87

How can I use a search filter to display users of a specific group?

I've tried the following:

(&
    (objectCategory=user)
    (memberOf=MyCustomGroup)
)

and this:

(&
    (objectCategory=user)
    (memberOf=cn=SingleSignOn,ou=Groups,dc=tis,dc=eg,dc=ddd,DC=com)
)

but neither display users of a specific group.

RobSiklos
Madam Zu Zu

4 Answers

131

memberOf (in AD) is stored as a list of distinguishedNames. Your filter needs to be something like:

(&(objectCategory=user)(memberOf=cn=MyCustomGroup,ou=ouOfGroup,dc=subdomain,dc=domain,dc=com))

If you don't yet have the distinguished name, you can search for it with:

(&(objectCategory=group)(cn=myCustomGroup))

and return the attribute distinguishedName. Case may matter.

Timothy Gonzalez
Kodra
    Typically in Active Directory you have a number of Organizational Units that contain the structure. The default root OU for groups is Groups. It's likely that cn=MyCustomGroup,ou=Groups,dc=subdomain,dc=domain,dc=com will work for you. If it doesn't I would recommend doing an LDAP search for your group (&(objectCategory=group)(cn=MyCustomGroup)) and including the distinguishedName attribute in the result set. That will tell you exactly what string to use in your other query – Kodra Mar 27 '12 at 13:13
  • 1
    i did what you said, but i got no results back using the following: (&(objectCategory=user)(memberOf=cn=SingleSignOn,ou=Groups,dc=tis,dc=eg,dc=ddd,DC=com)) – Madam Zu Zu Mar 27 '12 at 13:16
  • 1
    Did you try doing a search for your group to make sure you have the right DN? My filter would be (&(objectCategory=group)(cn=SingleSignOn)) and the property would be "distinguishedName". Make sure you are searching from the root of the Domain, not the User OU (which you might be doing if your filter is for users only). You can take the distinguishedName from that query and plug it directly in to your user query. – Kodra Mar 27 '12 at 13:29
  • uugghhh. i think it was case sensitive... seems to be working now!!! :)) thanks!!!!!!!!!!! – Madam Zu Zu Mar 27 '12 at 14:20
  • I don't think casing is the problem it's the whitespace. – Timothy Gonzalez May 25 '17 at 15:35
  • @Kodra Would this be the value of the -b parameter inside a ldapsearch in the terminal? Would you care to look at this: ldapsearch -x -D "cn=Camilo Q Barrero P789677,OU=Users,OU=Technology,OU=Head Office,OU=Accounts,OU=Production,DC=aur,DC=national,DC=com,DC=au" -w Teri3torz -H ldap://ldapaur.aur.national.com.au -b OU=Applications,OU=NAB,OU=Groups,OU=Production,DC=aur,DC=national,DC=com,DC=au "(&(objectClass=user)(memberOf=CN=NAB-Application-ContactCentre-NAB-PAC-Agent,OU=Applications,OU=NAB,OU=Groups,OU=Production,DC=aur,DC=national,DC=com,DC=au))" – Camilo Jul 19 '19 at 05:35
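The two-step lookup from this answer (find the group's DN by CN, then match that DN in memberOf), as an added example that is not code from the answer. It escapes assertion values per RFC 4515, since the group name usually arrives from user input, and it rejects a bare CN like the question's first attempt; all names and DNs are constructed.

```python
"""Build the two filters from the answer above with RFC 4515 escaping.

Added example, not code from the answer: group names and DNs are constructed.
Escaping matters because the CN or DN often comes from user input (a form,
a config file), and unescaped '*' or parentheses change the filter's meaning.
"""

# RFC 4515 section 3: characters that must be hex-escaped in an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP search-filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_lookup_filter(cn: str) -> str:
    """Step 1 of the answer: find the group by CN; request distinguishedName."""
    return f"(&(objectCategory=group)(cn={escape_filter_value(cn)}))"


def members_filter(group_dn: str) -> str:
    """Step 2: users whose memberOf contains that exact DN (a DN, not a CN)."""
    return f"(&(objectCategory=user)(memberOf={escape_filter_value(group_dn)}))"


def looks_like_dn(value: str) -> bool:
    """Cheap sanity check before step 2: a DN is comma-separated type=value
    RDNs, so a bare CN such as 'MyCustomGroup' (the question's first attempt)
    is rejected instead of silently returning no users. Does not handle
    escaped commas inside RDN values."""
    rdns = [part.strip() for part in value.split(",")]
    return len(rdns) >= 2 and all("=" in rdn and rdn.split("=", 1)[0] for rdn in rdns)


if __name__ == "__main__":
    print(group_lookup_filter("MyCustomGroup"))
    dn = "cn=MyCustomGroup,ou=Groups,dc=subdomain,dc=domain,dc=com"  # constructed
    assert looks_like_dn(dn) and not looks_like_dn("MyCustomGroup")
    print(members_filter(dn))
```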
12

For Active Directory users, an alternative way to do this would be -- assuming all your groups are stored in OU=Groups,DC=CorpDir,DC=QA,DC=CorpName -- to use the query (&(objectCategory=group)(CN=GroupCN)). This will work well for all groups with fewer than 1500 members. If you want to list all members of a large AD group, the same query will work, but you'll have to use ranged retrieval to fetch all the members, 1500 records at a time.

The key to performing ranged retrievals is to specify the range in the attributes using this syntax: attribute;range=low-high. So to fetch all members of an AD Group with 3000 members, first run the above query asking for the member;range=0-1499 attribute to be returned, then for the member;range=1500-2999 attribute.

sigint
    Don't forget to specify `(CN=GroupCN)`. I tried to request all groups and it didn't work until I specified this. Also you can use asterisk when you specify the range: `member;range=1500-*` - it also works good. – Stalinko Jul 26 '16 at 10:30
  • Hi @Stalinko, what if a group does not have a CN? I have groups that only have OU and DC attributes. – alucor-it Jan 05 '22 at 10:49
  • Any valid LDAP query that Active Directory supports ought to work -- there's a sample list of these at https://ldapwiki.com/wiki/Active%20Directory%20Group%20Related%20Searches On the other hand, it's a bit unusual for a Group to not have a CN, which attribute is the "base name" of the Group in your case? – sigint Jan 05 '22 at 12:00
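A client-side loop for the ranged retrieval this answer describes, using the `range=1500-*` form Stalinko mentions for each follow-up request; this is an added example, not code from the answer. The DC is replaced by a constructed in-memory stand-in that answers in 1500-value chunks (an assumption matching the answer's figure) so the loop runs offline.

```python
"""Ranged retrieval of the member attribute of a large AD group.

Added example, not code from the answer: the DC is replaced by a constructed
in-memory stand-in that answers ranged requests the way AD does (1500 values
per chunk, response range ending in '*' on the final chunk).
"""
import re

PAGE = 1500  # AD's default MaxValRange (assumed)
_RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.I)


def range_attr(attr: str, low: int, high=None) -> str:
    """Attribute name to request: member;range=0-1499 or member;range=1500-*."""
    return f"{attr};range={low}-{'*' if high is None else high}"


def next_range(returned_attr: str):
    """Given the attribute name the server answered with, return the next
    request, or None when the server marked the last chunk with high='*'."""
    m = _RANGE_RE.match(returned_attr)
    if not m:
        raise ValueError(f"not a ranged attribute: {returned_attr}")
    if m.group("high") == "*":
        return None
    return range_attr(m.group("attr"), int(m.group("high")) + 1)


def fake_dc_search(members, requested_attr):
    """Constructed DC stand-in: returns (attribute name as AD labels it, values).
    AD caps a chunk at PAGE values even if the client asked for more."""
    m = _RANGE_RE.match(requested_attr)
    low = int(m.group("low"))
    cap = low + PAGE - 1
    high = cap if m.group("high") == "*" else min(int(m.group("high")), cap)
    chunk = members[low:high + 1]
    last = high >= len(members) - 1
    return range_attr(m.group("attr"), low, None if last else high), chunk


def fetch_all_members(search, attr="member"):
    """Client loop: keep requesting until the response range ends in '*'."""
    result, req = [], range_attr(attr, 0, PAGE - 1)
    while req is not None:
        name, values = search(req)
        result.extend(values)
        req = next_range(name)
    return result


if __name__ == "__main__":
    members = [f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(3000)]  # constructed
    print(len(fetch_all_members(lambda a: fake_dc_search(members, a))))  # 3000
```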
4

If the DC is Win2k3 SP2 or above, you can use something like:

(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=example,DC=com))

to get the nested group membership.

Source: https://ldapwiki.com/wiki/Active%20Directory%20Group%20Related%20Searches

RobSiklos
0

And the more complex query if you need to search in several groups:

(&(objectCategory=user)(|(memberOf=CN=GroupOne,OU=Security Groups,OU=Groups,DC=example,DC=com)(memberOf=CN=GroupTwo,OU=Security Groups,OU=Groups,DC=example,DC=com)(memberOf=CN=GroupThree,OU=Security Groups,OU=Groups,DC=example,DC=com)))

The same example with recursion:

(&(objectCategory=user)(|(memberOf:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=example,DC=com)(memberOf:1.2.840.113556.1.4.1941:=CN=GroupTwo,OU=Security Groups,OU=Groups,DC=example,DC=com)(memberOf:1.2.840.113556.1.4.1941:=CN=GroupThree,OU=Security Groups,OU=Groups,DC=example,DC=com)))

paveldroo
  • Is there a way to simplify this query if I just want *all* the members of *all* Group CNs w/in that same subpath? Eg. something like `memberOf=CN=*,OU=mygroups,OU=groups,DC=subdomain,DC=domain,DC=com`. – lampShadesDrifter Apr 06 '21 at 05:17
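What the plain memberOf filter and the 1.2.840.113556.1.4.1941 chained filter in the last two answers actually compute, as an added example that is not code from either answer: a constructed in-memory directory (made-up DNs) with nested and cyclic groups, and a transitive walk standing in for the matching the DC does server-side.

```python
"""Direct vs. transitive group membership, as the two filters above evaluate it.

Added example, not code from the answers: a constructed in-memory directory
(made-up DNs) mapping each object to its memberOf values, and two predicates:
plain (memberOf=DN) and the 1.2.840.113556.1.4.1941 chain rule, which walks
nested groups and must tolerate a nesting cycle.
"""
from collections import deque

G = "OU=Security Groups,OU=Groups,DC=example,DC=com"
U = "OU=Users,DC=example,DC=com"
# GroupTwo is nested in GroupOne; GroupTwo and GroupThree nest each other (cycle).
DIRECTORY = {
    f"CN=GroupOne,{G}": set(),
    f"CN=GroupTwo,{G}": {f"CN=GroupOne,{G}", f"CN=GroupThree,{G}"},
    f"CN=GroupThree,{G}": {f"CN=GroupTwo,{G}"},
    f"CN=alice,{U}": {f"CN=GroupOne,{G}"},     # direct member of GroupOne
    f"CN=bob,{U}": {f"CN=GroupThree,{G}"},     # only transitively in GroupOne
    f"CN=carol,{U}": set(),
}


def _norm(dn: str) -> str:
    """DN matching in AD is case-insensitive; compare normalised strings."""
    return dn.casefold()


def direct_member_of(directory, obj_dn, group_dns) -> bool:
    """(memberOf=DN) semantics: only values stored on the object itself."""
    wanted = {_norm(g) for g in group_dns}
    return any(_norm(g) in wanted for g in directory.get(obj_dn, ()))


def chain_member_of(directory, obj_dn, group_dns) -> bool:
    """memberOf:1.2.840.113556.1.4.1941:= semantics: follow memberOf through
    nested groups. 'seen' stops the walk from looping on cyclic nesting."""
    wanted = {_norm(g) for g in group_dns}
    seen, queue = set(), deque(directory.get(obj_dn, ()))
    while queue:
        g = queue.popleft()
        if _norm(g) in seen:
            continue
        seen.add(_norm(g))
        if _norm(g) in wanted:
            return True
        queue.extend(directory.get(g, ()))
    return False


def users_matching(directory, group_dns, nested: bool):
    """Stand-in for the user filter: objects under the Users OU (constructed
    proxy for objectCategory=user) that the chosen predicate matches."""
    test = chain_member_of if nested else direct_member_of
    return sorted(dn for dn in directory if dn.endswith(U) and test(directory, dn, group_dns))
```

The same loop is the reason the chained filter costs the DC far more than the plain one on deeply nested group trees.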