-1

I am trying to retrieve all AD-GROUP names from LDAP using Python, with the "ldap3" Python library.

I failed to find a way to get through using python. Can you please let me know if you guys have any idea to get it.

I can retrieve all available AD-GROUPS using PowerShell with a simple command, and save them to a file.

Powershell code is:

$op = @()

# The line below does everything I need.
$ADGROUPS = Get-ADGroup -Filter *

# Then filtering what I need.
foreach($grp in $ADGROUPS)
{
    $g = "" | Select "name", "dn", "member"
    $g.name = $grp.name
    $g.dn = $grp.distinguishedName
    $g.member = $grp.member

    $op += $g
}

# Saving to csv file.
$op | Export-Csv "groups.csv"

I need the same thing in python.

To retrieve in python for other things, I am using this flow. But to fetch groups I am not getting it.

from ldap3 import Server, Connection, ALL, SUBTREE
ldap_conn = Connection(server, ... bla bla)
ldap_conn.search(
    search_base=my_dn,
    search_filter='(????)',  # required
    search_scope=SUBTREE,  # imported above; a bare ldap3.SUBTREE would raise NameError
    attributes='*'
)

Can someone help me with it, or with something similar, to find all AD-GROUP names?

Hara
  • 1
    I know this doesn't help you much but here's a Powershell code easier to read `Get-ADGroup -Filter * | select Name, @{n = "dn";Value = {$_.distinguishedName}}, Member | Export-Csv .\csv.csv` – Roque Sosa Apr 07 '20 at 14:12
  • `-Filter *` never do this. – Maximilian Burszley Apr 07 '20 at 14:17
  • 1
    LDAP Search: objectClass=group – thepip3r Apr 07 '20 at 14:38
  • I am not sure why there is a negative vote? – Hara Apr 07 '20 at 15:00
  • As far as the downvote, it's probably because you are asking a Python question on a PowerShell Q&A site. 'I need the same thing in python.' So, you are asking PowerShell folks to help you convert a PowerShell script to Python. Why go through the conversion at all, just do a search for 'python list active directory group names'. Using Python with ADDS is a common thing. You can't get members without getting the group name first. So, the same code, but only output the name. – postanote Apr 07 '20 at 16:50
  • One of the first hits via the above search string is 'How to list Active Directory groups with Python' https://www.accadius.com/list-active-directory-groups-python – postanote Apr 07 '20 at 16:50
  • sure. I removed PowerShell tag. thanks. – Hara Apr 07 '20 at 17:08
  • No worries and btw, that downvote was not me. – postanote Apr 07 '20 at 17:24
  • 1
    _filter = '(&(objectClass=group))' this filter is working for me. I could retrieve all groups. @thepip3r thank you! – Hara Apr 07 '20 at 17:56

1 Answer

0

You can likely start with a filter of:

'(objectClass=group)'

But you may also want to do additional filtering based on the type of group, e.g.:

'(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=8))'

should get you all Universal groups. You may need to check against other bits if you, for example, wanted to include or exclude security groups. Take a look for sites that break down the bit field of attributes like groupType to see if you can filter for what you need. For example, this site:

https://ldapwiki.com/wiki/GroupType
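
The filters from this answer and the CSV export from the question, combined in one sketch. It is an added example, not code from the original posts: `group_filter`, `decode_group_type` and `export_groups` are hypothetical helper names, and `conn` is assumed to be an already bound ldap3 `Connection`.

```python
import csv

BIT_AND = "1.2.840.113556.1.4.803"  # bitwise-AND matching rule OID from the answer
SCOPES = {"global": 0x2, "domain_local": 0x4, "universal": 0x8}
SECURITY = 0x80000000  # set on security groups, clear on distribution groups


def group_filter(scope=None, security=None):
    """scope: a SCOPES key or None; security: True, False or None (either kind)."""
    parts = ["(objectClass=group)"]
    if scope is not None:
        parts.append(f"(groupType:{BIT_AND}:={SCOPES[scope]})")
    if security is not None:
        bit = f"(groupType:{BIT_AND}:={SECURITY})"
        parts.append(bit if security else f"(!{bit})")
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def _one(value):
    # ldap3 returns a list or a scalar depending on whether schema info was loaded
    return value[0] if isinstance(value, (list, tuple)) else value


def decode_group_type(value):
    """AD reports groupType as a signed 32-bit integer; mask it before testing bits."""
    bits = int(_one(value)) & 0xFFFFFFFF
    scope = next((name for name, b in SCOPES.items() if bits & b), "unknown")
    return scope, bool(bits & SECURITY)


def export_groups(conn, base_dn, path, search_filter=None):
    """Write one CSV row per group and return the row count."""
    entries = conn.extend.standard.paged_search(  # subtree scope is the default
        search_base=base_dn,
        search_filter=search_filter or group_filter(),
        attributes=["name", "member", "groupType"],
        paged_size=500,  # page through results instead of hitting the server size limit
    )
    rows = 0
    with open(path, "w", newline="", encoding="utf-8") as fh:
        out = csv.writer(fh)
        out.writerow(["name", "dn", "scope", "security", "member"])
        for entry in entries:
            if entry.get("type") != "searchResEntry":  # skip search references
                continue
            attrs = entry["attributes"]
            scope, security = decode_group_type(attrs["groupType"])
            out.writerow([_one(attrs["name"]), entry["dn"], scope, security,
                          ";".join(attrs.get("member") or [])])
            rows += 1
    return rows
```

Very large groups can come back with `member` split into ranged chunks (`member;range=...`), which this sketch does not follow, so an empty member column for a big group needs a second look.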