LDAP group membership (including Domain Users)
How can I get a list of users within an LDAP group, even if that group happens to be the primary group for some users?
For example, suppose "Domain Users" is "Domain Leute" in German. I want all members of "CN=Domain Leute,DC=mycompany,DC=com". How would I know that is the well-known "Domain Users" group?
Or what if some users' primary group was changed to "CN=rebels,DC=mycompany,DC=com", and I wanted to get members of THAT group? Users don't have a memberOf property for their primary group, and the primary group won't have a member property listing them.
This is what I see when viewed via LDAP (ie, no MS extensions):
You need to find out primaryGroupToken from the Group object first. If you are using ADSIEdit, you need to make sure you have "Constructed" filter on to see this calculated attribute. For Domain Users, the primaryGroupToken should be 513.
Then, you neeed to find all the users with primaryGroupID set to this value. Here is the ldap query you should write to find out all users with Domain Users set as the primary group.
(&(objectCategory=person)(objectClass=user)(primaryGroupID=513))
EDIT
Here is the steps to show primaryGroupToken in LDAP Browser. I am using LDAP browser 2.6 build 650. Right click your profile and click properties
Go to LDAP Settings tab and click Advanced button.
Add an extra operational attribute primaryGroupToken
Click Apply button and close the properties page. Now, you should see the primaryGroupToken in your group object.
- Print Local Group Members in PowerShell 5.0
- Get current computer's distinguished name in powershell without using the ActiveDirectory module
- Best PowerShell method to get the current Active Directory Site name of the local computer
- NetBIOS domain of computer in PowerShell
- How to connect to Active Directory via LDAPS in C#?
- How do I restrict Apache/SVN access to specific users (LDAP/file-based authentication)?
- unresolved external symbol IID_IADs?
- Web API 2 Controller isn't picking up IPrincipal.User.Identity.Name
- How to get all groups that a user is a member of?
- Why am I getting 'System.__ComObject' from my LDAP property?
- PowerShell Find Members of Two Specific AD Groups
- C# Cannot connect to AD using LDAPS
- Get users that are 'memberof' a group
- Login failed for user identified principal
- How to make requests to local-hosted Azure Devops Server pats API?
- Powershell Foreach Get-ADGroupMember on Array of Group Names Not Returning Consistent Results
- Execute a RESTAPI request from Powershell using the credentials of the user logged into the windows machine(AD Credential's)
- How to automatically update data from outlook to sql using c#, When someone rejects my meeting request it should be updated to my database
- Is there a canonical place to store arbitrary key/value pairs in Active Directory
- Change Identity Source for Azure Accounts and Groups
- Is context need to be closed explicity in LDAP connection pooling
- Keycloak adapter not able retrieve current username from windows AD logged-in user
- Reset Active Directory password using Python and ldap3
- Get user's non-truncated Active Directory groups from command line
- Import Data issue from CSV to AD
- Renaming Azure Active Directory
- Enumerate all users including SIDs
- PowerShell Out-GridView result
- How to get list of Active Directory group names beginning with "ABC_" in PowerShell?
- Web-based LDAP Browser