I am in an organization with an Active Directory with a very deep nested group structure. I would like to query the directory to recursively find user members of a group from a Linux machine. On a Windows machine,

dsget group "dn_of_group" -members -expand

does exactly what I want and does it very quickly. When I tried to get the same results via LDAP with

(memberOf:1.2.840.113556.1.4.1941:=dn_of_group)

the query takes almost a minute to run. Does dsget use LDAP under the hood or does it use some other means to query the directory? And if so, is there any way for me to also use that?

Edit: Clarified that I need the members which are users.

Jeff Mc

1 Answer

The framework 3.5, with the System.DirectoryServices.AccountManagement namespace, provides a method that searches all groups recursively and returns the groups in which the user is a member. The returned set may also include additional groups that the system would consider the user a member of for authorization purposes.

UserPrincipal.GetAuthorizationGroups()

The groups that are returned by this method may include groups from a different scope and store than the principal. For example, if the principal is an AD DS object that has a DN of "CN=SpecialGroups,DC=Fabrikam,DC=com", the returned set can contain groups that belong to the "CN=NormalGroups,DC=Fabrikam,DC=com".

In the other direction you've got:

GroupPrincipal.GetMembers(bool recursive)

See Remarks

JPBlanc
  • I need to go the other direction. I.e. find all the user members of a specified group, not find all the groups a specified user is a member of. – Jeff Mc Jan 18 '12 at 21:23
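
Added example, not part of the question or the answer above: one way to get the user members of a nested group from a Linux client without the in-chain matching rule is to walk the member attribute breadth-first, skipping groups already visited. The `fetch` callable, `sample_fetch` and the sample DNs are hypothetical stand-ins for a base-scoped LDAP read of each entry's objectClass and member attributes.

```python
from collections import deque

# Constructed sample data standing in for base-scoped LDAP reads.
# Groups A and B contain each other (circular nesting).
SAMPLE_DIRECTORY = {
    "CN=A,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "member": ["CN=B,DC=example,DC=com", "CN=alice,DC=example,DC=com"]},
    "CN=B,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "member": ["cn=a,dc=example,dc=com", "CN=bob,DC=example,DC=com",
                   "CN=pc1,DC=example,DC=com"]},
    "CN=alice,DC=example,DC=com": {"objectClass": ["top", "person", "user"]},
    "CN=bob,DC=example,DC=com": {"objectClass": ["top", "person", "user"]},
    # In AD the computer class derives from user, so it has to be excluded.
    "CN=pc1,DC=example,DC=com": {
        "objectClass": ["top", "person", "user", "computer"]},
}


def sample_fetch(dn):
    """Hypothetical lookup; replace with a real LDAP search (scope=base)."""
    for key, attrs in SAMPLE_DIRECTORY.items():
        if key.lower() == dn.lower():  # DNs compare case-insensitively
            return attrs
    return None  # dangling reference or entry outside the searched domain


def expand_user_members(group_dn, fetch):
    """Return the sorted DNs of user objects nested anywhere under group_dn."""
    seen = {group_dn.lower()}  # guards against circular nesting
    root = fetch(group_dn)
    queue = deque([root] if root else [])
    users = set()
    while queue:
        for member_dn in queue.popleft().get("member", []):
            if member_dn.lower() in seen:
                continue
            seen.add(member_dn.lower())
            member = fetch(member_dn)  # one read per distinct DN
            if member is None:
                continue
            classes = {c.lower() for c in member["objectClass"]}
            if "group" in classes:
                queue.append(member)
            elif "user" in classes and "computer" not in classes:
                users.add(member_dn)
    return sorted(users)
```

A real `fetch` also has to handle Active Directory's ranged retrieval of the member attribute on large groups. Membership through a user's primary group is not stored in member, so this walk does not see it.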