LDP query for user groups nested?

Discussion in 'Active Directory' started by Eric - ARUP, Jul 13, 2005.

  1. Eric - ARUP

    Eric - ARUP Guest

    Hello

    Is it possible to query AD for a user to get the groups he is a member of,
    and if any of those groups are nested then also return those uplevel groups
    as well.

    Currently testing this we query the user and get his memberOf, but unless we
    query each group we don't get the uplevel groups for those that are nested
    without a separate query.

    thanks
    e-
     
    Eric - ARUP, Jul 13, 2005
    #1

  2. I'd initially suggest submitting something along the lines of the
    following query -

    base dn: <user object>
    scope: base
    filter: objectclass=*
    attributes: tokenGroups

    .... note that the scope of the query must be 'base' since tokenGroups is
    a constructed attribute and the DSA will not return its value with
    larger result sets.

    Does this suffice?
     
    Dean Wells [MVP], Jul 13, 2005
    #2

  3. Eric - ARUP

    Eric - ARUP Guest

    It makes sense but returns no results, as follows

    **Searching...
    ldap_search_s(ld, "CN=users,DC=Domain,DC=net", 0, "objectclass=*", attrList,
    1, &msg)
    Result <0>: (null)
    Matched DNs:
    Getting 1 entries:

    I am using LDP currently, is the syntax for the options > attributes just
    'tokenGroups'?

    thank you for your help
    e-

     
    Eric - ARUP, Jul 13, 2005
    #3
  4. In my earlier post you'll notice I mentioned that the base object DN
    within the search MUST be the user itself, not the parent OU or
    container. As such, if you wish to perform this action against many
    users, you'll need to re-iterate the query against each individually ...
    though I realize this seems an expensive action, it is currently a
    requirement.

    --
    Dean Wells [MVP / Directory Services]
    MSEtechnology
    [[ Please respond to the Newsgroup only regarding posts ]]
    R e m o v e t h e m a s k t o s e n d e m a i l
     
    Dean Wells [MVP], Jul 13, 2005
    #4
  5. No you can't recursively gather group memberships with a single query other than
    as Dean suggests using tokenGroups. Note that this will not chase into nesting
    into other domains.

    Yes it is painful.
     
    Joe Richards [MVP], Jul 14, 2005
    #5
  6. Al Mulnick

    Al Mulnick Guest

    It is painful. It is where script can be useful and your logic is correct
    that you need to query each additional group similar to this:
    http://www.rlmueller.net/Programs/EnumGroup.txt

    I've since modified a version similar to this that's used for group
    memberships only, i.e. query a group and ask it for all of its members and
    chase those members that are groups, then munge. Found it useful for tracking
    and auditing group memberships to find out if low-level groups were being
    given permission via membership to high-level permissioned groups. Some very
    useful logic in the above link.

    Anyhow, you can see the logic flow in the above example of a script. I
    haven't tested it across domains, but the concept should work just fine.


    Al
     
    Al Mulnick, Jul 14, 2005
    #6
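    The "chase the members that are groups" logic Al describes, as an added example
    (Python, not the VBScript from the rlmueller.net link and not Al's modified
    version). The directory here is a constructed in-memory map of DN to memberOf
    values so it runs offline; against a live DC each lookup would be a base-scope
    LDAP search of one object's memberOf attribute. It walks the nesting upward from
    a user, stops on circular nesting, and reports the chain by which a low-level
    group lands inside a high-privilege one, which is the audit question in the post.

```python
"""Resolve nested AD group membership by walking memberOf links upward.

Added example, not the rlmueller.net script linked in the thread.  MEMBER_OF
is a constructed stand-in for the directory so the code runs offline.
"""
from collections import deque

# Constructed sample directory: DN -> the DNs in that object's memberOf.
# Nesting: Eric -> Helpdesk -> Server Operators -> Domain Admins, plus a
# deliberate cycle (AD permits circular nesting, so the walker must cope).
MEMBER_OF = {
    "CN=Eric,CN=Users,DC=example,DC=net": [
        "CN=Helpdesk,OU=Groups,DC=example,DC=net",
        "CN=Staff,OU=Groups,DC=example,DC=net",
    ],
    "CN=Helpdesk,OU=Groups,DC=example,DC=net": [
        "CN=Server Operators,CN=Builtin,DC=example,DC=net",
    ],
    "CN=Server Operators,CN=Builtin,DC=example,DC=net": [
        "CN=Domain Admins,CN=Users,DC=example,DC=net",
    ],
    "CN=Domain Admins,CN=Users,DC=example,DC=net": [
        "CN=Helpdesk,OU=Groups,DC=example,DC=net",  # the cycle
    ],
    "CN=Staff,OU=Groups,DC=example,DC=net": [],
}


def lookup_member_of(dn):
    """Stand-in for a base-scope LDAP search returning one object's memberOf."""
    return MEMBER_OF.get(dn, [])


def nested_groups(user_dn, lookup=lookup_member_of):
    """Every group reachable from user_dn through nesting, nearest first.

    Breadth-first walk; the visited set is what stops circular nesting from
    looping forever.  Cross-domain nesting is only followed as far as the
    lookup function can resolve the foreign DN.
    """
    visited, order = set(), []
    queue = deque(lookup(user_dn))
    while queue:
        group = queue.popleft()
        if group in visited:
            continue
        visited.add(group)
        order.append(group)
        queue.extend(lookup(group))
    return order


def escalation_path(user_dn, sensitive_group, lookup=lookup_member_of):
    """Chain of groups by which user_dn reaches sensitive_group, or [] if none.

    Records each group's first-seen parent so the chain can be rebuilt when
    the sensitive group is hit; this is the audit view of 'is a low-level
    group indirectly inside a high-privilege one'.
    """
    parent = {}
    queue = deque()
    for g in lookup(user_dn):
        parent.setdefault(g, user_dn)
        queue.append(g)
    while queue:
        group = queue.popleft()
        if group == sensitive_group:
            chain = [group]
            while parent[chain[-1]] != user_dn:
                chain.append(parent[chain[-1]])
            return list(reversed(chain))
        for up in lookup(group):
            if up not in parent:
                parent[up] = group
                queue.append(up)
    return []


if __name__ == "__main__":
    user = "CN=Eric,CN=Users,DC=example,DC=net"
    for g in nested_groups(user):
        print(g)
    print(escalation_path(user, "CN=Domain Admins,CN=Users,DC=example,DC=net"))
```

    Swapping lookup_member_of for a real LDAP read turns this into the per-group
    query loop the thread is talking about; the cost is one query per group, which
    is exactly why tokenGroups (one base-scope read) is the cheaper route when only
    the flattened SID list is needed.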
  7. Al Mulnick

    Al Mulnick Guest

    I almost forgot.

    This is far more difficult than it should be right? So why don't you tell
    Microsoft about it for their upcoming .NET DSAPI for 2.0? They were asking
    for feedback about how it would be used etc and could use feedback like
    this.

    The deadline is the 15th but it's only a few questions (don't mind the count
    in the doc, it's incorrect). The request was posted by Kannan C. Iyer
    [MSFT] on 7/7/2005.

    Al
     
    Al Mulnick, Jul 14, 2005
    #7
  8. Eric - ARUP

    Eric - ARUP Guest

    OK, I corrected it as you stated, sorry I am not a heavy LDAP user. I reran
    the query and it does return the tokenGroups attribute. However each item
    says <ldp: Binary blob>;

    What is this, or what does it mean? And is there a way to return the data in
    readable format?

    thank you for the help
    e-

     
    Eric - ARUP, Jul 14, 2005
    #8
  9. I'm guessing you've got a legacy version of LDP, install a later
    version, for example, the binary that ships with Microsoft's ADAM (query
    google for download ADAM).

    Oh, almost forgot ... I'll get smacked if I don't remember to also
    mention that there's a great (and free) command line utility written by
    a friend of mine called ADfind ... you can get that
    http://www.joeware.net - it'll do more for you than you'd possibly ever
    want, well worth it ... "you happy now Joe?" ;o)

    --
    Dean Wells [MVP / Directory Services]
    MSEtechnology
    [[ Please respond to the Newsgroup only regarding posts ]]
    R e m o v e t h e m a s k t o s e n d e m a i l
     
    Dean Wells [MVP], Jul 14, 2005
    #9
  10. Hi,

    I have a sample VBScript program that uses tokenGroups to determine group
    memberships linked here:

    http://www.rlmueller.net/IsMember4.htm

    This program checks group membership, rather than enumerating them, but it
    could be modified. tokenGroups works great, but the values are OctetString
    (byte arrays). This multi-valued attribute is a collection of group SIDs. In
    the example I bind to each group (using the SID) to determine the group
    name. I save the names in a dictionary object. To enumerate the groups, you
    could enumerate the dictionary object.

    An ldp query that returns tokenGroups would not display group names.
     
    Richard Mueller [MVP], Jul 14, 2005
    #10
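    Decoding those OctetString values, as an added example (Python, not Richard's
    IsMember4 VBScript). The byte layout is the documented Windows SID format:
    revision, sub-authority count, 48-bit big-endian identifier authority, then
    each sub-authority as a 32-bit little-endian integer. The sample blobs are
    constructed here so it runs offline; on a live DC they would be the
    tokenGroups values from the base-scope search described earlier in the thread.
    The well-known SIDs and RIDs it flags are standard Windows constants, not
    anything from this thread.

```python
"""Turn tokenGroups binary SIDs into S-1-... strings and flag privileged ones.

Added example, not the IsMember4 script linked in the thread.  The sample
values at the bottom are constructed.
"""
import struct


def sid_to_string(blob):
    """Decode one binary SID (the <ldp: Binary blob> value) to string form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def string_to_sid(text):
    """Inverse of sid_to_string; used here only to build constructed input."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Documented well-known SIDs and domain RIDs that a membership audit cares
# about.  Because tokenGroups is already flattened, nested membership in any
# of these shows up directly in the token without chasing groups by hand.
PRIVILEGED_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-548": "BUILTIN\\Account Operators",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}


def privileged_memberships(token_groups):
    """(sid, name) for every high-privilege group in a tokenGroups value list."""
    hits = []
    for blob in token_groups:
        sid = sid_to_string(blob)
        if sid in PRIVILEGED_SIDS:
            hits.append((sid, PRIVILEGED_SIDS[sid]))
            continue
        rid = int(sid.rsplit("-", 1)[1])
        if sid.startswith("S-1-5-21-") and rid in PRIVILEGED_RIDS:
            hits.append((sid, PRIVILEGED_RIDS[rid]))
    return hits


# Constructed sample: a plausible tokenGroups read for a helpdesk user whose
# group is nested inside Server Operators and, through that, Domain Admins.
SAMPLE_TOKEN_GROUPS = [
    string_to_sid("S-1-5-21-1000-2000-3000-1105"),  # Helpdesk (direct)
    string_to_sid("S-1-5-32-549"),                  # Server Operators (nested)
    string_to_sid("S-1-5-21-1000-2000-3000-512"),   # Domain Admins (nested)
    string_to_sid("S-1-5-11"),                      # Authenticated Users
]

if __name__ == "__main__":
    for blob in SAMPLE_TOKEN_GROUPS:
        print(blob.hex(), "->", sid_to_string(blob))
    print(privileged_memberships(SAMPLE_TOKEN_GROUPS))
```

    Resolving a decoded SID back to a group name is a separate lookup, for example
    a search on objectSid, which is what the VBScript's bind-by-SID does; the
    decoder above is the part LDP leaves you to do yourself.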
  11. Joe Richards [MVP], Jul 14, 2005
    #11
  12. Good job Dean, I know that hurt.
     
    Joe Richards [MVP], Jul 14, 2005
    #12
  13. Al Mulnick

    Al Mulnick Guest

    What took you so long to create one? Sheesh, it would have been nice to
    know earlier ;)
     
    Al Mulnick, Jul 14, 2005
    #13
  14. Eric - ARUP

    Eric - ARUP Guest

    I seem to be returning errors, I think my syntax may be wrong.

    adfind -h DomainController -simple -s base -b CN=LName\, FName,CN=Users,DC=Domain,DC=net -f objectclass=* tokenGroups

    AdFind V01.26.00cpp Joe Richards (@) February 2005

    LDAP_SEARCH_S: 0x1
    LDAP_SEARCH_S: Operations Error


    Sorry, not a big LDAP user.
    e-
     
    Eric - ARUP, Jul 14, 2005
    #14
  15. Is that the literal syntax you entered or have you abstracted some of it
    to protect the innocent ... so to speak? If so, the '-h' argument
    should be followed by the name, FQDN (fully qualified domain name) or
    address of one of your Domain Controllers, not the word
    'DomainController'.
     
    Dean Wells [MVP], Jul 14, 2005
    #15
  16. Eric - ARUP

    Eric - ARUP Guest

    Yes, the DomainController, LName, FName and Domain have all been changed to
    protect the innocent. An FQDN is being used behind the -h.

    e-

     
    Eric - ARUP, Jul 14, 2005
    #16
  17. I expect it may be that you need to quote the base DN because of a space being
    in it.
     
    Joe Richards [MVP], Jul 15, 2005
    #17
  18. Hell Al, I put that out on the website back in 2002/2003... I have seen it
    written up in "Windows IT Pro / Windows Dot Net / Windows 2000 / whatever other
    names they have had magazine" multiple times.
     
    Joe Richards [MVP], Jul 15, 2005
    #18
  19. Eric - ARUP

    Eric - ARUP Guest

    That's it! Thanks. It's now returning SIDs, which is something I can work
    with.

    thank you
    e-
     
    Eric - ARUP, Jul 15, 2005
    #19
  20. Excellent.
     
    Joe Richards [MVP], Jul 15, 2005
    #20