
RE: Getting the list of members in an AD group



When retrieving large group memberships from AD you must use Microsoft's implementation of ranging.  When the group membership exceeds the limit established in the domain controller (usually 1500 users) AD returns an empty result set in the member attribute and then adds a new attribute containing a partial result set.  You must then submit multiple subsequent searches renaming this new attribute each time to retrieve the remainder of the result set.  You can google on AD and ranging for more details.  There are ways to disable this in AD as well but most AD administrators will refuse to do it.

-Jon C. Kidder
American Electric Power
Middleware Services
Email: jckidder@aep.com
Phone: 614-716-4970
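For anyone who has not seen the ranging exchange before, here is an added worked example of the client-side loop described above. It is not Jon's or Sankar's code and does not come from OpenLDAP; it talks to a constructed in-memory stand-in for a domain controller so it runs offline, and it assumes the usual MaxValRange of 1500 and the "member;range=lo-hi" attribute naming that AD uses (the same loop would apply to a real ldap_search_ext_s() call).

```python
"""
Added example: Active Directory ranged retrieval of a large 'member'
attribute. The DC is simulated by fake_ad_search(); a real client would
issue the same attribute requests through ldap_search_ext_s()/ldapsearch.
Assumed: MaxValRange == 1500 (AD default) and the 'member;range=lo-hi'
naming convention. All directory data below is constructed.
"""
import re

MAX_VAL_RANGE = 1500  # assumed DC limit (AD's default MaxValRange)

# Matches the attribute names AD hands back: member;range=0-1499, member;range=3000-*
RANGE_RE = re.compile(r"^member;range=(\d+)-(\d+|\*)$", re.IGNORECASE)


def fake_ad_search(directory, base_dn, attrs):
    """Constructed stand-in for a base-scope search against a DC.

    Mimics AD's behaviour for 'member': when the group holds more than
    MAX_VAL_RANGE values, 'member' is returned empty and a
    'member;range=lo-hi' attribute carries one slice of at most
    MAX_VAL_RANGE values. The final slice is named 'member;range=lo-*'.
    """
    members = directory[base_dn]
    result = {}
    for attr in attrs:
        if attr.lower() == "member":
            if len(members) <= MAX_VAL_RANGE:
                result["member"] = list(members)
            else:
                result["member"] = []
                result[f"member;range=0-{MAX_VAL_RANGE - 1}"] = members[:MAX_VAL_RANGE]
            continue
        m = RANGE_RE.match(attr)
        if m:
            lo = int(m.group(1))
            hi = min(lo + MAX_VAL_RANGE, len(members))
            label = "*" if hi >= len(members) else str(hi - 1)
            result[f"member;range={lo}-{label}"] = members[lo:hi]
    return result


def get_all_members(search, base_dn):
    """Collect every 'member' value, re-requesting 'member;range=N-*' until
    the server answers with a slice whose upper bound is '*'."""
    members = []
    attr = "member"
    while True:
        entry = search(base_dn, [attr])
        # A plain 'member' with values means the group is under the limit.
        if attr == "member" and entry.get("member"):
            return entry["member"]
        ranged = [(k, v) for k, v in entry.items() if RANGE_RE.match(k)]
        if not ranged:
            # Empty group, or the server did not honour the range request.
            return members
        name, values = ranged[0]
        members.extend(values)
        lo, hi = RANGE_RE.match(name).groups()
        if hi == "*":
            return members  # last slice received
        attr = f"member;range={int(hi) + 1}-*"  # ask for the next slice


def build_directory(group_dn, n):
    """Constructed sample data: one group with n member DNs."""
    return {group_dn: [f"CN=user{i:05d},OU=People,DC=example,DC=com" for i in range(n)]}


def demo(n=3500):
    """Run the loop against a group of n members; returns (members, requests)."""
    group_dn = "CN=Big Group,OU=Groups,DC=example,DC=com"
    directory = build_directory(group_dn, n)
    requests = []

    def search(base_dn, attrs):
        requests.append(tuple(attrs))
        return fake_ad_search(directory, base_dn, attrs)

    return get_all_members(search, group_dn), requests


if __name__ == "__main__":
    got, reqs = demo()
    print(len(got), "members in", len(reqs), "searches:", [r[0] for r in reqs])
```

The important detail is in the last lines of get_all_members(): the client never asks for a fixed upper bound, it always asks for "N-*", and it stops only when the server itself answers with "*" as the upper bound. Asking for "member" again after the first page just returns the same empty attribute and the 0-1499 slice, which is the loop people usually write by mistake.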

-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Sankar P
Sent: Friday, April 11, 2014 2:08 AM
To: Mark Pröhl
Cc: openldap-technical@openldap.org
Subject: Re: Getting the list of members in an AD group

The group whose SID that I am trying to take is the default "Domain Users" group. The ldapsearch query too fails for that but for any other custom groups, the membership information is printed. So is there a different style that we should follow for getting the "Domain Users" group members ?


2014-04-10 16:20 GMT+05:30 Sankar P <sankar.curiosity@gmail.com>:
>> ldapsearch -H ldap://your_dc.example.com \
>>      -b '<sid=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX>' \
>>      -s base \
>>      '(objectClass=*)' member
>>
>
> oh okay. Thanks for your explanation.
>
> I changed my code to:
>
> struct timeval timeout = {10,0};
> char *attr_list[] = {"member", NULL};
> LDAPMessage *searchresult = NULL;
>
> gch = get_gch_from_queue();
> sts = ldap_search_ext_s(gch->ld, "<sid=S-...>", LDAP_SCOPE_BASE, 
> "(objectClass=*)", attr_list, 0, NULL, NULL, &timeout, LDAP_NO_LIMIT, 
> &searchresult);
>
> and this returns a status of LDAP_UNWILLING_TO_PERFORM
>
> What am I doing wrong ?
>
> --
> Sankar P
> http://psankar.blogspot.com



--
Sankar P
http://psankar.blogspot.com