LDAP group membership (including Domain Users)

DougN · Dec 14, 2010 · Viewed 27k times

How can I get a list of users within an LDAP group, even if that group happens to be the primary group for some users?

For example, suppose "Domain Users" is "Domain Leute" in German. I want all members of "CN=Domain Leute,DC=mycompany,DC=com". How would I know that is the well-known "Domain Users" group?

Or what if some users' primary group was changed to "CN=rebels,DC=mycompany,DC=com", and I wanted to get members of THAT group? Users don't have a memberOf property for their primary group, and the primary group won't have a member property listing them.

This is what I see when viewed via LDAP (i.e., no MS extensions): [screenshot not included]

Answer

Raymund · Dec 16, 2010

To get the primaryGroupToken from any given group, extract it from the objectSid. So, for example, Domain Users objectSid = S-1-5-21-704657944-2065781323-617630493-513; then the primaryGroupToken is the last digits after the "-", so in the case of "Domain Users" it's 513.
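The two-step approach the answer describes (decode the group's objectSid, take its last sub-authority as the RID, then query users by primaryGroupID as well as memberOf) as a worked example. This is added code, not part of the original question or answer, and it does not talk to a directory: the binary SID blob is constructed by hand from the SID in the answer, `DOMAIN_USERS_RID` and the helper names are mine, and the filter it builds is meant to be passed to whatever LDAP client you use.

```python
import struct

# Constructed sample: the "Domain Users" objectSid from the answer,
# S-1-5-21-704657944-2065781323-617630493-513, encoded the way an LDAP client
# actually receives the objectSid attribute (a binary blob, not a string).
DOMAIN_USERS_SID_BYTES = (
    b"\x01"                        # revision
    + b"\x05"                      # number of sub-authorities
    + b"\x00\x00\x00\x00\x00\x05"  # identifier authority (5 = NT Authority), big-endian
    + struct.pack("<5I", 21, 704657944, 2065781323, 617630493, 513)  # sub-authorities, little-endian
)

# Well-known RID of "Domain Users". The group's display name depends on the
# locale ("Domain Leute" in the question); the RID does not.
DOMAIN_USERS_RID = 513


def sid_to_string(sid_bytes):
    """Decode a binary SID into its textual S-R-I-S-S... form."""
    revision, count = sid_bytes[0], sid_bytes[1]
    authority = int.from_bytes(sid_bytes[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid_bytes[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def split_sid(sid_string):
    """Return (domain SID, RID); the RID is the last sub-authority, as the answer says."""
    domain, rid = sid_string.rsplit("-", 1)
    return domain, int(rid)


def primary_group_sid(user_sid_string, primary_group_id):
    """Reverse direction: a user's primary group SID is the user's own domain SID + primaryGroupID."""
    domain, _ = split_sid(user_sid_string)
    return "%s-%d" % (domain, primary_group_id)


def escape_filter_value(value):
    """RFC 4515 escaping so a DN containing ( ) * or \\ cannot change the filter's meaning."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def members_filter(group_dn, group_rid):
    """Match explicit members (memberOf back-link) plus users whose primary group is this group.

    memberOf does not expand nested group membership; only direct members are matched.
    """
    return "(&(objectClass=user)(|(memberOf=%s)(primaryGroupID=%d)))" % (
        escape_filter_value(group_dn), group_rid)


if __name__ == "__main__":
    sid = sid_to_string(DOMAIN_USERS_SID_BYTES)
    domain, rid = split_sid(sid)
    print(sid, "-> RID", rid, "(well-known Domain Users)" if rid == DOMAIN_USERS_RID else "")
    print(members_filter("CN=Domain Leute,DC=mycompany,DC=com", rid))
```

With a real connection you would read the group's objectSid (as bytes) first, then run the returned filter against the domain base DN, e.g. with ldap3's `conn.search(base_dn, members_filter(group_dn, rid), attributes=["sAMAccountName"])`. The same SID arithmetic answers the "rebels" case: read that group's objectSid, take its RID, and search `primaryGroupID=<rid>`.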