21

I have a .net web application which needs to obtain the groups a user is a member of in Active Directory.

To do this I am using the memberOf attribute on the user records.

I need to know the permissions required to read this attribute on all user records.

Currently I am getting inconsistent results when trying to read this attribute. For example I have a user group of 30 users in the same OU path. Using my own credentials to query AD - I can read the memberOf attribute for some users but not others. I know all the users have a memberOf attribute set as I have checked when logged on with a domain admin account.

Adam Jenkin
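An added diagnostic for the symptom described in the question (this is example code, not part of the original post). It reads memberOf for every user under one OU through System.DirectoryServices, the same classes a .NET web application uses, and records whether the server returned the attribute at all. LDAP silently omits attributes the caller is not permitted to read, so an absent memberOf can mean either "no group memberships" or "no permission"; running the report once as the application account and once as an administrator and comparing the Returned column separates the two cases. The OU path and the account name are assumptions.

```powershell
# Added example (not part of the original question): for every user under one
# OU, read memberOf the way a .NET application would and record whether the
# server returned the attribute at all. LDAP omits attributes the caller may
# not read, so an absent memberOf can mean "no groups" or "no permission";
# run this once as the application account and once as an admin and compare
# the Returned column. OU path and account are assumptions.
Add-Type -AssemblyName System.DirectoryServices

function Get-MemberOfReport {
    param(
        [Parameter(Mandatory)][string]$OuDN,
        [System.Management.Automation.PSCredential]$Credential   # omit to use the current identity
    )
    $root = if ($Credential) {
        New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$OuDN", $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OuDN")
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 1000                         # page past the server's size limit
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'memberOf'))
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # Properties holds only the attributes the server chose to return.
            $returned = $r.Properties.Contains('memberOf')
            $count    = if ($returned) { $r.Properties['memberOf'].Count } else { 0 }
            [pscustomobject]@{
                User       = $r.Properties['sAMAccountName'][0]
                Returned   = $returned
                GroupCount = $count
            }
        }
    } finally { $results.Dispose() }
}

# Example run (assumed OU and service account; prompts for the password):
$ou   = 'OU=Staff,DC=example,DC=com'
$cred = Get-Credential 'EXAMPLE\svc-webapp'
Get-MemberOfReport -OuDN $ou -Credential $cred | Format-Table -AutoSize
```

A user who is in no groups other than their primary group has no memberOf value even for an administrator, so a Returned value of False is only meaningful when the same user shows True in the administrator run.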

2 Answers

32

On your domain object, you need to assign the querying user the "Read MemberOf" right to User objects.

  • Open AD U&C browse to your domain object
  • Right click and go to properties:

    adu-n-c-domain
    (source: sysadmin1138.net)


  • Security tab, click Advanced
  • Click Add
  • Enter the user name to add
  • Click the Properties tab
  • In 'Apply Onto' change the type to User
  • Click the "Read MemberOf" checkbox:

    ldap-read-member-of
    (source: sysadmin1138.net)


  • OK out of there

That should set it up so that the specified account can read the group memberships of all User accounts in the domain.

Glorfindel
sysadmin1138
  • 2
    Thanks sysadmin - I still cannot see a security tab when clicking properties on my test domain (its a server 2003 vm - set up by me.. a developer :P so could be wrong).. heres a picture of the properties screen I see. http://tinypic.com/r/10p7cdy/4 – Adam Jenkin Aug 05 '10 at 16:38
  • 10
    Ah, that's it. Go to View and select Advanced Features. It'll show up once that's turned on. I always have that on so I forget that it's there :} – sysadmin1138 Aug 05 '10 at 16:51
  • FWIW, this does not seem to apply to Windows Server 2012 where the Add dialog is quite different. – Chris Nelson May 19 '16 at 17:47
  • For the benefit of any users on Server 2008R2, these instructions are equally applicable, but the property tab is slightly different than what is described/pictured. The setting is labeled "Apply to:" and the correct value is "Descendant User Objects". All other instructions remain the same. – jmbpiano Mar 05 '18 at 18:13
  • Many, many permissions... http://sysadmin1138.net/images/ldap-read-member-of.png – Kiquenet Jul 14 '18 at 09:34
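The same ACE the ADUC steps in this answer create, applied with the ActiveDirectory PowerShell module so it can be scripted and then verified (added example, not sysadmin1138's code). "Read MemberOf" in the GUI is a ReadProperty right scoped to the memberOf attribute's schemaIDGUID, inherited by descendant objects of the user class; the script resolves both GUIDs from the schema partition rather than hard-coding them. It requires RSAT (the ActiveDirectory module) and the right to modify the domain object's security descriptor. The account name is an assumption.

```powershell
# Added example (not sysadmin1138's code): the same ACE the ADUC steps above
# create, applied with the ActiveDirectory module so it can be scripted and
# verified. Requires RSAT / the ActiveDirectory module and the right to change
# the domain object's security descriptor. The account name is an assumption.
Import-Module ActiveDirectory

$account  = 'EXAMPLE\svc-webapp'                 # assumption: the querying user
$domainDN = (Get-ADDomain).DistinguishedName
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve schemaIDGUIDs from the schema rather than hard-coding them.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}
$memberOfGuid  = Get-SchemaGuid 'memberOf'   # the property being granted ("Read MemberOf")
$userClassGuid = Get-SchemaGuid 'user'       # "Apply onto: Descendant User objects"

$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberOfGuid,                                           # this property only
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)                                          # on user objects only

$acl = Get-Acl -Path "AD:\$domainDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Verify: show the ACEs on the domain object for this account that name the memberOf attribute.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $account -and $_.ObjectType -eq $memberOfGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

The verification step is worth keeping: it shows ObjectType equal to the memberOf GUID, InheritedObjectType equal to the user class GUID and InheritanceType Descendents, which is the narrowest grant that satisfies the question; a rule without the two GUIDs would grant ReadProperty on every attribute of every descendant object instead.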
3

I had a similar issue and solved it on another level with a request to the AD:

(&(objectClass=group)(objectClass=top)(member=UserDN))

for the "dn" attribute.

As groups are readable by default, this will return an equal result to the "memberOf" property.

I know this is not really an answer to the permission question, but I landed here searching for a way to get the memberOf property without a permission-change in AD.

Christopher
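The member=UserDN query from this answer, run from System.DirectoryServices as a .NET application would (added example, not Christopher's code). Two things are added beyond the one-line filter: the user DN is escaped per RFC 4515 before it is placed in the filter, because a DN such as CN=Doe\, Jane,OU=... contains a backslash and user-derived input placed raw in a filter is an LDAP injection point; and an optional LDAP_MATCHING_RULE_IN_CHAIN form returns groups reached through nesting, which neither memberOf nor a plain member= search gives. The objectClass=top clause is dropped since every object is a top. The sAMAccountName is an assumption.

```powershell
# Added example (not Christopher's code): the member=<userDN> query run from
# System.DirectoryServices, the same classes a .NET web application would use.
# The user DN is escaped per RFC 4515 before it is placed in the filter, and
# an optional LDAP_MATCHING_RULE_IN_CHAIN form also returns groups reached
# through nesting. The sAMAccountName is an assumption.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Backslash first so the escape sequences added afterwards are not re-escaped.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Get-UserGroupDNs {
    param(
        [Parameter(Mandatory)][string]$UserDN,
        [switch]$IncludeNested   # walk group nesting server-side (OID 1.2.840.113556.1.4.1941)
    )
    $escaped = ConvertTo-LdapFilterValue $UserDN
    $memberClause = if ($IncludeNested) { "(member:1.2.840.113556.1.4.1941:=$escaped)" } else { "(member=$escaped)" }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher   # default root: current domain
    $searcher.Filter   = "(&(objectClass=group)$memberClause)"
    $searcher.PageSize = 1000                                           # page past the server's size limit
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $results = $searcher.FindAll()
    try     { foreach ($r in $results) { $r.Properties['distinguishedName'][0] } }
    finally { $results.Dispose() }
}

# Resolve the DN from a logon name, escaping that input as well.
$sam = 'jdoe'                                                           # assumption
$userSearcher = New-Object System.DirectoryServices.DirectorySearcher
$userSearcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $sam)))"
$user = $userSearcher.FindOne()
if (-not $user) { throw "User '$sam' not found" }
$userDN = $user.Properties['distinguishedName'][0]

Get-UserGroupDNs -UserDN $userDN                   # same set as the user's memberOf
Get-UserGroupDNs -UserDN $userDN -IncludeNested    # plus groups reached through nesting
```

Neither form includes the user's primary group (the one referenced by primaryGroupID, usually Domain Users), because primary group membership is not stored in the group's member attribute; an application that needs it must read primaryGroupID and resolve the group separately. The in-chain search is evaluated on the domain controller and is noticeably slower on large group hierarchies, so use it only when nested membership actually matters for the authorization decision.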