How to Search AD for users not in certain groups


home

How do I search Active Directory for user accounts which are members of
certain security groups?
 

In ADUC Filter Options (Advanced) or in a script using ADO, you can use:

(memberOf=cn=MyGroup,ou=Sales,dc=MyDomain,dc=com)

This will filter on members of the group cn=MyGroup. You must specify the
full Distinguished Name of the group. To get all users that are not members
of this group, use:

(!memberOf=cn=MyGroup,ou=Sales,dc=MyDomain,dc=com)

Clauses like this can be combined for more complex queries, using & (the And
operator) and | (the Or operator), as well as ! (the Not operator). For
example, to retrieve users that are members of either cn=Group1 or
cn=Group2, use (watch line wrapping, this is one line):

(|(memberOf=cn=Group1,ou=Sales,dc=MyDomain,dc=com)(memberOf=cn=Group2,ou=West,dc=MyDomain,dc=com))

For more on using ADO in VBScript programs to retrieve information, see this
link:

http://www.rlmueller.net/ADOSearchTips.htm
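To make the filter syntax in this answer concrete, here is an added example (not code from the thread or from Richard's site) that implements a small evaluator for exactly the constructs shown, (attr=value), !, & and |, and runs the thread's filters over a constructed in-memory set of entries. The entries, DNs and group names are made up for the example; the same filter strings can be given unchanged to ADUC, Get-ADUser -LDAPFilter or adfind -f.

```python
# Added example, not code from the thread: a tiny evaluator for the filter
# syntax in the post above, run against constructed in-memory entries so the
# queries can be tried offline. It handles (attr=value), (!...), (&...) and
# (|...), accepting both the thread's shorthand (!attr=value) and the RFC 4515
# form (!(attr=value)).

# Constructed sample entries (attribute -> list of values). Real AD stores
# objectCategory as a schema DN; the short name is kept here for simplicity.
DIRECTORY = [
    {"dn": ["cn=Alice,ou=Sales,dc=MyDomain,dc=com"], "objectCategory": ["person"],
     "objectClass": ["user"],
     "memberOf": ["cn=MyGroup,ou=Sales,dc=MyDomain,dc=com",
                  "cn=Group1,ou=Sales,dc=MyDomain,dc=com"]},
    {"dn": ["cn=Bob,ou=West,dc=MyDomain,dc=com"], "objectCategory": ["person"],
     "objectClass": ["user"], "memberOf": ["cn=Group2,ou=West,dc=MyDomain,dc=com"]},
    {"dn": ["cn=Carol,ou=Sales,dc=MyDomain,dc=com"], "objectCategory": ["person"],
     "objectClass": ["user"], "memberOf": []},
    {"dn": ["cn=MyGroup,ou=Sales,dc=MyDomain,dc=com"], "objectCategory": ["group"],
     "objectClass": ["group"], "member": ["cn=Alice,ou=Sales,dc=MyDomain,dc=com"]},
]


def parse_filter(text):
    """Parse a filter string into nested tuples:
    ('eq', attr, value), ('not', f), ('and', [f, ...]), ('or', [f, ...])."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("unexpected text after filter")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if s[i] in "&|":
        op = "and" if s[i] == "&" else "or"
        i += 1
        children = []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        node = (op, children)
    elif s[i] == "!":
        i += 1
        # RFC 4515 writes (!(attr=value)); the thread's (!attr=value) is also accepted
        child, i = _parse(s, i) if s[i] == "(" else _parse_eq(s, i)
        node = ("not", child)
    else:
        node, i = _parse_eq(s, i)
    if s[i] != ")":
        raise ValueError(f"expected ')' at position {i}")
    return node, i + 1


def _parse_eq(s, i):
    """Parse attr=value up to the closing parenthesis (DN values contain '=')."""
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("eq", attr.strip(), value.strip()), end


def _values(entry, attr):
    """Attribute names are case-insensitive in LDAP."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values
    return []


def matches(node, entry):
    kind = node[0]
    if kind == "eq":
        # DN-valued attributes such as memberOf compare case-insensitively
        return any(v.lower() == node[2].lower() for v in _values(entry, node[1]))
    if kind == "not":
        return not matches(node[1], entry)
    if kind == "and":
        return all(matches(c, entry) for c in node[1])
    return any(matches(c, entry) for c in node[1])


def search(filter_text, entries=DIRECTORY):
    """Return the DNs of entries matching the filter, in directory order."""
    node = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(node, e)]
```

Running `search("(!memberOf=cn=MyGroup,ou=Sales,dc=MyDomain,dc=com)")` over these entries returns the group object itself as well as Bob and Carol, because the bare NOT clause matches every object that lacks the value, including groups and computers (which also carry objectClass user). That is why, in practice, the NOT clause is ANDed with `(objectCategory=person)(objectClass=user)` so the result is limited to user accounts.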
 
Look at the member attribute of the group in question.

adfind -b dc=domain,dc=com -f name=groupname member

if you have a single domain, you can simplify this to be

adfind -default -f name=groupname member

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
I tried the below, but it still shows me users who are members of the
group I specified NOT to find.

(!memberOf=cn=MyGroup,ou=Sales,dc=MyDomain,dc=com)
 
Hi,

I tested the filter before suggesting it in my posting, and again just now.
However, the memberOf attribute never includes the "primary" group. If a
user has the group "Domain Users" designated as their "primary" group, and
you filter on all users that are not members of "Domain Users", you will
still see the user. You can view the memberOf attribute of the user with a
tool like ADSI Edit and see that their "primary" group is not among the
group DNs included. Hopefully, this explains what you see.
 
OK, sorry, I am confused; your subject says one thing and your post says
another.

If you want users who are direct members of a group, then you want to
look at the member attribute of the group.

If you want users who are NOT direct members of a group, then you do as
Richard indicated and do a NOT (!) of the memberof attribute of the users.

Now there are a couple of things that can impact this.

As Richard mentioned, there is primary group. Primary group membership
is not handled in the way other group membership is handled.

The other possible issue is group nesting. If a group has nested
membership, the only way to figure out what is going on is either to use
tokenGroups (which can't be searched against, but will allow you to get
all local domain group memberships for a given user in one call) or to
chase nesting with recursion.

Finally, if you have multiple domains this gets even more confusing
because you can't easily use memberof to figure anything out when the
group exists in one domain and the users exist in another.

joe



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
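The two caveats raised in Richard's and Joe's replies, the primary group never appearing in memberOf and nested groups hiding members from a direct memberOf test, can be reproduced on a constructed slice of a domain. The following is an added example (not code from the thread or from joeware) that models users with memberOf and primaryGroupID, groups with member and primaryGroupToken, and contrasts what (!memberOf=...) returns with a recursive expansion of the kind Joe describes as the alternative to tokenGroups. All DNs and RIDs are made up except 513, the well-known RID of Domain Users.

```python
# Added example, not code from the thread: a constructed in-memory slice of a
# domain reproducing the primary-group and nesting caveats above. Users carry
# memberOf and primaryGroupID (the RID of their primary group); groups carry
# member and primaryGroupToken (their own RID). Names and RIDs are invented,
# except 513, the well-known RID of Domain Users.

DOMAIN_USERS = "cn=Domain Users,cn=Users,dc=MyDomain,dc=com"
STAFF = "cn=Staff,ou=Groups,dc=MyDomain,dc=com"
CONTRACTORS = "cn=Contractors,ou=Groups,dc=MyDomain,dc=com"
DAN = "cn=Dan,ou=Staff,dc=MyDomain,dc=com"
ERIN = "cn=Erin,ou=Staff,dc=MyDomain,dc=com"
FRANK = "cn=Frank,ou=Staff,dc=MyDomain,dc=com"

USERS = {
    DAN:   {"primaryGroupID": 513, "memberOf": [STAFF]},
    ERIN:  {"primaryGroupID": 513, "memberOf": [CONTRACTORS]},  # reaches Staff only by nesting
    FRANK: {"primaryGroupID": 513, "memberOf": []},             # only in Domain Users
}
GROUPS = {
    # As in real AD, Domain Users lists no member for users whose primary group it is.
    DOMAIN_USERS: {"primaryGroupToken": 513, "member": []},
    STAFF:        {"primaryGroupToken": 1105, "member": [DAN, CONTRACTORS]},
    CONTRACTORS:  {"primaryGroupToken": 1106, "member": [ERIN]},
}


def users_not_member_of(group_dn):
    """What the filter (!memberOf=<group_dn>) returns: users whose memberOf lacks the DN."""
    wanted = group_dn.lower()
    return sorted(dn for dn, attrs in USERS.items()
                  if wanted not in (m.lower() for m in attrs["memberOf"]))


def direct_members(group_dn):
    """The 'look at the member attribute of the group' approach (adfind ... member)."""
    return sorted(GROUPS[group_dn]["member"])


def effective_members(group_dn, _seen=None):
    """Expand membership the way tokenGroups would report it: direct members,
    members of nested groups (recursively, cycle-safe) and primary-group users."""
    seen = set() if _seen is None else _seen
    if group_dn in seen:          # already expanded: guards against circular nesting
        return set()
    seen.add(group_dn)
    result = set()
    for dn in GROUPS[group_dn]["member"]:
        if dn in GROUPS:
            result |= effective_members(dn, seen)
        else:
            result.add(dn)
    rid = GROUPS[group_dn]["primaryGroupToken"]
    result |= {dn for dn, attrs in USERS.items() if attrs["primaryGroupID"] == rid}
    return result


def users_not_effective_member_of(group_dn):
    """Users outside the group once nesting and the primary group are accounted for."""
    return sorted(set(USERS) - effective_members(group_dn))
```

`users_not_member_of(DOMAIN_USERS)` returns all three users even though every one of them has Domain Users as primary group, which is exactly the result the original poster saw; `users_not_effective_member_of(DOMAIN_USERS)` returns nobody. For Staff, the direct test wrongly lists Erin, who is a member only through Contractors, while the expansion lists only Frank. The example models a single domain; as Joe notes, memberOf is of little help when the group and the users live in different domains.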
 