1
votes

I am trying to get all the users and their associated groups from an Active Directory server, using a LDAP query. Apparently, Active Directory doesn't give me the primary group of the users. For example, this search:

(objectclass=user)

produces this result:

# Test User, Users, sub.domain.net
dn: CN=Test User,CN=Users,DC=sub,DC=domain,DC=net
....
memberOf: CN=Domain Admins,CN=Users,DC=sub,DC=domain,DC=net
memberOf: CN=Administrators,CN=Builtin,DC=sub,DC=domain,DC=net
....
primaryGroupID: 515
....

The primary group for this user is Test Group (I know this because I created this user/group pair) so let's take a look at that one:

# Test Group, Users, sub.domain.net
dn: CN=Test Group,CN=Users,DC=sub,DC=domain,DC=net
objectClass: top
objectClass: group
cn: Test Group
distinguishedName: CN=Test Group,CN=Users,DC=sub,DC=domain,DC=net
instanceType: 4
whenCreated: 20101014151945.0Z
whenChanged: 20101015141656.0Z
uSNCreated: 41007
uSNChanged: 41133
name: Test Group
objectGUID:: aQH58S0MWU2Fu/Cli72u0A==
objectSid:: AQUAAAAAAAUVAAAAIzgCYuz3AhjZk27UXgQAAA==
sAMAccountName: Test Group
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=sub,DC=domain,DC=net
dSCorePropagationData: 16010101000000.0Z

How am I supposed to associate the users with their primary groups? All I get when I list a user's properties is a primaryGroupID property, but its value is nowhere to be found in the whole LDAP database (objectclass=*).

2
How are you accessing / reading Active Directory? What programming or script language are you using? Lots of these things are very specific to your dev environment... – marc_s
@marc_s I am using PHP and the examples given above are from the output of ldapsearch – Tom
@Tom: ok, thanks - I'm not a PHP expert, and all my code I would have at hand would be .NET (C#) - so I'm afraid I can't really help you here... – marc_s
@marc_s Does it really matter? I need help with LDAP queries. – Tom
@Tom: yes, I believe it does - this is not a simple LDAP query.... see this solution here: dunnry.com/blog/… – marc_s

2 Answers

1
votes

It's the wrong language, but this KB article specifically talks about using the primarygroupID attribute to find the SID for the primary group:

How to use the PrimaryGroupID attribute to find the primary group for a user

You may be able to use that as a starting point in your own code.

0
votes

This (vbscript) example on how to set a user's primary group may give you some conclusion:

' Bind to the group and the user (DNs taken from the question's ldapsearch output)
Set oGroup = GetObject("LDAP://CN=Test Group,CN=Users,DC=sub,DC=domain,DC=net")
Set oUser = GetObject("LDAP://CN=Test User,CN=Users,DC=sub,DC=domain,DC=net")
oGroup.GetInfoEx Array("primaryGroupToken"), 0   ' primaryGroupToken is constructed, so load it explicitly
oUser.PrimaryGroupID = oGroup.PrimaryGroupToken
oUser.SetInfo

As you see, you have to match the PrimaryGroupID property of the user to the PrimaryGroupToken property of the group (&(objectclass=group)(PrimaryGroupToken=UsersPrimaryGroupID)) or similar.
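The KB article referenced in the first answer and the filter sketched in the second both come down to the same SID arithmetic: primaryGroupID is the RID of a group in the user's own domain, so the primary group's objectSid is the domain SID with that RID appended. One caveat for the filter in the second answer: primaryGroupToken is a constructed attribute, and a domain controller does not evaluate constructed attributes in search filters, so the searchable directions are objectSid on the group and primaryGroupID on the user. The Python below is an added example, not code from the question or either answer: it decodes the objectSid that ldapsearch printed for Test Group in the question, derives a primary-group SID from a primaryGroupID, and builds the two filters. The function names are my own, and it talks to no server.

```python
import base64
import struct

# objectSid of "Test Group" exactly as ldapsearch printed it in the question
# (the "::" after the attribute name means the value is base64-encoded binary).
TEST_GROUP_SID_B64 = "AQUAAAAAAAUVAAAAIzgCYuz3AhjZk27UXgQAAA=="
TEST_GROUP_SID_RAW = base64.b64decode(TEST_GROUP_SID_B64)


def parse_sid(raw):
    """Decode a binary Windows SID into its textual S-1-... form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then N little-endian 32-bit
    sub-authorities; the last sub-authority is the RID.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subauths = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subauths))


def sid_to_bytes(sid):
    """Inverse of parse_sid: S-1-... string back to the binary form AD stores."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subauths)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subauths), *subauths))


def primary_group_sid(any_sid_in_domain, primary_group_id):
    """SID of a user's primary group: the domain SID plus primaryGroupID as RID.

    Any SID from the same domain works as the first argument (the user's own
    objectSid is the natural choice); only its trailing RID is replaced.
    """
    domain_sid = any_sid_in_domain.rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, int(primary_group_id))


def objectsid_filter(sid):
    """LDAP filter matching the object that has this SID.

    The binary value is hex-escaped per RFC 4515, which every LDAP client
    accepts (AD also understands the plain S-1-... string in a filter).
    """
    escaped = "".join("\\%02x" % b for b in sid_to_bytes(sid))
    return "(objectSid=%s)" % escaped


def primary_members_filter(group_sid):
    """Filter for users whose primary group is the given group.

    primaryGroupID is a stored, indexed attribute, so this is the searchable
    direction; the group's primaryGroupToken is constructed and is not usable
    in a filter.
    """
    rid = int(group_sid.rsplit("-", 1)[1])
    return "(&(objectClass=user)(primaryGroupID=%d))" % rid


if __name__ == "__main__":
    group_sid = parse_sid(TEST_GROUP_SID_RAW)
    print("Test Group objectSid:", group_sid)
    # primaryGroupID: 515 is the value the question's user object showed
    pg_sid = primary_group_sid(group_sid, 515)
    print("SID of that user's primary group:", pg_sid)
    print("filter to fetch it:", objectsid_filter(pg_sid))
    print("filter for users whose primary group is Test Group:",
          primary_members_filter(group_sid))
```

Decoding the page's own objectSid gives Test Group the RID 1118, while the user object on the page shows primaryGroupID 515, which is the well-known RID of the Domain Computers group; the objectSid filter built from a primaryGroupID therefore always returns whichever group in that domain carries that RID, and the primaryGroupID filter is the one to run per group when building the users-to-groups listing the question asks for.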