LDAP Query against Active Directory

If anyone knows how to get a list of all the groups to which a particular user belongs using an LDAP query against Active Directory in a Windows environment, please let me know. Assume that you have the user id available as the only input.

I need this urgently. I don't care if it's the ADSI dialect or the SQL dialect (i.e. with ADO).

I already have an LDAP query that works and returns ALL the groups without the user id filter.

Thanks

Re: LDAP Query against Active Directory

Asif...how about this command:

ifmember

Re: LDAP Query against Active Directory

well, if u have XP u can use the "dsget" query to get the membership:
e.g. dsget user "CN=FULLNAME,OU=OUNAME,DC=DOMAIN,DC=com" -memberof

replace OUNAME and DOMAIN, and use the right extension. There are VB scripts that can help you there as well.
In the same series there are other "ds***" apps, e.g. dsquery, dsadd, etc.

Re: LDAP Query against Active Directory

BTW, all the -memberof info is saved in the ADSI info of a user, in a field called "memberOf" (dohh!!). Just thought i'd mention that.

Re: LDAP Query against Active Directory

Tofi,

I am new to ADSI and this really helped.

I am using the following query using ADO

sUserId = "johndoe"
sQuery = "SELECT sAMAccountName, memberOf FROM '" & "LDAP://dc=company,dc=com" & "' WHERE sAMAccountName = '" & sUserId & "'"

This works great. I never knew that an ADO recordset can return an array (memberOf is an array) as part of the fields collection.

Anyway, when I access the returned recordset.fields("memberOf").Value(0), I get the following:

CN=PS Technology Management Practice,CN=Users,DC=company,DC=com

The whole string.

Instead I wonder if there is a way to get just the actual group name, i.e. the "PS Technology Management Practice" part.

I can parse it out but I was just curious.

Thanks for the help.

Re: LDAP Query against Active Directory

I am not aware of any parameters that would take the other parts out. The other backward way, if you don't wanna do the parsing, is to do a 'dsget' or 'dsquery' against all the groups and if that name is present mark that group true or something similar. All depends on where u are running the query from and what you want to accomplish. There is a really good book on Active Directory called the Active Directory Cookbook by O'Reilly that covers all kinds of stuff. Let me know if u wanna look thru it ;)

Re: LDAP Query against Active Directory

I really dig questions like this. Helps me learn too. Here’s another article I found about AD querying via C#:
http://www.codeproject.com/dotnet/QueryADwithDotNet.asp

Re: LDAP Query against Active Directory

.NET makes it easier with the DirectorySearcher object. I am dealing with an enhancement for an old app that was written in VB6.

Read this too while u are at it.

Thanks for your help again. I made progress yesterday, and won’t be back to work until Monday. I still need to write more queries for nested groups and to avoid infinite looping due to recursively nested groups.

Happy Eid.
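The nested-group expansion the post above still has to write, as an added example that is not code from the thread. It runs over a constructed in-memory snapshot of memberOf values instead of a live directory, so its only assumption is a mapping from an object's DN to the DNs in its memberOf attribute; the names MEMBER_OF, direct_groups, resolve_nested, all_groups and membership_chain are mine. The sample data deliberately contains two groups that are members of each other, which is the recursive nesting that makes a naive "follow memberOf until it is empty" walk loop forever.

```python
"""Resolve a user's nested group membership without looping on group cycles."""
from collections import deque

# Constructed sample data: johndoe is in GroupA and GroupB directly; GroupA is in
# Parent1; GroupB and GroupC are members of each other (a cycle); Parent1 has no
# memberOf at all, as a top-level group would not.
MEMBER_OF = {
    "CN=johndoe,CN=Users,DC=company,DC=com": [
        "CN=GroupA,OU=Groups,DC=company,DC=com",
        "CN=GroupB,OU=Groups,DC=company,DC=com",
    ],
    "CN=GroupA,OU=Groups,DC=company,DC=com": ["CN=Parent1,OU=Groups,DC=company,DC=com"],
    "CN=GroupB,OU=Groups,DC=company,DC=com": ["CN=GroupC,OU=Groups,DC=company,DC=com"],
    "CN=GroupC,OU=Groups,DC=company,DC=com": [
        "CN=GroupB,OU=Groups,DC=company,DC=com",   # cycle back to GroupB
        "CN=Parent1,OU=Groups,DC=company,DC=com",
    ],
    "CN=Parent1,OU=Groups,DC=company,DC=com": [],
}


def direct_groups(dn, member_of=MEMBER_OF):
    """memberOf of one object; [] when the attribute is absent.
    The primary group (primaryGroupID, usually Domain Users) is never listed in
    memberOf, so it has to be added separately if you need it."""
    return list(member_of.get(dn, []))


def resolve_nested(user_dn, member_of=MEMBER_OF):
    """Breadth-first walk from the user's direct groups through each group's own
    memberOf. Returns {group_dn: group it was reached through}, None meaning a
    direct membership. Every group is expanded at most once, so a cycle such as
    GroupB <-> GroupC terminates, and a group reachable by several paths is
    reported once, via its shortest path."""
    via = {}
    queue = deque((g, None) for g in direct_groups(user_dn, member_of))
    while queue:
        group, parent = queue.popleft()
        if group in via:        # already expanded: a second path or a cycle
            continue
        via[group] = parent
        queue.extend((g, group) for g in direct_groups(group, member_of))
    return via


def all_groups(user_dn, member_of=MEMBER_OF):
    """Sorted DNs of every group the user belongs to, directly or by nesting."""
    return sorted(resolve_nested(user_dn, member_of))


def membership_chain(user_dn, group_dn, member_of=MEMBER_OF):
    """The groups linking the user to group_dn, direct group first; [] if none."""
    via = resolve_nested(user_dn, member_of)
    if group_dn not in via:
        return []
    chain = [group_dn]
    while via[chain[-1]] is not None:
        chain.append(via[chain[-1]])
    return chain[::-1]


if __name__ == "__main__":
    user = "CN=johndoe,CN=Users,DC=company,DC=com"
    for g in all_groups(user):
        print(g, "via", " -> ".join(membership_chain(user, g)))
```

Against a real directory the same walk issues one lookup per group DN; a visited set is what bounds the number of lookups regardless of how the groups are nested. Active Directory also exposes the fully expanded result server-side through the constructed tokenGroups attribute of the user object (as SIDs rather than DNs), which avoids the client-side recursion entirely.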

Re: LDAP Query against Active Directory

and let me know, if you want to have a soft copy of it :)..

Good replies TB.

Re: LDAP Query against Active Directory

CB,

I would love to have a soft copy!!!

Do you have it somewhere I can download it from or do you want me to send you my email addy?

Re: LDAP Query against Active Directory

When the actual group whose membership we are trying to find is 10 OU levels deep then what exactly do you put for the OU. Do you keep doing ou=something, ou=the next something?

Were my questions clear?

Re: LDAP Query against Active Directory

Yes you keep doing OU something. e.g.
"CN=GROUPNAME, OU=OU1, OU=OU2, OU=OU3, DC=DOMAIN, DC=COM"
Tree-view would be:
-DOMAIN.COM
---OU3
-----OU2
-------OU1
---------GROUPNAME
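An added example, not code from the thread, serving two earlier points at once: the question about getting just the group name out of the "CN=...,CN=Users,DC=company,DC=com" string the recordset returns, and the OU nesting shown in the reply above. It is pure string handling with no directory access, and parse_dn, group_name, domain_of and tree_view are names I chose. It follows RFC 4514 escaping, so a group whose name itself contains a comma (CN=Smith\, John) is not split in the wrong place, which a plain split on commas would get wrong.

```python
"""Pull the group name and the OU hierarchy out of an Active Directory DN."""


def _join(tokens):
    """Drop unescaped leading/trailing spaces, then decode escaped bytes as UTF-8.
    Unescaped characters are str tokens and escaped ones are bytes, so an escaped
    space survives the strip."""
    while tokens and tokens[0] == " ":
        tokens.pop(0)
    while tokens and tokens[-1] == " ":
        tokens.pop()
    raw = b"".join(t if isinstance(t, bytes) else t.encode("utf-8") for t in tokens)
    return raw.decode("utf-8", errors="replace")


def parse_dn(dn):
    """Split a DN into [(ATTR, value), ...], most specific RDN first.

    A backslash protects the next character (CN=Smith\\, John) or introduces a
    two-digit hex byte (CN=Smith\\2c John). ',' and ';' end an RDN; '+' (a
    multi-valued RDN) is split into separate pairs the same way."""
    rdns, attr, value, in_value = [], [], [], False
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        target = value if in_value else attr
        if c == "\\" and i + 1 < n:
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(h in "0123456789abcdefABCDEF" for h in hexpair):
                target.append(bytes([int(hexpair, 16)]))
                i += 3
            else:
                target.append(dn[i + 1].encode("utf-8"))
                i += 2
            continue
        if not in_value and c == "=":
            in_value = True
        elif in_value and c in ",;+":
            rdns.append((_join(attr).upper(), _join(value)))
            attr, value, in_value = [], [], False
        else:
            target.append(c)
        i += 1
    if attr or value:
        rdns.append((_join(attr).upper(), _join(value)))
    return rdns


def group_name(dn):
    """The CN of the object the DN names, i.e. the group name on its own."""
    rdns = parse_dn(dn)
    if not rdns or rdns[0][0] != "CN":
        raise ValueError("DN does not start with a CN component: %r" % dn)
    return rdns[0][1]


def domain_of(dn):
    """DNS-style domain name built from the DC components."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def tree_view(dn):
    """The containment hierarchy drawn the way the reply above draws it, root first."""
    rdns = parse_dn(dn)
    lines = ["-" + domain_of(dn)] if any(a == "DC" for a, _ in rdns) else []
    containers = [v for a, v in rdns if a != "DC"]
    for depth, name in enumerate(reversed(containers), start=len(lines)):
        lines.append("-" * (2 * depth + 1) + name)
    return lines


if __name__ == "__main__":
    dn = "CN=GROUPNAME, OU=OU1, OU=OU2, OU=OU3, DC=DOMAIN, DC=COM"
    print(group_name(dn))
    print("\n".join(tree_view(dn)))
```

Reading the parsed list from the end back to the start gives the path from the domain root down to the object, which is exactly the tree view in the reply: each OU= component is one level deeper, and a group ten OUs down simply has ten OU= components between its CN and the DC components.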

Re: LDAP Query against Active Directory

Thanks Tofi.

Re: LDAP Query against Active Directory

^^ for a general search, like if you want to know all the groups in your AD, then it should be
something like that..

Examples:
To find all groups in the current domain whose name starts with "ms" and whose description starts with "admin", and display their DNs:
dsquery group domainroot -name ms* -desc admin*

Find all groups in the domain given by dc=microsoft,dc=com
and display their DNs:
dsquery group dc=microsoft,dc=com

Re: LDAP Query against Active Directory

Hey Asif, this scripty will take care of your whole issue:

strDomain = "LDAP://dc=xxx,dc=xxx"     ' your domain's naming context
strUser = "enter the user name here"   ' the user's sAMAccountName

Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection

' Escape the user-supplied value (RFC 4515) so that * ( ) \ in it cannot change the filter
strFilter = "(&(objectCategory=person)(sAMAccountName=" & EscapeFilter(strUser) & "))"
strAttributes = "distinguishedName"
' ADSI's LDAP dialect needs the search base in angle brackets: <LDAP://...>;filter;attributes;scope
strQuery = "<" & strDomain & ">;" & strFilter & ";" & strAttributes & ";subtree"

objCommand.CommandText = strQuery
Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName").Value
    Set objUser = GetObject("LDAP://" & strDN)

    ' objUser.MemberOf returns a plain string when the user is in exactly one group,
    ' which breaks For Each; GetEx always returns an array. GetEx raises an error when
    ' the attribute is absent (no direct memberships), so fall back to an empty array.
    On Error Resume Next
    arrGroups = objUser.GetEx("memberOf")
    If Err.Number <> 0 Then
        Err.Clear
        arrGroups = Array()
    End If
    On Error GoTo 0

    ' The primary group (usually Domain Users) is never listed in memberOf.
    For Each strGroup In arrGroups
        Set objGroup = GetObject("LDAP://" & strGroup)
        WScript.Echo objGroup.sAMAccountName
    Next

    objRecordSet.MoveNext
Loop

' Escapes the characters that have special meaning in an LDAP search filter (RFC 4515)
Function EscapeFilter(strValue)
    Dim i, c, strOut
    For i = 1 To Len(strValue)
        c = Mid(strValue, i, 1)
        Select Case c
            Case "\": strOut = strOut & "\5c"
            Case "*": strOut = strOut & "\2a"
            Case "(": strOut = strOut & "\28"
            Case ")": strOut = strOut & "\29"
            Case Else: strOut = strOut & c
        End Select
    Next
    EscapeFilter = strOut
End Function
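Both the ADO query earlier in the thread (sUserId spliced into the WHERE clause) and the script above build the search filter by concatenating the user id into it. The following is an added example, not code from the thread, showing the same filter built with the id treated as data: validated against what AD itself accepts in a sAMAccountName, then escaped per RFC 4515 so that a wildcard or parenthesis in it can only ever match literally. escape_filter_value, is_valid_sam_account_name, unsafe_user_filter and user_filter are names I chose, and nothing here talks to a directory.

```python
"""Build the user-lookup filter with the user id treated as data, not syntax."""

# Characters with special meaning in a filter value (RFC 4515); NUL included.
_FILTER_SPECIAL = {"*", "(", ")", "\\", "\x00"}

# Characters AD refuses in a sAMAccountName:  " / \ [ ] : ; | = , + * ? < >
_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter.

    Special characters and every non-ASCII character are emitted as \\XX hex
    escapes of their UTF-8 bytes, so the result is ASCII and matches literally."""
    out = []
    for ch in value:
        if ch in _FILTER_SPECIAL or ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def is_valid_sam_account_name(value):
    """Reject anything AD would not accept as a user logon name: empty, longer
    than 20 characters, non-printable, a forbidden character, or a trailing
    period. Escaping makes the filter safe; this check additionally refuses
    input that could never name a real account."""
    return (
        0 < len(value) <= 20
        and value.isprintable()
        and not (_SAM_FORBIDDEN & set(value))
        and not value.endswith(".")
    )


def unsafe_user_filter(sam_account_name):
    """The thread's construction: the id is pasted straight into the filter, so
    a wildcard or parenthesis in it changes what the query matches."""
    return "(&(objectCategory=person)(sAMAccountName=" + sam_account_name + "))"


def user_filter(sam_account_name):
    """Hardened form: validate, then escape, then build."""
    if not is_valid_sam_account_name(sam_account_name):
        raise ValueError("not a valid sAMAccountName: %r" % sam_account_name)
    return "(&(objectCategory=person)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)


if __name__ == "__main__":
    print(unsafe_user_filter("johndoe"))
    print(user_filter("johndoe"))
```

For a well-formed id the two functions produce the same string, so the hardened version costs nothing in the normal case; the difference only shows when the id is not a plain account name, where user_filter refuses it and escape_filter_value would render any remaining special character inert. The same escaping belongs in the VB6 or VBScript code before the value goes into either the LDAP-dialect filter or the SQL-dialect WHERE clause.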