LDAP group membership (including Domain Users)

active-directory ldap member adsi ldap-query
DougN picture DougN · Dec 14, 2010 · Viewed 27k times · Source

How can I get a list of users within an LDAP group, even if that group happens to be the primary group for some users?

For example, suppose "Domain Users" is "Domain Leute" in German. I want all members of "CN=Domain Leute,DC=mycompany,DC=com". How would I know that is the well-known "Domain Users" group?

Or what if some users' primary group was changed to "CN=rebels,DC=mycompany,DC=com", and I wanted to get members of THAT group? Users don't have a memberOf property for their primary group, and the primary group won't have a member property listing them.

This is what I see when viewed via LDAP (ie, no MS extensions): alt text

Answer

Raymund picture Raymund · Dec 16, 2010

To get the the primaryGroupToken from any given group extract it from the objectSid so for example Domain Users objectSid = S-1-5-21-704657944-2065781323-617630493-513 then the primaryGroupToken is the last digits after the "-" so in the case of the "Domain Users" its 513

Related questions

What are the differences between LDAP and Active Directory?

What are the differences between LDAP and Active Directory?

Read More
What are CN, OU, DC in an LDAP search?

I have a search query in LDAP like this. What exactly does this query mean? ("CN=Dev-India,OU=Distribution Groups,DC=gp,DC=gl,DC=google,DC=com");

Read More
Query to list all users of a certain group

How can I use a a search filter to display users of a specific group? I've tried the following: (& (objectCategory=user) (memberOf=MyCustomGroup) ) and this: (& (objectCategory=user) (memberOf=cn=SingleSignOn,ou=Groups,dc=tis,dc=eg,dc=ddd,…

Read More