Ahmed MANSOUR

Reputation: 2559

Active Directory: get the roles of a user

1)- I'm looking for the LDAP query (Active Directory) to get the roles (groups) of a given user without specifying the distinguished name of the user.

I'm able to get this using this request: (&(objectclass=group)(member:1.2.840.113556.1.4.1941:=cn=admin,ou=users,ou=OUTest,dc=example,dc=com))

but I don't want to specify the whole root to the user (ou=users,ou=OUTest,dc=example,dc=com).

2)- How do I get the groups of a given user using "sAMAccountName" instead of the common name (CN)?

(*) member:1.2.840.113556.1.4.1941 is used to get all nested groups in Active Directory.

Thank you in advance.

Upvotes: 1

Views: 5238

Answers (1)

Tomalak

Reputation: 338118

The documentation about the 1.2.840.113556.1.4.1941 matching rule in Active Directory is unambiguous. Emphasis mine:

1.2.840.113556.1.4.1941
LDAP_MATCHING_RULE_IN_CHAIN

This rule is limited to filters that apply to the DN. This is a special "extended" match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.

It is not possible to use it with anything but a full DN because it matches against attributes that contain full DNs.

but i don't want to specify the whole root to the user

Tough luck. ;)

Build your program in a way that lets the user work with something more convenient, for example samAccountName, and translates this into a search string that has the full DN.


For example in PowerShell:

function Get-ADUserGroups($username) {
    if ($username) {
        # Step 1: resolve the sAMAccountName to the user object (requires the ActiveDirectory module)
        Get-ADUser $username | ForEach-Object {
            # Step 2: take its full DN and use it in the LDAP_MATCHING_RULE_IN_CHAIN filter
            $userDN = $_.DistinguishedName
            $ldapFilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$userDN))"

            # Returns every group the user is a member of, nested groups included
            Get-ADObject -LDAPFilter $ldapFilter
        }
    }
}

Usage

Get-ADUserGroups userXYZ

Or, for the sake of it, the same thing in regular Windows batch (GetADUserGroups.bat):

@echo off
setlocal enabledelayedexpansion

set USER=%~1

if "%USER%" neq "" (
    rem Step 1: dsquery resolves the sAMAccountName (-samid) to the user's full DN
    for /f "delims=" %%d in ('dsquery user -samid "%USER%"') do (
        rem Step 2: search all groups whose member chain contains that DN
        set "LDAP_FILTER=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%%~d))"
        dsquery * -filter "!LDAP_FILTER!" -limit 1000
    )
)

Usage

GetADUserGroups userXYZ

Upvotes: 1
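The same two-step lookup (sAMAccountName to DN, then the LDAP_MATCHING_RULE_IN_CHAIN filter) as an added, client-independent example that is not part of the answer above. It additionally escapes values per RFC 4515 before interpolating them, because a DN returned by AD can legitimately contain characters such as parentheses or an escaped comma that break, or alter, a filter when pasted in raw; the `search` callable and the sample entries are assumptions for illustration.

```python
# Python 3, standard library only. Builds the two filters from the answer and runs
# them through any search callable (e.g. a thin wrapper around an ldap3 Connection).
from typing import Callable, Dict, List

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES: Dict[str, str] = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(sam_account_name: str) -> str:
    """Step 1: find the user object by sAMAccountName (objectCategory=person excludes computers)."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(sAMAccountName={escape_filter_value(sam_account_name)}))")


def nested_group_filter(user_dn: str) -> str:
    """Step 2: every group whose member chain contains the DN (nested groups included)."""
    return (f"(&(objectClass=group)(member:{LDAP_MATCHING_RULE_IN_CHAIN}:="
            f"{escape_filter_value(user_dn)}))")


# A search callable takes a filter string and returns entries as dicts that carry
# at least 'distinguishedName'. Hypothetical interface, assumed for this example.
Search = Callable[[str], List[Dict[str, str]]]


def groups_for_user(search: Search, sam_account_name: str) -> List[str]:
    """Resolve sAMAccountName -> DN -> nested group DNs; [] if the user is not unique."""
    users = search(user_lookup_filter(sam_account_name))
    if len(users) != 1:  # no such account, or an ambiguous result: do not guess
        return []
    user_dn = users[0]["distinguishedName"]
    return [entry["distinguishedName"] for entry in search(nested_group_filter(user_dn))]


if __name__ == "__main__":
    # Constructed sample DN (not real data) showing why escaping matters.
    print(nested_group_filter("CN=Smith (Contractor),OU=Users,DC=example,DC=com"))
```
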
