I am querying AD with cn='group_name' and I am getting all the members of group
which contains only CN='Employeeid'. But is it possible to get all members
details which includes firstname, email, lastname of members of group in one query?
Asked
Active
Viewed 669 times
0
1 Answers
0
Usually works on most installations of Microsoft Active Directory the query:
(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=YOURDOMAIN,DC=NET)
Returning the list attribute you want to see:
givenname sn mail etc.
jwilleke
- 10,467
- 1
- 30
- 51
-
This will be the fastest way, but just be aware that if you're in an environment that has more than one domain in your AD forest, and the group you're working with has a scope of Domain Local or Global, then you won't find users from other domains. – Gabriel Luci Oct 29 '18 at 01:13
-
is there any specific place to query this?I am querying at groups level and getting empty set of results.Please tell me is there any good ldap clients are available(Mac).I am using JXplorer client.And what is this :1.2.840.113556.1.4.1941:? – Test Mail Oct 29 '18 at 19:46
-
That magic number is a matching rule object identifier (OID) called `LDAP_MATCHING_RULE_IN_CHAIN`. It tells the server to make a recursive search. When applied to `memberOf` like this, it tells it to find all users that are members of that group, or are members of groups that are members of that group (nested groups). – Gabriel Luci Oct 30 '18 at 12:43
-
So if `GroupTwo` is a member of `GroupOne`, the search will return the users in `GroupTwo`. – Gabriel Luci Oct 30 '18 at 12:44
-
Can we add pagination in the same query?Because it is giving only first 1000 members.How to get next set of results? – Test Mail Nov 13 '18 at 19:20
-
pagination, AFIK. 1,000 entries? Sounds like a client set limitation. MaxValRange defaults to 1,500 for 2003-2008 and 2008 R2+ is fixed at 1,500. – jwilleke Nov 14 '18 at 16:31