Query to list all users of a certain group

Solution 1

memberOf (in AD) is stored as a list of distinguishedNames. Your filter needs to be something like:

(&(objectCategory=user)(memberOf=cn=MyCustomGroup,ou=ouOfGroup,dc=subdomain,dc=domain,dc=com))

If you don't yet have the distinguished name, you can search for it with:

(&(objectCategory=group)(cn=myCustomGroup))

and return the attribute distinguishedName. Case may matter.

Solution 2

For Active Directory users, an alternative way to do this would be -- assuming all your groups are stored in OU=Groups,DC=CorpDir,DC=QA,DC=CorpName -- to use the query (&(objectCategory=group)(CN=GroupCN)). This will work well for all groups with less than 1500 members. If you want to list all members of a large AD group, the same query will work, but you'll have to use ranged retrieval to fetch all the members, 1500 records at a time.

The key to performing ranged retrievals is to specify the range in the attributes using this syntax: attribute;range=low-high. So to fetch all members of an AD Group with 3000 members, first run the above query asking for the member;range=0-1499 attribute to be returned, then for the member;range=1500-2999 attribute.
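The ranged-retrieval loop described in this answer, as an added example (not code from the answer itself). The LDAP search is abstracted as a callable search(base_dn, search_filter, attributes) returning {attribute name: [values]}, the shape most LDAP clients hand back; FakeDirectory is a constructed in-memory stand-in that mimics the DC's 1500-value limit so the loop can be run and checked offline. The group DN and member names are constructed sample values.

```python
"""Ranged retrieval of a large AD group's member attribute (Solution 2).

Added example, not code from the answer above. The actual LDAP search is
abstracted as a callable search(base_dn, search_filter, attributes) that
returns {attribute name: [values]}. FakeDirectory is a constructed
in-memory stand-in for a DC so the loop can be exercised offline.
"""
import re

AD_RANGE_LIMIT = 1500  # AD's default MaxValRange, per the answer above

# Matches "member;range=0-1499" and the final chunk "member;range=1500-*".
_RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$")


def fetch_all_values(search, base_dn, search_filter, attr="member"):
    """Return every value of a multi-valued attribute, 1500 at a time.

    AD answers a request for member;range=0-1499 with an attribute named
    member;range=0-1499 and signals the last chunk by returning '*' as the
    upper bound (for example member;range=3000-*), so the loop keys off
    that marker rather than off the number of values received.
    """
    values, low = [], 0
    while True:
        requested = f"{attr};range={low}-{low + AD_RANGE_LIMIT - 1}"
        result = search(base_dn, search_filter, [requested])
        chunk_match = None
        for name, vals in result.items():
            m = _RANGE_RE.match(name)
            if m and m.group("attr").lower() == attr.lower():
                chunk_match, chunk = m, vals
                break
        if chunk_match is None:
            # Server did not honour the range option: take whatever the
            # plain attribute holds and stop rather than loop forever.
            values.extend(result.get(attr, []))
            break
        values.extend(chunk)
        if chunk_match.group("high") == "*":
            break  # server marked this as the last chunk
        low = int(chunk_match.group("high")) + 1
    return values


class FakeDirectory:
    """Constructed stand-in for a DC holding one group with N members."""

    def __init__(self, member_count):
        self.members = [f"CN=user{i},OU=Users,DC=example,DC=com"
                        for i in range(member_count)]
        self.calls = 0  # round trips made, to show how many the loop needs

    def search(self, base_dn, search_filter, attributes):
        self.calls += 1
        result = {}
        for requested in attributes:
            m = _RANGE_RE.match(requested)
            if not m or m.group("attr").lower() != "member":
                continue
            low = int(m.group("low"))
            end = (len(self.members) if m.group("high") == "*"
                   else int(m.group("high")) + 1)
            end = min(end, low + AD_RANGE_LIMIT, len(self.members))
            # Like AD, mark the last chunk with '*' instead of a number.
            label = "*" if end >= len(self.members) else str(end - 1)
            result[f"member;range={low}-{label}"] = self.members[low:end]
        return result


if __name__ == "__main__":
    dc = FakeDirectory(3000)
    members = fetch_all_values(
        dc.search,
        "OU=Groups,DC=CorpDir,DC=QA,DC=CorpName",
        "(&(objectCategory=group)(CN=GroupCN))",
    )
    print(f"{len(members)} members fetched in {dc.calls} searches")
```

With a real client you would pass its search function in place of dc.search; the termination condition is the '*' upper bound the server returns, not an empty chunk, which is why a server that ignores the range option is handled separately instead of being polled indefinitely.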

Solution 3

If the DC is Win2k3 SP2 or above, you can use something like:

(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=example,DC=com))

to get the nested group membership.

Source: https://ldapwiki.com/wiki/Active%20Directory%20Group%20Related%20Searches
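The filters from Solutions 1 and 3 built in code, as an added example rather than code from the answers. It is pure Python with no LDAP library and only produces the filter strings you would hand to ldapsearch or any LDAP client; the point it adds is RFC 4515 escaping of the group name or DN, which matters whenever that value comes from user input, since an unescaped '*', '(' or ')' changes the structure of the filter (LDAP filter injection) instead of being matched literally. The function names and the sample DN in the demo are assumptions.

```python
"""Build the group-membership search filters from Solutions 1 and 3.

Added example, not code from the answers above. Group and OU names used
in the demo are constructed sample values.
"""

# OID of LDAP_MATCHING_RULE_IN_CHAIN, the AD extensible-match rule used in
# Solution 3 to follow nested group membership.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP filter (RFC 4515).

    Anything that reaches the filter from outside (a group name typed into
    a form, a DN read from a config file) must go through this. A comma
    inside a CN is already written as '\\,' in the DN, so the backslash
    itself becomes '\\5c' here; spaces are left untouched.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def group_lookup_filter(group_cn: str) -> str:
    """Find a group by CN so its distinguishedName can be read (Solution 1)."""
    return f"(&(objectCategory=group)(cn={escape_filter_value(group_cn)}))"


def direct_members_filter(group_dn: str) -> str:
    """Users whose memberOf holds exactly this group DN (Solution 1)."""
    return f"(&(objectCategory=user)(memberOf={escape_filter_value(group_dn)}))"


def nested_members_filter(group_dn: str) -> str:
    """Users that are members directly or through nested groups (Solution 3)."""
    return (
        "(&(objectCategory=user)"
        f"(memberOf:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)}))"
    )


if __name__ == "__main__":
    # Constructed sample DN, same shape as the one in Solution 1.
    dn = "cn=MyCustomGroup,ou=ouOfGroup,dc=subdomain,dc=domain,dc=com"
    print(group_lookup_filter("MyCustomGroup"))
    print(direct_members_filter(dn))
    print(nested_members_filter(dn))
    # A hostile group name can no longer widen the search to every user.
    print(direct_members_filter("*)(objectClass=*"))
```

Escaping is applied to the value only, never to the attribute name or the matching-rule OID, so the DN is still compared as a whole string; the nested-membership filter is noticeably slower on large directories, so use direct_members_filter unless nesting is actually needed.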


Author: Madam Zu Zu

Updated on July 05, 2022

Comments

  • Madam Zu Zu
    Madam Zu Zu almost 2 years

    How can I use a a search filter to display users of a specific group?

    I've tried the following:

    (&
        (objectCategory=user)
        (memberOf=MyCustomGroup)
    )

    and this:

    (&
        (objectCategory=user)
        (memberOf=cn=SingleSignOn,ou=Groups,dc=tis,dc=eg,dc=ddd,DC=com)
    )


    but neither display users of a specific group.

  • Kodra
    Kodra about 12 years
    Typically in Active Directory you have a number of Organizational Units that contain the structure. The default root OU for groups is Groups. It's likely that cn=MyCustomGroup,ou=Groups,dc=subdomain,dc=domain,dc=com will work for you. If it doesn't, I would recommend doing an LDAP search for your group (&(objectCategory=group)(cn=MyCustomGroup)) and including the distinguishedName attribute in the result set. That will tell you exactly what string to use in your other query.
  • Madam Zu Zu
    Madam Zu Zu about 12 years
    I did what you said, but I got no results back using the following: (&(objectCategory=user)(memberOf=cn=SingleSignOn,ou=Groups,dc=tis,dc=eg,dc=ddd,DC=com))
  • Kodra
    Kodra about 12 years
    Did you try doing a search for your group to make sure you have the right DN? My filter would be (&(objectCategory=group)(cn=SingleSignOn)) and the property would be "distinguishedName". Make sure you are searching from the root of the Domain, not the User OU (which you might be doing if your filter is for users only). You can take the distinguishedName from that query and plug it directly in to your user query.
  • Madam Zu Zu
    Madam Zu Zu about 12 years
    Uugghhh. I think it was case sensitive... seems to be working now!!! :)) thanks!!!!!!!!!!!
  • Stalinko
    Stalinko almost 8 years
    Don't forget to specify (CN=GroupCN). I tried to request all groups and it didn't work until I specified this. Also, you can use an asterisk when you specify the range: member;range=1500-* also works well.
  • Timothy Gonzalez
    Timothy Gonzalez almost 7 years
    I don't think casing is the problem; it's the whitespace.
  • Camilo
    Camilo almost 5 years
    @Kodra Would this be the value of the -b parameter inside an ldapsearch in the terminal? Would you care to look at this: ldapsearch -x -D "cn=Camilo Q Barrero P789677,OU=Users,OU=Technology,OU=Head Office,OU=Accounts,OU=Production,DC=aur,DC=national,DC=com,DC=au" -w Teri3torz -H ldap://ldapaur.aur.national.com.au -b OU=Applications,OU=NAB,OU=Groups,OU=Production,DC=aur,DC=national,DC=com,DC=au "(&(objectClass=user)(memberOf=CN=NAB-Application-ContactCentre-NAB-PAC-Agent,OU=Applications,OU=NAB,OU=Groups,OU=Production,DC=aur,DC=national,DC=com,DC=au))"
  • lampShadesDrifter
    lampShadesDrifter about 3 years
    Is there a way to simplify this query if I just want all the members of all Group CNs within that same subpath? E.g. something like memberOf=CN=*,OU=mygroups,OU=groups,DC=subdomain,DC=domain,DC=com.
  • alucor-it
    alucor-it over 2 years
    Hi @Stalinko, what if a group does not have a CN? I have groups that only have OU and DC attributes.
  • sigint
    sigint over 2 years
    Any valid LDAP query that Active Directory supports ought to work -- there's a sample list of these at ldapwiki.com/wiki/… On the other hand, it's a bit unusual for a Group to not have a CN, which attribute is the "base name" of the Group in your case?