LDAP query to get list of members in an AD group

Question

I checked a few posts asked the similar questions before, but none works for my case, not sure if something wrong on my side or it's the AD.

So I have security group at path:

CN=MigratedUsers,OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm,AD

And in the MigratedUsers group, there is a member property with a few AD users in the group. I am trying to get the list of users, so I can iterate through them.

So in my base location I specified:

OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm

For the LDAP Filter I have:

(&(objectCategory=user)(memberOf=CN=MigratedUsers,OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm))

The result returned 0 records.

I tried other combinations such as (&(objectCategory=group)(CN=MigratedUsers)), it doesn't work either.

So, could anyone point out to me if anything in my query is wrong or I need to start checking something else like AD settings etc.

Thank you.

Answer 1

Your first filter looks fine :

(&(objectCategory=user)(memberOf=CN=MigratedUsers,OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm))

But the search base is not, (it's a group search base, while you want to retrieve user entries). The user base should look like this :

OU=Users,OU=National Organization,DC=abc,DC=firm

Answer 2

You're searching for users, but you set the base of the search to:

OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm

That tells it to only return users that are in the Azure Groups OU. I'm guessing that there are no users in that OU. Set the base of the search to the root of the domain (e.g. DC=abc,DC=firm), or just don't set it at all, since that will be the default.

Your first filter is the correct one (which has the full DN of the group).