
I'm writing a C# method to fetch a user's group membership. I need to know, for each group, whether the user is a direct, or an indirect (due to group nesting) member.

My first attempt:

groupSearch.Filter = $"(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:={userDistinguishedName}))";

This fetches both direct and indirect group memberships, but there is no way to distinguish the groups as direct or indirect.

My next attempt will be to get a list of only direct memberships, and another list of only indirect memberships, and then concatenate them. I know that a list of direct-only memberships can be fetched with the following filter:

groupSearch.Filter = $"(&(objectCategory=group)(member={userDistinguishedName}))";

Is there an equivalent way to get a list of indirect memberships? For example:

groupSearch.Filter = $"(&(objectCategory=group)(member-indirect={userDistinguishedName}))";

From the documentation it doesn't appear to be possible.

Kev

2 Answers


The only solution that I have found, is to fetch a list of direct memberships and a list of all memberships from AD, and to take the intersection of the two lists (based on the groups' objectGUID), which results in a list of indirect memberships:

// All memberships, direct and nested (transitive search)
var userADGroups = _user.FindUserGroups(distinguishedName);
// Direct memberships only (plain member= filter)
var userADGroups_directOnly = _user.FindUserGroups(distinguishedName, directMembershipOnly: true);
// Groups present in the full list but absent from the direct list, compared by objectGUID
var userADGroups_indirectOnly = userADGroups.Where(x => userADGroups_directOnly.All(y => x.ObjectGuid != y.ObjectGuid));
Kev
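An added example, not code from the question or either answer, of the two-query approach in C# with System.DirectoryServices: it assumes the caller passes a DirectoryEntry as the search base, and it escapes the user DN per RFC 4515 before interpolating it into the filter so a crafted DN cannot alter what the filter matches.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example, not code from the question or answers: runs the direct-only
// and transitive (LDAP_MATCHING_RULE_IN_CHAIN) searches from the thread, then
// labels each group by objectGUID. Assumes the caller supplies the search base.
static class GroupMembership
{
    // RFC 4515 escaping for a value placed in a filter, so a DN containing
    // '\' '*' '(' ')' or NUL cannot change what the filter matches.
    // The backslash must be replaced first so later escapes are not doubled.
    public static string EscapeFilterValue(string value) =>
        value.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
             .Replace(")", "\\29").Replace("\0", "\\00");

    // One subtree search, mapping objectGUID -> distinguishedName.
    static Dictionary<Guid, string> Search(DirectoryEntry root, string filter)
    {
        var found = new Dictionary<Guid, string>();
        var props = new[] { "objectGUID", "distinguishedName" };
        using (var searcher = new DirectorySearcher(root, filter, props, SearchScope.Subtree))
        using (SearchResultCollection results = searcher.FindAll())
        {
            foreach (SearchResult r in results)
                found[new Guid((byte[])r.Properties["objectGUID"][0])] =
                    (string)r.Properties["distinguishedName"][0];
        }
        return found;
    }

    // Group DN -> true for a direct membership, false when it exists only
    // through nesting (present in the transitive result but not the direct one).
    public static Dictionary<string, bool> Classify(DirectoryEntry root, string userDn)
    {
        string dn = EscapeFilterValue(userDn);
        var direct = Search(root, $"(&(objectCategory=group)(member={dn}))");
        var all = Search(root,
            $"(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:={dn}))");
        var result = new Dictionary<string, bool>();
        foreach (var kv in all)
            result[kv.Value] = direct.ContainsKey(kv.Key);
        return result;
    }
}
```

The user's primary group (primaryGroupID) is not stored in member, so neither query returns it. The nesting is resolved server-side by the matching rule, so no client-side recursion over group members is needed.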

Try using LDAP_MATCHING_RULE_IN_CHAIN.

LDAP_MATCHING_RULE_IN_CHAIN is a matching rule designed to provide a method to look up the ancestry of an object. Many applications using AD usually work with hierarchical data.

An example of such a query is one designed to check if a user "user1" is a member of group "group1". You would set the base to the user DN (cn=user1, cn=users, dc=x) and the scope to base.

(memberof:1.2.840.113556.1.4.1941:=cn=Group1,OU=groupsOU,DC=x)

To find all the groups that "user1" is a member of, set the base to the groups container DN, for example (OU=groupsOU, dc=x), and the scope to subtree.

(member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)

For more details, refer to this document and the SO thread.

ShrutiJoshi-MT