
LDAP: How to get all users and groups from Active Directory

I am trying to get all the users and their associated groups from an Active Directory server, using a LDAP query. Apparently, Active Directory doesn't give me the primary group of the users. For example, this search:

(objectclass=user)

produces this result:

# Test User, Users, sub.domain.net
dn: CN=Test User,CN=Users,DC=sub,DC=domain,DC=net
....
memberOf: CN=Domain Admins,CN=Users,DC=sub,DC=domain,DC=net
memberOf: CN=Administrators,CN=Builtin,DC=sub,DC=domain,DC=net
....
primaryGroupID: 515
....

The primary group for this user is Test Group (I know this because I created this user/group pair) so let's take a look at that one:

# Test Group, Users, sub.domain.net
dn: CN=Test Group,CN=Users,DC=sub,DC=domain,DC=net
objectClass: top
objectClass: group
cn: Test Group
distinguishedName: CN=Test Group,CN=Users,DC=sub,DC=domain,DC=net
instanceType: 4
whenCreated: 20101014151945.0Z
whenChanged: 20101015141656.0Z
uSNCreated: 41007
uSNChanged: 41133
name: Test Group
objectGUID:: aQH58S0MWU2Fu/Cli72u0A==
objectSid:: AQUAAAAAAAUVAAAAIzgCYuz3AhjZk27UXgQAAA==
sAMAccountName: Test Group
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=sub,DC=domain,DC=net
dSCorePropagationData: 16010101000000.0Z

How am I supposed to associate the users with their primary groups? All I get when I list a user's properties is a primaryGroupID property, but its value is nowhere to be found in the whole LDAP database (objectclass=*).


It's the wrong language, but this KB article specifically talks about using the primarygroupID attribute to find the SID for the primary group:

How to use the PrimaryGroupID attribute to find the primary group for a user

You may be able to use that as a starting point in your own code.


This (VBScript) example on how to set a user's primary group may give you some conclusion:

' Bind to the group and the user (DNs from the question); primaryGroupToken is a constructed attribute, so it must be loaded explicitly
Set oGroup = GetObject("LDAP://CN=Test Group,CN=Users,DC=sub,DC=domain,DC=net")
Set oUser = GetObject("LDAP://CN=Test User,CN=Users,DC=sub,DC=domain,DC=net")
oGroup.GetInfoEx Array("primaryGroupToken"), 0
oUser.PrimaryGroupID = oGroup.PrimaryGroupToken
oUser.SetInfo

As you see, you have to match the PrimaryGroupID property of the user to the PrimaryGroupToken property of the group (&(objectclass=group)(PrimaryGroupToken=UsersPrimaryGroupID)) or similar.

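The matching described in this answer and in the question above, as an added Python example (it is not code from the question or from either answer): it decodes the Test Group's objectSid exactly as it appears in the question's LDIF, shows that the group's RID (the value primaryGroupToken exposes) is 1118, builds a server-side filter from the domain SID plus the user's primaryGroupID, and merges the resolved primary group into the memberOf list. The lookup goes via objectSid rather than primaryGroupToken because primaryGroupToken is a constructed attribute that Active Directory will not evaluate in a search filter. With the page's own values, a user whose primaryGroupID is 515 therefore resolves to whichever group carries RID 515 in that domain, not to Test Group. The "Domain Computers" group entry, the user entries and every DN not taken from the question are constructed sample data, as are the function names.

```python
import base64
import struct

# objectSid of "Test Group" exactly as the question's LDIF shows it (base64 LDIF encoding).
TEST_GROUP_SID_B64 = "AQUAAAAAAAUVAAAAIzgCYuz3AhjZk27UXgQAAA=="
TEST_GROUP_SID_RAW = base64.b64decode(TEST_GROUP_SID_B64)


def parse_sid(raw):
    """Decode a binary SID into (full SID string, domain SID string, RID).

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then N little-endian
    32-bit sub-authorities. The last sub-authority is the RID, which is
    what a group's primaryGroupToken and a user's primaryGroupID hold.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if count == 0 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    prefix = "S-%d-%d" % (revision, authority)
    full = prefix + "".join("-%d" % s for s in subs)
    domain = prefix + "".join("-%d" % s for s in subs[:-1])
    return full, domain, subs[-1]


def primary_group_filter(domain_sid, primary_group_id):
    """Filter that finds a user's primary group by objectSid.

    primaryGroupID is only the RID, so it is combined with the domain SID.
    AD accepts the string form of a SID for objectSid in filters.
    """
    return "(&(objectClass=group)(objectSid=%s-%d))" % (domain_sid, primary_group_id)


def index_groups_by_rid(groups):
    """Map RID -> group DN using the RID carried in each group's objectSid."""
    return {parse_sid(g["objectSid"])[2]: g["dn"] for g in groups}


def all_groups(user, by_rid):
    """memberOf never lists the primary group, so add it from primaryGroupID.

    Returns the user's memberOf DNs plus the primary group DN (if a group
    with that RID exists); an unknown RID is simply left out.
    """
    groups = list(user.get("memberOf", []))
    primary = by_rid.get(user["primaryGroupID"])
    if primary is not None and primary not in groups:
        groups.append(primary)
    return groups


# Constructed: a second group in the same domain with RID 515 (the well-known
# RID of "Domain Computers"), built by replacing the last sub-authority.
DOMAIN_COMPUTERS_SID_RAW = TEST_GROUP_SID_RAW[:-4] + struct.pack("<I", 515)

SAMPLE_GROUPS = [  # constructed entries; the first DN is the one in the question
    {"dn": "CN=Test Group,CN=Users,DC=sub,DC=domain,DC=net", "objectSid": TEST_GROUP_SID_RAW},
    {"dn": "CN=Domain Computers,CN=Users,DC=sub,DC=domain,DC=net", "objectSid": DOMAIN_COMPUTERS_SID_RAW},
]
SAMPLE_USERS = [  # constructed; the first mirrors the question's "Test User" entry
    {"sAMAccountName": "testuser", "primaryGroupID": 515,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=sub,DC=domain,DC=net",
                  "CN=Administrators,CN=Builtin,DC=sub,DC=domain,DC=net"]},
    {"sAMAccountName": "alice", "primaryGroupID": 1118, "memberOf": []},
    {"sAMAccountName": "orphan", "primaryGroupID": 9999, "memberOf": []},
]

if __name__ == "__main__":
    full, domain, rid = parse_sid(TEST_GROUP_SID_RAW)
    print("Test Group objectSid:", full, "RID:", rid)
    print("Filter for primaryGroupID 515:", primary_group_filter(domain, 515))
    by_rid = index_groups_by_rid(SAMPLE_GROUPS)
    for user in SAMPLE_USERS:
        print(user["sAMAccountName"], "->", all_groups(user, by_rid))
```

In a real directory the RID-to-DN index is built from one paged search for (objectClass=group) returning objectSid, so every user's primary group is resolved locally without an extra query per user; the filter function is for the single-user case.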
