2
votes

'memberof' is the attribute on the Active Directory user account which describes the user's group membership. If we use .NET or Java to get the user's details, then we get the 'memberof' attribute value in terms of the 'Distinguished Name' of the groups of which the user is a member. So is there any way to get these group names in terms of objectGUID, either in Java or .NET?

1

1 Answer

4
votes

You can make use of the "Extended DN" LDAP extended control. It can only be used in AD searches.

C# code:

using System;
using System.DirectoryServices;

// Here I bind to the user object and then do an AD search scoped to it.
// Instead, you may search for that user object directly.
DirectoryEntry userEntry = new DirectoryEntry("LDAP://<server>/<user DN>", "user", "pwd");

DirectorySearcher searcher = new DirectorySearcher(userEntry);
searcher.SearchScope = SearchScope.Base;
// Ask the server to return DN-valued attributes in extended form.
searcher.ExtendedDN = ExtendedDN.Standard;
searcher.PropertiesToLoad.Clear();
searcher.PropertiesToLoad.Add("memberOf");

SearchResult result = searcher.FindOne();

if (result != null)
{
    // Each value is "<GUID=...>;<SID=...>;<group DN>" when ExtendedDN is set.
    foreach (string val in result.Properties["memberOf"])
    {
        Console.WriteLine(val);
    }
}

Depending on the value passed to ExtendedDN, it will return the value in the form:

<GUID=guid_value>;<SID=sid_value>;dn
  • ExtendedDN.None (only DN, this is the default):
    CN=Administrator, CN=Users,DC=Fabrikam,DC=com

  • ExtendedDN.Standard (Standard string format):
    <GUID=bdbfd4b3-453c-42ee-98e2-7b4a698a61b8>;<SID=S-1-5-21-2354834273-1534127952-2340477679-500>;CN=Administrator, CN=Users,DC=Fabrikam,DC=com

  • ExtendedDN.HexString (Hexadecimal format):
    <GUID=b3d4bfbd3c45ee4298e27b4a698a61b8>;<SID=01050000000000051500000061eb5b8c50ef705befda808bf4010000>;CN=Administrator, CN=Users,DC=Fabrikam,DC=com

If the object doesn't have a SID, the SID part will be omitted:

<GUID=guid_value>;dn

For details about Extended DN, please check:

http://msdn.microsoft.com/en-us/library/cc223349.aspx
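As an added example, not part of the answer above or of any Microsoft code, here is a small Python parser for the extended-DN string format the answer describes. It accepts all three shapes (bare DN, Standard, HexString) and the omitted-SID case, and normalises the GUID and SID to their canonical string forms so that values returned by either ExtendedDN setting can be compared directly against an objectGUID or objectSid, which is what the question was after. The sample memberOf values are constructed from the answer's own Fabrikam examples; the function and class names are my own.

```python
import re
import struct
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches "<GUID=...>;<SID=...>;dn". Both prefixes are optional because
# ExtendedDN.None yields a bare DN and objects without a SID omit <SID=...>.
_EXT_DN = re.compile(
    r"^(?:<GUID=(?P<guid>[^>]+)>;)?(?:<SID=(?P<sid>[^>]+)>;)?(?P<dn>.*)$", re.S
)


@dataclass(frozen=True)
class ExtendedDn:
    dn: str
    guid: Optional[str]  # canonical 8-4-4-4-12 lower-case hex, or None
    sid: Optional[str]   # canonical "S-1-5-21-..." form, or None


def guid_from_hex(hex_guid: str) -> str:
    # The HexString form is the 16 raw bytes of the GUID. Its first three
    # fields are little-endian, which is why it looks byte-swapped relative
    # to the Standard form; uuid.UUID(bytes_le=...) undoes that swap.
    return str(uuid.UUID(bytes_le=bytes.fromhex(hex_guid)))


def sid_from_hex(hex_sid: str) -> str:
    # Binary SID layout: revision(1) | sub-authority count(1) |
    # identifier authority(6, big-endian) | sub-authorities(4 each, little-endian)
    raw = bytes.fromhex(hex_sid)
    if len(raw) < 8:
        raise ValueError("SID blob too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def parse_extended_dn(value: str) -> ExtendedDn:
    m = _EXT_DN.match(value)
    if m is None:  # the regex always matches; kept for clarity
        raise ValueError("not an extended DN: %r" % value)
    guid = m.group("guid")
    if guid is not None:
        # Standard form contains dashes; HexString form is 32 bare hex digits.
        guid = str(uuid.UUID(guid)) if "-" in guid else guid_from_hex(guid)
    sid = m.group("sid")
    if sid is not None and not sid.upper().startswith("S-"):
        sid = sid_from_hex(sid)
    return ExtendedDn(dn=m.group("dn"), guid=guid, sid=sid)


def group_guids(member_of: List[str]) -> Dict[str, Optional[str]]:
    # Map each group DN to its objectGUID (None when the server returned
    # plain DNs, i.e. ExtendedDN.None was used).
    return {e.dn: e.guid for e in map(parse_extended_dn, member_of)}


# Constructed sample values, taken from the three formats shown in the answer.
SAMPLE_MEMBER_OF = [
    "CN=Administrator, CN=Users,DC=Fabrikam,DC=com",
    "<GUID=bdbfd4b3-453c-42ee-98e2-7b4a698a61b8>;"
    "<SID=S-1-5-21-2354834273-1534127952-2340477679-500>;"
    "CN=Administrator, CN=Users,DC=Fabrikam,DC=com",
    "<GUID=b3d4bfbd3c45ee4298e27b4a698a61b8>;"
    "<SID=01050000000000051500000061eb5b8c50ef705befda808bf4010000>;"
    "CN=Administrator, CN=Users,DC=Fabrikam,DC=com",
    # constructed: an object with no SID, so the SID part is omitted
    "<GUID=bdbfd4b3-453c-42ee-98e2-7b4a698a61b8>;CN=NoSid,CN=Users,DC=Fabrikam,DC=com",
]

if __name__ == "__main__":
    for v in SAMPLE_MEMBER_OF:
        print(parse_extended_dn(v))
```

Because both Standard and HexString values normalise to the same GUID and SID strings, code that consumes memberOf does not need to know which ExtendedDN setting the search used.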