LDAP query to get all group members

a1 26 Reputation points
2023-07-16T16:44:58.5833333+00:00

Hey,

Which LDAP query do I need to use in order to get all members (objectGUID) of a group (by DN), including cross-domain membership (at least within the same forest)?

I don't have a GC in my organization.

Thanks

Active Directory

2 answers

  1. Wesley Li-MSFT 4,401 Reputation points Microsoft Vendor
    2023-07-17T06:15:17.02+00:00

    Hello

    To get all members of a group, including cross-domain membership within the same forest, you can use an LDAP query with the memberOf attribute. The memberOf attribute in Active Directory is stored as a list of distinguished names. Your filter should look something like this:

    (& (objectCategory=user) (memberOf=cn=GroupName,ou=ouOfGroup,dc=subdomain,dc=domain,dc=com))

    Replace GroupName, ouOfGroup, subdomain, domain, and com with the appropriate values for your environment.

    If you don’t have a Global Catalog (GC) in your organization, you may not be able to get results from all subdomains with one query.

    I hope this information helps you construct the LDAP query you need.


  2. a1 26 Reputation points
    2023-07-23T11:57:33.9566667+00:00

    Hey

    I tried this approach.

    It does give me group members, but only in the queried domain. Group members from other domains within the forest don't appear (even with chase referrals on).

    I don't use the member attribute of the group because it gives me only the DNs of the members, and I need the GUID of each group member and the type of the group member.

    What should I do?

    Thanks.
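
Added example, not part of the thread: one way to work without a GC is to read the group's `member` DNs once, then plan one base-scope search per member against a DC of the domain named by that DN's trailing `DC=` components, requesting `objectGUID` and `objectClass`. The function names and the `example.com` DNs are constructed for illustration; the code only plans the searches and decodes the returned GUID bytes, it opens no LDAP connection.

```python
import uuid
from collections import defaultdict

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escape pair intact
            i += 2
        elif dn[i] == ",":
            parts.append(cur.strip())
            cur = ""
            i += 1
        else:
            cur += dn[i]
            i += 1
    parts.append(cur.strip())
    return parts

def domain_of(dn):
    """DNS name of the domain a DN lives in, built from its trailing DC= RDNs."""
    labels = []
    for rdn in reversed(split_rdns(dn)):
        if not rdn.upper().startswith("DC="):
            break
        labels.insert(0, rdn[3:])
    return ".".join(labels).lower()

def plan_lookups(member_dns):
    """Group member DNs by owning domain; each DN becomes one base-scope search."""
    plan = defaultdict(list)
    for dn in member_dns:
        plan[domain_of(dn)].append(
            {"base": dn, "scope": "base", "filter": "(objectClass=*)",
             "attributes": ["objectGUID", "objectClass"]})
    return dict(plan)

def decode_object_guid(raw):
    """objectGUID is 16 raw bytes; its first three fields are little-endian."""
    return str(uuid.UUID(bytes_le=raw))

# Constructed sample: values as they would appear in a group's member attribute.
SAMPLE_MEMBERS = [
    "CN=Alice,OU=Staff,DC=emea,DC=example,DC=com",
    "CN=Smith\\, Bob,OU=Staff,DC=apac,DC=example,DC=com",
    "CN=Helpdesk,OU=Groups,DC=emea,DC=example,DC=com",
]
```

The `objectClass` values returned by each search tell a user from a nested group or a computer; a nested group's own `member` list can be fed through the same planning step.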