2015/04/30

LDAP queries for nested groups in AD


This gets all user objects in the domain (only the cn attribute is returned):
ldapsearch -b "dc=mydomain,dc=com" -D "cn=myadminaccount,ou=Users,dc=mydomain,dc=com" -H ldap://mydomaincontroller/ -W -x "(objectclass=user)" cn

This gets all members (of any type) of a given group, with no recursion -- no handling of nested groups:
ldapsearch -b "dc=mydomain,dc=com" -D "cn=myadminaccount,ou=Users,dc=mydomain,dc=com" -H ldap://mydomaincontroller/ -W -x "(memberOf:=cn=mygroup,ou=groups,dc=mydomain,dc=com)" cn

This gets all objects of type "user" that belong to a given group, with no recursion -- no handling of nested groups:
ldapsearch -b "dc=mydomain,dc=com" -D "cn=myadminaccount,ou=Users,dc=mydomain,dc=com" -H ldap://mydomaincontroller/ -W -x "(&(objectclass=user)(memberOf:=cn=mygroup,ou=groups,dc=mydomain,dc=com))" cn

This gets all objects of type "user" that belong to a given group, recursing through child/nested groups:
ldapsearch -b "dc=mydomain,dc=com" -D "cn=myadminaccount,ou=Users,dc=mydomain,dc=com" -H ldap://mydomaincontroller/ -W -x "(&(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=cn=mygroup,ou=groups,dc=mydomain,dc=com))" cn

This gets all objects (groups) of which the following user is a member, recursing through child/nested groups (the user's DN is given bare; wrapping it in parentheses would put unescaped parentheses inside the filter value and the filter would not parse):
ldapsearch -b "dc=mydomain,dc=com" -D "cn=myadminaccount,ou=Users,dc=mydomain,dc=com" -H ldap://mydomaincontroller/ -W -x "(member:1.2.840.113556.1.4.1941:=cn=My User,ou=users,dc=mydomain,dc=com)" cn

(see https://msdn.microsoft.com/en-us/library/aa746475%28v=vs.85%29.aspx )
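The following is an added example, not code from the original post. It builds the two chain filters shown above (the matching rule OID 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, which only Active Directory implements) with RFC 4515 escaping of the DN value, and then performs the same nested-membership walk client-side over a constructed in-memory directory, which is what you need against a directory that lacks the rule, or when you want to audit effective membership of a privileged group offline from an export. The DNs, group names and the helper function names are all constructed for this example; no LDAP library is used, so it runs without a domain controller.

```python
# Added example (not from the original post): the two LDAP_MATCHING_RULE_IN_CHAIN
# filters from the post built with RFC 4515 escaping, plus a client-side
# expansion of nested membership over a constructed in-memory directory (the
# walk the matching rule performs on the server). All DNs are sample data.

# OID of LDAP_MATCHING_RULE_IN_CHAIN (Active Directory only).
IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515: these characters must be hex-escaped inside a filter *value*.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string (such as a DN) so it can be embedded in a filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def users_in_group_filter(group_dn: str) -> str:
    """Filter for user objects that are direct or nested members of group_dn."""
    return f"(&(objectclass=user)(memberOf:{IN_CHAIN}:={escape_filter_value(group_dn)}))"


def groups_of_user_filter(user_dn: str) -> str:
    """Filter for groups that contain user_dn directly or via nested groups."""
    return f"(member:{IN_CHAIN}:={escape_filter_value(user_dn)})"


# Constructed sample directory: DN -> (objectClass, direct member DNs).
# helpdesk and tier2 nest each other: a cycle that naive recursion would loop on.
G_MYGROUP = "cn=mygroup,ou=groups,dc=mydomain,dc=com"
G_HELPDESK = "cn=helpdesk,ou=groups,dc=mydomain,dc=com"
G_TIER2 = "cn=tier2,ou=groups,dc=mydomain,dc=com"
U_ALICE = "cn=Alice,ou=users,dc=mydomain,dc=com"
U_BOB = "cn=Bob,ou=users,dc=mydomain,dc=com"
U_MYUSER = "cn=My User,ou=users,dc=mydomain,dc=com"
U_CAROL = "cn=Carol,ou=users,dc=mydomain,dc=com"  # member of no group

DIRECTORY = {
    G_MYGROUP: ("group", [G_HELPDESK, U_ALICE]),
    G_HELPDESK: ("group", [G_TIER2, U_BOB]),
    G_TIER2: ("group", [G_HELPDESK, U_MYUSER]),
    U_ALICE: ("user", []),
    U_BOB: ("user", []),
    U_MYUSER: ("user", []),
    U_CAROL: ("user", []),
}


def effective_users(group_dn: str, directory=DIRECTORY) -> list:
    """All user DNs reachable from group_dn through nested groups.

    Equivalent to what users_in_group_filter() asks the server to compute.
    The 'seen' set makes the walk terminate even when groups nest each other.
    """
    seen, users, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        object_class, members = directory.get(dn, ("unknown", []))
        if object_class == "user":
            users.add(dn)
        elif object_class == "group":
            stack.extend(members)
    return sorted(users)


def effective_groups(user_dn: str, directory=DIRECTORY) -> list:
    """All group DNs that contain user_dn directly or through nesting.

    Equivalent to what groups_of_user_filter() asks the server to compute.
    """
    # Reverse index: member DN -> groups that list it directly.
    parents = {}
    for dn, (object_class, members) in directory.items():
        if object_class == "group":
            for member in members:
                parents.setdefault(member, []).append(dn)
    seen, stack = set(), list(parents.get(user_dn, []))
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        stack.extend(parents.get(dn, []))
    return sorted(seen)


if __name__ == "__main__":
    print(users_in_group_filter(G_MYGROUP))
    print(groups_of_user_filter(U_MYUSER))
    print("effective users of mygroup:", effective_users(G_MYGROUP))
    print("effective groups of My User:", effective_groups(U_MYUSER))
```

The filter builders reproduce the post's `(objectclass=user)` term unchanged; note that in Active Directory `objectClass=user` also matches computer accounts, so a membership audit that should cover only people usually adds `(objectCategory=person)` to that conjunction. The escaping matters whenever a group or user CN contains parentheses, asterisks or backslashes: without it the DN breaks the filter, which is the same failure the bare-versus-parenthesised DN in the last query above illustrates.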
