Join an LDAP group (including domain users)

How can I get a list of users in an LDAP group, even if this group is the main group for some users?

For example, suppose "Domain Users" is called "Domain Leute" (German). I want all the members of "CN=Domain Leute,DC=mycompany,DC=com". How do I know that this is the well-known "Domain Users" group?

Or what if a user's primary group was changed to "CN=rebels,DC=mycompany,DC=com", and I wanted to get the members of THAT group? Users do not have a memberOf property for their primary group, and the primary group will not have a member property listing them.

This is what I see when browsing through LDAP (i.e. no MS extensions):

3 answers

First you need to find out the primaryGroupToken of the group object. If you use ADSIEdit, you need to make sure that you have the "Constructed" filter enabled to see this computed attribute. For Domain Users, primaryGroupToken must be 513.

Then you need to find all users with primaryGroupID set to this value. Here is the LDAP query you need to run to find all users with Domain Users set as their primary group:

    (&(objectCategory=person)(objectClass=user)(primaryGroupID=513))

EDIT

Below are the steps to show primaryGroupToken in an LDAP browser. I am using LDAP Browser 2.6 build 650. Right-click on your profile and click on Properties.

Go to the "LDAP Settings" tab and click on the "Advanced" button.

Add the optional operational attribute primaryGroupToken.

Click the Apply button and close the properties page. You should now see primaryGroupToken in your group object.


To get the primaryGroupToken of any given group, extract it from objectSid. For example, Domain Users has objectSid = S-1-5-21-704657944-2065781323-617630493-513; the primaryGroupToken is the digits after the last "-", so in the case of Domain Users it's 513.


This is the PS script I made for this:

    [void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")
    $groupName = "Grupo Domain"
    $directoryEntry = New-Object System.DirectoryServices.DirectoryEntry
    $directorySearcher = New-Object System.DirectoryServices.DirectorySearcher($directoryEntry, "(&(objectClass=group)(CN=$groupName))")
    [void]$directorySearcher.PropertiesToLoad.Add("objectSid")
    [void]$directorySearcher.PropertiesToLoad.Add("member")
    $result = $directorySearcher.FindOne()
    if ($result -eq $null) { return }

    # Try to get the group members through the "member" property.
    if ($result.Properties["member"].Count -gt 0) {
        foreach ($member in $result.Properties["member"]) {
            $memberSearcher = New-Object System.DirectoryServices.DirectorySearcher($directoryEntry, "(&(objectClass=*)(distinguishedName=$member))")
            [void]$memberSearcher.PropertiesToLoad.Add("msDS-PrincipalName")
            $memberResult = $memberSearcher.FindOne()
            if ($memberResult -eq $null) { continue }
            Write-Output $memberResult.Properties["msDS-PrincipalName"]
        }
        return
    }

    if ($result.Properties["objectSid"].Count -gt 0) {
        # The group might be an AD primary group. Try to get the members by primaryGroupID.
        $groupSid = New-Object System.Security.Principal.SecurityIdentifier($result.Properties["objectSid"][0], 0)
        # Hacky way to get only the last RID: strip the domain SID prefix and the leading "-".
        $primaryGroupSid = $groupSid.Value.Replace($groupSid.AccountDomainSid.ToString(), [String]::Empty).TrimStart('-')
        $memberSearcher = New-Object System.DirectoryServices.DirectorySearcher($directoryEntry, "(&(objectClass=*)(primaryGroupId=$primaryGroupSid))")
        [void]$memberSearcher.PropertiesToLoad.Add("msDS-PrincipalName")
        $memberResult = $memberSearcher.FindAll()
        # 'return' here, not 'continue': this check is not inside a loop.
        if ($memberResult -eq $null) { return }
        foreach ($member in $memberResult) {
            Write-Output $member.Properties["msDS-PrincipalName"]
        }
    }
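The logic of the three answers (decode objectSid, take the last RID as primaryGroupToken, then union the explicit member list with users whose primaryGroupID matches), as an added example that is not from any of the posters. It runs offline against constructed in-memory entries rather than a live directory; the user DNs and the svc-backup member are made up, and the well-known RIDs other than 513 are AD built-ins added here for the lookup.

```python
import struct

# Well-known domain-relative RIDs; the page cites 513 (Domain Users), the rest are AD built-ins.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers", 516: "Domain Controllers"}

def sid_bytes_to_string(sid: bytes) -> str:
    """Decode a binary objectSid (what plain LDAP returns) into 'S-1-<authority>-<sub>-...' form."""
    if len(sid) < 8 or sid[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = sid[1]                                        # number of sub-authorities
    if len(sid) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")           # 48-bit big-endian identifier authority
    subs = struct.unpack_from(f"<{count}I", sid, 8)       # each sub-authority is little-endian uint32
    return "-".join(["S", "1", str(authority)] + [str(s) for s in subs])

def rid_of(sid_string: str) -> int:
    """primaryGroupToken equals the last sub-authority (the RID) of the group's objectSid."""
    return int(sid_string.rsplit("-", 1)[1])

def primary_group_filter(rid: int) -> str:
    """LDAP filter for users whose primary group is the given RID (answer 1's query)."""
    return f"(&(objectCategory=person)(objectClass=user)(primaryGroupID={rid}))"

def full_members(group: dict, users: list) -> set:
    """Explicit 'member' DNs plus users whose primaryGroupID matches the group's RID."""
    rid = rid_of(sid_bytes_to_string(group["objectSid"]))
    implicit = {u["dn"] for u in users if u["primaryGroupID"] == rid}
    return set(group.get("member", [])) | implicit

# Constructed sample: binary objectSid for S-1-5-21-704657944-2065781323-617630493-513 (the SID on the page).
DOMAIN_USERS_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 704657944, 2065781323, 617630493, 513)
DOMAIN_USERS = {"dn": "CN=Domain Leute,DC=mycompany,DC=com", "objectSid": DOMAIN_USERS_SID,
                "member": ["CN=svc-backup,OU=Service,DC=mycompany,DC=com"]}  # constructed explicit member
USERS = [  # constructed user entries; AD does not populate memberOf for the primary group
    {"dn": "CN=alice,OU=Staff,DC=mycompany,DC=com", "primaryGroupID": 513},
    {"dn": "CN=bob,OU=Staff,DC=mycompany,DC=com", "primaryGroupID": 513},
    {"dn": "CN=rebel1,OU=Staff,DC=mycompany,DC=com", "primaryGroupID": 1105},
]

if __name__ == "__main__":
    s = sid_bytes_to_string(DOMAIN_USERS_SID)
    print(s, "->", WELL_KNOWN_RIDS.get(rid_of(s), "custom group"))
    print(primary_group_filter(rid_of(s)))
    print(sorted(full_members(DOMAIN_USERS, USERS)))
```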

Source: https://habr.com/ru/post/1332141/
