1
votes

I'm trying to make an LDAP query to get all the users who are members of a group. The problem is that this group is populated with users from multiple AD domains, and I have to get all the member users with a single query.

According to this page I can reach my goal by querying the Global Catalog.

ldapsearch -x -W -H "ldap://mydomain.local:3268" -D "CN=myuser,OU=Applicative Users,OU=Users,OU=myou,DC=mydomain,DC=local" -b "" '(&(objectclass=user)(memberof=CN=mygroup,OU=Groups,OU=myou,DC=mydomain,DC=local))'

This query returns only the users that are members of "mygroup" and reside in the domain "mydomain".

No info is retrieved for the users that come from trusted domains.

How can I do that?

1
Check out the last paragraph of technet.microsoft.com/en-us/library/cc978012.aspx and see if your query fits the conditions. And does myuser have rights in other domains? – jwilleke

1 Answer

1
votes

The global catalog only stores group memberships for universal groups. You also won't get transitive (e.g. nested) group memberships with this query. You can use the LDAP in-chain matching operator if you need to get these also.
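As an added example (not part of the question or the answer above), the POSIX shell helpers below build the direct-membership filter from the question and the transitive filter the answer suggests, escaping the group DN per RFC 4515 so a DN containing parentheses or backslashes cannot break or alter the filter. The matching-rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) is not given on the page; the host and DNs are the question's placeholders.

```shell
#!/bin/sh
# Added example; not code from the original question or answer.
# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN OID (assumed, not on the page).
IN_CHAIN_OID='1.2.840.113556.1.4.1941'

# Escape a value for use inside an LDAP search filter (RFC 4515):
# \ * ( ) become \5c \2a \28 \29. Backslash is handled first so the
# escapes it produces are not re-escaped. (NUL cannot occur in a shell
# argument, so it is not handled here.)
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter for users that are DIRECT members of the group (the question's query).
direct_member_filter() {
    printf '(&(objectClass=user)(memberOf=%s))' "$(ldap_filter_escape "$1")"
}

# Filter for users that are direct OR nested members, using the in-chain
# matching rule the answer refers to; the server walks the group graph.
nested_member_filter() {
    printf '(&(objectClass=user)(memberOf:%s:=%s))' \
        "$IN_CHAIN_OID" "$(ldap_filter_escape "$1")"
}

# Assemble the ldapsearch invocation against the Global Catalog port (3268)
# with an empty base DN, as in the question. $1 = bind DN, $2 = group DN.
gc_search_cmd() {
    printf 'ldapsearch -x -W -H ldap://mydomain.local:3268 -D "%s" -b "" -s sub "%s" sAMAccountName\n' \
        "$1" "$(nested_member_filter "$2")"
}

# Example invocation with the question's placeholder DNs.
gc_search_cmd 'CN=myuser,OU=Applicative Users,OU=Users,OU=myou,DC=mydomain,DC=local' \
              'CN=mygroup,OU=Groups,OU=myou,DC=mydomain,DC=local'
```

Note that the Global Catalog only carries universal-group memberships for cross-domain users, as the answer states, so even the transitive filter cannot surface global or domain-local group members from other domains.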