Getting list of users indirectly members of an AD group through LDAP
Use Get-ADGroupMember with the -Recursive switch to get a listing of all members that do not contain child objects. This will dive down into members that have child objects to get their members.
Example
Import-Module ActiveDirectory          # RSAT cmdlets (Get-ADGroup, Get-ADGroupMember)
$groupName = "Domain Admins"           # group whose effective membership is wanted
$group = Get-ADGroup $groupName
# -Recursive flattens nested groups and returns only leaf objects (users, computers)
$groupMembers = Get-ADGroupMember $group -Recursive
You need to query the group instead of the users because memberOf can give inconsistent results due to users being members of nested groups / roles / etc.
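As an added example (not part of the original answer), the script below audits the effective membership of a privileged group with the recursive cmdlet, with the LDAP_MATCHING_RULE_IN_CHAIN filter from the question, and with a primaryGroupID lookup for the Primary Group case raised in the comments, then reports every user on which the methods disagree. It assumes the RSAT ActiveDirectory module is installed and that the group name resolves in the current domain.

```powershell
# Added example, not the original answer's code. Assumes the RSAT ActiveDirectory
# module and that $groupName exists in the current domain.
Import-Module ActiveDirectory

$groupName = "Domain Admins"   # privileged group under review
$group = Get-ADGroup -Identity $groupName -Properties primaryGroupToken

# 1. Recursive cmdlet: leaf objects reached through nested groups (users only here).
$viaCmdlet = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty distinguishedName

# 2. LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941), the filter from the
#    question. The DN is a filter value, so RFC 4515 special characters must be escaped.
$dn = $group.DistinguishedName
$escaped = $dn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
$viaChain = Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$escaped)" |
    Select-Object -ExpandProperty DistinguishedName

# 3. Primary-group membership is stored in the user's primaryGroupID (the group's RID),
#    not in memberOf, so the chain filter in step 2 never reports these users.
$viaPrimary = Get-ADUser -LDAPFilter "(primaryGroupID=$($group.primaryGroupToken))" |
    Select-Object -ExpandProperty DistinguishedName

# Effective membership is the union; list every user the methods do not agree on.
$effective = @($viaCmdlet) + @($viaChain) + @($viaPrimary) | Sort-Object -Unique
$report = $effective | ForEach-Object {
    [pscustomobject]@{
        User        = $_
        Recursive   = $viaCmdlet  -contains $_
        ChainFilter = $viaChain   -contains $_
        PrimaryGrp  = $viaPrimary -contains $_
    }
}
$report | Where-Object { -not ($_.Recursive -and $_.ChainFilter) } | Format-Table -AutoSize
```

A row with Recursive = True and ChainFilter = False is a user that the LDAP filter alone would miss, which is the class of result the question describes.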
Stephane
Updated on September 18, 2022
Comments
-
Stephane over 1 year
I'm having a bit of a problem with LDAP search that should specify whether a user is a member of a given AD group or not (recursively).
Basically, what I'm doing is issue a LDAP search with the following parameters:
get-aduser -LDAPFilter "(memberof:1.2.840.113556.1.4.1941:={group LDAP path})" -SearchBase "{AD LDAP base}"
This does yield the expected result: instead of getting all users who are directly or indirectly members of the group I'm searching for, I get all direct members of that group, plus a random selection of indirect members (members of groups that are member of the searched for group).
The list I'm getting seems arbitrary: I can't find any difference in group membership between two users who should be present in the result set but one is there and the other isn't.
(I need to solve this issue with LDAP search because the result will be used in an application, not through powershell. But using powershell in this way, I can reproduce the original problem in the way described).
-
jojojoj over 9 years
How many total entries are being returned so far? If its more than 5000(?) you could be hitting the ldap server search limit, and that may factor into the "randomness" of the result.
-
Stephane over 9 years
It's only a handful: about 10
-
Jeff Barnard over 8 years
I think that query does not take into account Primary Group. As far as I know Primary Groups are not found by using "memberof" operator.
-
Stephane over 9 years
Thanks for the answer but what I'm actually looking for is a LDAP query filter that will yield that same result (see my comment about how I intend to use the solution).
-
Chris DaMour almost 3 years
didn't know about the -Recursive option on that, nice..but is there a way to only get the groups that are members of the main group recursively?