Yes, you can definitely use LDAP to retrieve the membership of a group in
Active Directory. In Active Directory, each group object has an attribute
called "member". This is a multivalued attribute, where each value is the
distinguished name of a member of the group. This attribute only lists
those who are directly members of the group, not those who are members of
the group by virtue of belonging to some other group that happens to be a
member of the first group. In other words, if you have a group G1 with two
members, a user U1 and a group G2, then the member attribute for G1 will
list U1 and G2, but will not include those who are just members of G2. If
you want to do a recursive group membership expansion, you'll have to write
the code to do so.
There's a lot of information about groups in Active Directory located at
http://msdn.microsoft.com/library/en-us/ad/ad/managing_groups.asp?frame=true.
There's a code example of enumerating group membership at
http://msdn.microsoft.com/library/e..._displaying_members_of_a_group.asp?frame=true.
That example uses the ADSI API. If you prefer to use the LDAP C API
(wldap32.dll), see
http://msdn.microsoft.com/library/en-us/ldap/ldap/searching_using_range_retrieval.asp?frame=true.
That example also makes use of a technique called range retrieval, which is
used in Active Directory when retrieving the membership of a large group.
For more about range retrieval, please see
http://msdn.microsoft.com/library/e...oups_that_contain_many_members.asp?frame=true
and
http://msdn.microsoft.com/library/en-us/adsi/adsi/attribute_range_retrieval.asp?frame=true.
- Matthew Rimer [MSFT]
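The two points in the reply above (the "member" attribute holds only direct members, so nested expansion is the caller's job, and large groups come back in "member;range=X-Y" chunks) as a worked example. This is added code, not from the post or from Microsoft's samples: an in-memory dictionary stands in for the LDAP server, the DNs are constructed, and `simulated_range_search` mimics a DC's range-retrieval answers so the code runs offline.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed in-memory directory (stand-in for a real LDAP search).
# DNs are made up; note the nesting G1 -> G2 -> G1, a cycle AD permits.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=G1,OU=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "member": ["CN=U1,OU=Users,DC=example,DC=com",
                   "CN=G2,OU=Groups,DC=example,DC=com"],
    },
    "CN=G2,OU=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "member": ["CN=U2,OU=Users,DC=example,DC=com",
                   "CN=G1,OU=Groups,DC=example,DC=com"],  # cycle back to G1
    },
    "CN=G3,OU=Groups,DC=example,DC=com": {       # "large" group for range demo
        "objectClass": ["top", "group"],
        "member": [f"CN=U{i},OU=Users,DC=example,DC=com" for i in range(3, 8)],
    },
}
for _i in range(1, 8):
    DIRECTORY[f"CN=U{_i},OU=Users,DC=example,DC=com"] = {"objectClass": ["top", "user"]}

# AD labels a partial attribute as "member;range=0-1499"; the final chunk
# is labelled "member;range=<lo>-*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


def parse_range_attr(name: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """'member;range=0-1499' -> ('member', 0, 1499); '*' upper bound -> None."""
    m = RANGE_RE.match(name)
    if m is None:
        return None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi


def simulated_range_search(dn: str, attr: str, lo: int, hi: int,
                           server_max: int = 2) -> Tuple[str, List[str]]:
    """Constructed stand-in for a DC answering a range request: it never
    returns more than server_max values and marks the last chunk with '*'."""
    values = DIRECTORY.get(dn, {}).get(attr, [])
    end = min(hi, lo + server_max - 1, len(values) - 1)
    chunk = values[lo:end + 1]
    if end >= len(values) - 1:
        return f"{attr};range={lo}-*", chunk
    return f"{attr};range={lo}-{end}", chunk


def fetch_all_values(dn: str, attr: str, request_size: int = 1500) -> List[str]:
    """Range retrieval loop: keep asking for the next slice until the server
    answers with an open-ended range, which signals the end of the list."""
    values: List[str] = []
    lo = 0
    while True:
        returned_name, chunk = simulated_range_search(dn, attr, lo, lo + request_size - 1)
        values.extend(chunk)
        parsed = parse_range_attr(returned_name)
        if parsed is None or parsed[2] is None:   # plain attr or "lo-*": done
            break
        lo = parsed[2] + 1
    return values


def direct_members(dn: str) -> List[str]:
    """What the 'member' attribute itself lists: direct members only."""
    return fetch_all_values(dn, "member")


def is_group(dn: str) -> bool:
    return "group" in DIRECTORY.get(dn, {}).get("objectClass", [])


def expand_group(dn: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Recursive expansion: follow nested groups, collect non-group DNs.
    'seen' prevents infinite recursion on cycles and repeated expansion."""
    if seen is None:
        seen = set()
    seen.add(dn)
    users: Set[str] = set()
    for member in direct_members(dn):
        if member in seen:
            continue
        seen.add(member)
        if is_group(member):
            users |= expand_group(member, seen)
        else:
            users.add(member)
    return users


if __name__ == "__main__":
    g1 = "CN=G1,OU=Groups,DC=example,DC=com"
    print("direct:", direct_members(g1))
    print("expanded:", sorted(expand_group(g1)))
    print("G3 via range retrieval:", len(direct_members("CN=G3,OU=Groups,DC=example,DC=com")))
```

Against a real domain, `simulated_range_search` would be replaced by an LDAP search requesting the attribute as `member;range=lo-hi`; the DC, not the client, decides how many values each answer carries, which is why the loop reads the returned attribute name rather than assuming its own request size. The `seen` set matters in practice because AD allows circular nesting. One caveat when auditing who can act through a group: walking `member` does not show users whose `primaryGroupID` points at the group (Domain Users is the usual case), so an access review based only on this walk can under-report membership.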