field also automatically shows an "Other groups" field. How can I remove this "Other groups" field, as I do not want to enable users to choose other groups to fill in?
Thanks!
You can hide it by using hook_field_widget_form_alter():
/**
 * Implements hook_field_widget_form_alter().
 */
function fr_groups_field_widget_form_alter(&$element, &$form_state, $context) {
  // Hide "Other groups" table for group selection.
  if ($element['#field_name'] == 'og_group_ref' && isset($element['admin'])) {
    $element['admin']['#access'] = FALSE;
  }
}
The "Other groups" field is only visible to users with "Administer Group" permissions. This permission is under:
/drupal/admin/config/group/permissions/node/%node%
I wouldn't worry about this, since regular users won't see it, but if you want it removed you can remove this field for ALL users by removing ALL roles from the Administer Group permission. Just unselect the option at the above-mentioned URL.