Reputation: 1219
Let me start with a basic layout of our Active Directory:
DC=com
  DC=example
    OU=Groups
      CN=MaxGroups
      CN=MaxAdmins
      CN=MaxSupers
      CN=MaxTechs
      ...
    OU=ServiceAccounts
      CN=maxadmin
      CN=maxreg
      CN=mxintadm
      ...
    OU=Users
      CN=userA
      CN=userB
      ...
The way we have it configured is that the MaxAdmins group, MaxSupers group, and MaxTechs group are all members of the MaxGroups group (we HAD to do it this way to meet certain company guidelines). We have 3 service accounts (maxadmin, maxreg, and mxintadm) as well as a bunch of users that are members of one of those three groups (MaxAdmins, MaxSupers, and MaxTechs). What I needed to develop was two queries. One to get the groups (that was easy) and one to get all the users that are members of one of those groups.
Now I know that I could do a User query like:
(&
  (objectcategory=user)
  (|
    (memberOf=CN=MaxAdmins,...)
    (memberOf=CN=MaxSupers,...)
    (memberOf=CN=MaxTechs,...)
  )
)
However, in the future, we may be adding more groups and I don't want to have to keep updating the User query with more "OR"'d groups. I'd like to do it like this "pseudocode" below:
Users that are members of a group that is a member of MaxGroups.
Essentially I want a query that would find all groups that are part of MaxGroups and then a list of any user that is a member of any of those groups. Is this possible? Everything I've come across in a ton of Google searches for "nested memberOf" is about trying to generate a list of all groups that a user is a member of, NOT a list of users that are members of a member of a group!
Any and all help would be greatly appreciated!
Thanks!
Upvotes: 0
Views: 299
Reputation: 4503
Take a look at the in-chain matching rule - https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx. This will get you what you want.
Upvotes: 1
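As an added illustration (not part of the question or the answer above), the following Python builds the filter that the in-chain matching rule makes possible and emulates, on a small constructed model of the directory from the question, what the domain controller evaluates server-side: the rule's OID is 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN), and a `memberOf:<OID>:=<DN>` clause matches any object whose memberOf links reach that DN through any number of nesting levels. The DNs, the extra "Unrelated" group and "userC", and the group memberships of the service accounts are all assumptions made for the example.

```python
# Added example, not code from the question or the answer. It shows the
# in-chain filter and emulates the transitive memberOf walk that the
# matching rule performs on the server, using a constructed directory model.
from collections import deque

# OID of LDAP_MATCHING_RULE_IN_CHAIN (the "in-chain" rule the answer refers to).
IN_CHAIN = "1.2.840.113556.1.4.1941"


def in_chain_user_filter(top_group_dn: str) -> str:
    """Filter matching every user whose memberOf chain reaches top_group_dn.

    objectCategory=person plus objectClass=user keeps computer accounts out.
    top_group_dn is a literal DN, not user input; RFC 4515 escaping would be
    needed before interpolating an untrusted value into a filter.
    """
    return (f"(&(objectCategory=person)(objectClass=user)"
            f"(memberOf:{IN_CHAIN}:={top_group_dn}))")


# Constructed directory model: DN -> (object category, list of memberOf DNs).
GROUPS_OU = "OU=Groups,DC=example,DC=com"
SA_OU = "OU=ServiceAccounts,DC=example,DC=com"
USERS_OU = "OU=Users,DC=example,DC=com"
MAXGROUPS = f"CN=MaxGroups,{GROUPS_OU}"

DIRECTORY = {
    MAXGROUPS: ("group", []),
    f"CN=MaxAdmins,{GROUPS_OU}": ("group", [MAXGROUPS]),
    f"CN=MaxSupers,{GROUPS_OU}": ("group", [MAXGROUPS]),
    f"CN=MaxTechs,{GROUPS_OU}": ("group", [MAXGROUPS]),
    f"CN=Unrelated,{GROUPS_OU}": ("group", []),          # assumed, outside MaxGroups
    f"CN=maxadmin,{SA_OU}": ("user", [f"CN=MaxAdmins,{GROUPS_OU}"]),
    f"CN=maxreg,{SA_OU}": ("user", [f"CN=MaxTechs,{GROUPS_OU}"]),
    f"CN=mxintadm,{SA_OU}": ("user", [f"CN=MaxSupers,{GROUPS_OU}"]),
    f"CN=userA,{USERS_OU}": ("user", [f"CN=MaxAdmins,{GROUPS_OU}"]),
    f"CN=userB,{USERS_OU}": ("user", [f"CN=MaxTechs,{GROUPS_OU}"]),
    f"CN=userC,{USERS_OU}": ("user", [f"CN=Unrelated,{GROUPS_OU}"]),  # assumed
}


def member_of_in_chain(directory, start_dn, target_dn):
    """True if target_dn is reachable by following memberOf links from start_dn.

    Breadth-first walk with a visited set, so a nesting cycle cannot loop forever.
    """
    seen = set()
    queue = deque(directory[start_dn][1])
    while queue:
        dn = queue.popleft()
        if dn == target_dn:
            return True
        if dn in seen or dn not in directory:
            continue
        seen.add(dn)
        queue.extend(directory[dn][1])
    return False


def users_under(directory, top_group_dn):
    """Sorted DNs of user objects whose membership chain reaches top_group_dn."""
    return sorted(dn for dn, (category, _) in directory.items()
                  if category == "user"
                  and member_of_in_chain(directory, dn, top_group_dn))


if __name__ == "__main__":
    print(in_chain_user_filter(MAXGROUPS))
    for dn in users_under(DIRECTORY, MAXGROUPS):
        print(dn)
```

The filter string is what you would hand to an LDAP search against the domain (for example via `Get-ADUser -LDAPFilter` or an `ldapsearch` call): adding a new group under MaxGroups then needs no change to the query, which is the point of the question. Two practical notes: the in-chain rule makes the server compute the transitive closure, which is noticeably more expensive than a plain `memberOf` match on large directories, so scope the search base as tightly as you can; and because every account in the chain is returned, the three service accounts come back alongside the ordinary users, so filter on the OU or an attribute if you need only one kind.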