1

I'm attempting to find out if a user is an indirect member of a specific AD group. This is done from a Delphi XE5 program but, for clarity, I have written (and tested) my samples in PowerShell.

Unfortunately, I receive completely inconsistent results from my LDAP queries: the same query will sometime work fine and, sometimes, return that the user isn't member of the given group.

Here is a (powershell) sample of what I'm attempting:

get-aduser -LDAPFilter "(memberof:1.2.840.113556.1.4.1941:=CN=egaa_app,OU=Applications,OU=access,OU=groups,OU=xxx,DC=xxx,DC=xxx,DC=xxx)" -SearchBase "CN=usr-sgr,OU=expert1,OU=experts,OU=remoteusers,OU=users,OU=exogit,OU=xxx,DC=xxx,DC=xxx,DC=xxx"

The above command should return the user usr-sgr object if it is directly or indirectly member of the AD groupegaa_app,OU=Applications,OU=access,OU=groups,OU=xxx,DC=xxx,DC=xxx,DC=xxx

Yet, when I run it once, I get an empty result. If I open the user in the AD MMC and update it somehow (in my case, I changed the user's "primary group" and then changed it back), the same query successfully returns the user object.

I have also attempted to use the "reverse" query (which check if a given group contains the user indirectly) and I witnessed the same behavior.

All this was done on a member server (Windows 2008 R2, patched), from within the same login session.

Stephane
  • 3,173
  • 3
  • 29
  • 42

1 Answers1

1

I think I can explain this to you.

First a small recall of the LDAP_MATCHING_RULE_IN_CHAIN :

The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to provide a method to look up the ancestry of an object. An example of such a query is one designed to check if a user "user1" is a member of group "group1". You would set the base to the user DN (cn=user1, cn=users, dc=x) and the scope to base, and use the following query.

(memberof:1.2.840.113556.1.4.1941:=cn=Group1,OU=groupsOU,DC=x)

Here the attribute memberof is the one that is going to be searched in chain in each group object. Use the attribute editor from the 'user & computer active directory' MMC to follow this attribute :

AD attribute Editor

And then change the primary group, you will see that the new primary group disappear from the memberof attribute list, and the old one appear in the attribute.

Conclusion, the primary group is unsupported by the LDAP_MATCHING_RULE_IN_CHAIN.

In any case be careful to setup the scope -SearchScope in PowerSell.

By the way, for me, the best tool to test this kind of filter is LDIFDE.EXE.

ldifde -f c:\temp\test.ldif -d "CN=Jean-Paul Blanc,OU=Interne,OU=Silogix,DC=silogix,DC=local" -r "(memberof:1.2.840.113556.1.4.1941:=CN=bidon,OU=Interne,OU=Silogix,DC=silogix,DC=local)" -p base
JPBlanc
  • 70,406
  • 17
  • 130
  • 175
  • That's it! Thanks a lot. However, I'm wondering what is the proper way of programatically check if a user belongs to the given group. – Stephane Sep 25 '15 at 07:21
  • You've got the big picture, you just have to add the principal group. I gave some clues [here](http://stackoverflow.com/a/6441956/608772) – JPBlanc Sep 25 '15 at 08:52