
I am using the following query to pull the groups that a username belongs to:

    Set Conn = CreateObject("ADODB.Connection")
    Set Comm = CreateObject("ADODB.Command")
    Conn.Provider = "ADsDSOObject"
    Conn.Open "Active Directory Provider"
    Set Comm.ActiveConnection = Conn
    Comm.Properties("Searchscope") = 2

    FQDN = "DC=" & Replace(FQDN, ".", ",DC=")

    Base = "<LDAP://" & Server & "/" & FQDN & ">"
    Fltr = "(&(objectClass=*)" & "(sAMAccountName=" & Username & "))"
    Attr = "SAMAccountName, memberof"
    Scope = "subtree"

    Comm.CommandText = Base & ";" & Fltr & ";" & Attr '& ";" & Scope

    Set Response = Comm.Execute

This works except that it's not returning all the groups that a user belongs to. I have a user, call him "Kyle", that belongs to "Domain Users" and another group called "RDOC Group" but only the second group is being returned in my query.

I feel like this is a simple thing but changing the scope doesn't seem to be the answer, nor does modifying the filter (at least that I've tried).

Any ideas?

Tchotchke
  • Is the user a direct member in both groups (i.e. not via a nested group)? – Tim Williams Feb 23 '18 at 01:48
  • I will have to check when I get back to the office. I'd bet it's a nested group though because our AD security group management has been horribly neglected for several years. If it were, will I only get the highest group? – Tchotchke Feb 23 '18 at 03:12
  • Maybe look at https://stackoverflow.com/questions/6195812/ldap-nested-group-membership – Tim Williams Feb 23 '18 at 03:28
  • Or a permission error. I'm d'd if I know how it got that way, but I can't get group membership for some groups for some users because the query owner doesn't have permission to see that information! Otherwise identical users, group membership shows ok in other contexts, but my AD query reports non-membership until I go in and change the permission on that data element. – david Feb 23 '18 at 09:07
  • @TimWilliams, It is nested groups. Domain Admins is a part of the RDOC Group security group. I'll take a look at that link and see if I can glean anything from it. – Tchotchke Feb 26 '18 at 16:44
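
An added example, not part of the original question or its comments: memberOf lists only direct memberships and never the primary group, which is recorded in the user's primaryGroupID, so this VBScript (for cscript) resolves the user and then asks the directory for every group that contains the user directly or through nesting, using the matching-rule-in-chain OID 1.2.840.113556.1.4.1941. Values placed in the filter are escaped per RFC 4515 so a crafted username cannot alter the query. The Server, FQDN and Username values are placeholders, and EscapeLdapFilterValue and AdQuery are helper names introduced here.

```vbscript
Option Explicit

' Escape a value for use inside an LDAP search filter (RFC 4515).
Function EscapeLdapFilterValue(ByVal s)
    s = Replace(s, "\", "\5c")      ' backslash first, so later escapes are not re-escaped
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, Chr(0), "\00")
    EscapeLdapFilterValue = s
End Function

' Run an LDAP-dialect ADO query over the whole subtree and return the recordset.
Function AdQuery(Conn, Base, Fltr, Attr)
    Dim Comm
    Set Comm = CreateObject("ADODB.Command")
    Set Comm.ActiveConnection = Conn
    Comm.Properties("Page Size") = 500      ' page results so large domains are not truncated
    Comm.CommandText = Base & ";" & Fltr & ";" & Attr & ";subtree"
    Set AdQuery = Comm.Execute
End Function

Dim Server, FQDN, Username, Conn, Base, Rs, UserDN
Server = "dc01.example.test"    ' placeholder domain controller
FQDN = "example.test"           ' placeholder domain name
Username = "kyle"               ' placeholder sAMAccountName

Set Conn = CreateObject("ADODB.Connection")
Conn.Provider = "ADsDSOObject"
Conn.Open "Active Directory Provider"
Base = "<LDAP://" & Server & "/DC=" & Replace(FQDN, ".", ",DC=") & ">"

' Step 1: resolve the user to a distinguished name and read the primary group RID.
Set Rs = AdQuery(Conn, Base, "(&(objectClass=user)(sAMAccountName=" & _
    EscapeLdapFilterValue(Username) & "))", "distinguishedName,primaryGroupID")
If Rs.EOF Then
    WScript.Echo "User not found: " & Username
    WScript.Quit 1
End If
UserDN = Rs.Fields("distinguishedName").Value
WScript.Echo "Primary group RID: " & Rs.Fields("primaryGroupID").Value & " (513 = Domain Users)"

' Step 2: every group whose member chain reaches the user (direct and nested).
Set Rs = AdQuery(Conn, Base, "(member:1.2.840.113556.1.4.1941:=" & _
    EscapeLdapFilterValue(UserDN) & ")", "sAMAccountName")
Do Until Rs.EOF
    WScript.Echo Rs.Fields("sAMAccountName").Value
    Rs.MoveNext
Loop
```

The in-chain search walks only the member attribute, so groups reached solely through the primary group are not expanded by it.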

0 Answers