0
votes

I'm new to this way of making queries against LDAP. I'm stuck on using the LDAP_MATCHING_RULE_IN_CHAIN ("member:1.2.840.113556.1.4.1941:=...").

I have searched for information, but I'm getting confused about how to use it.

I have a VB snippet where I'm trying to fetch all the groups a user is a member of, direct or indirect. I get an empty result back.

I have some things I'm uncertain about:

  1. I have set the base to the root of AD, is that correct?
  2. Do I need to specify objectCategory and objectClass at all to get a result, or are they "just" used to narrow the result set once something is returned?
  3. In the LDAP_MATCHING_RULE_IN_CHAIN ("memberOf:1.2.840.113556.1.4.1941:=...") I have various different suggestions to add a reference to a group, but the point here is to get a list of groups back. Do I need to specify any reference to a group to make this filter work?

I'm searching for a user "AD User" (that's the CN in AD); I've tried other users with the same result (nothing).

Does anyone see what I'm doing wrong here?

    Private Sub Button2_Click(sender As Object, e As EventArgs) Handles Button2.Click

        Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
        Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strName, strCN

        ' Setup ADO objects.
        adoCommand = CreateObject("ADODB.Command")
        adoConnection = CreateObject("ADODB.Connection")
        adoConnection.Provider = "ADsDSOObject"
        adoConnection.Open("Active Directory Provider")
        adoCommand.ActiveConnection = adoConnection

        ' Search entire Active Directory domain.
        objRootDSE = GetObject("LDAP://RootDSE")

        strDNSDomain = objRootDSE.Get("defaultNamingContext")
        strBase = "<LDAP://" & strDNSDomain & ">"

        ' Filter on user objects.
        'strFilter = "(&(objectCategory=Person)(objectClass=user)"

        strFilter = "(&(objectCategory=Group)"
        strFilter = strFilter & "(member:1.2.840.113556.1.4.1941:=(CN=AD User,DC=hnitservice,DC=local)))"

        ' Comma delimited list of attribute values to retrieve.
        strAttributes = "sAMAccountName,cn"

        ' Construct the LDAP syntax query.
        strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
        adoCommand.CommandText = strQuery
        adoCommand.Properties("Page Size") = 100
        adoCommand.Properties("Timeout") = 30
        adoCommand.Properties("Cache Results") = False

        ' Run the query.
        adoRecordset = adoCommand.Execute

        ' Enumerate the resulting recordset.
        Do Until adoRecordset.EOF
            ' Retrieve values and display.
            strName = adoRecordset.Fields("sAMAccountName").Value
            strCN = adoRecordset.Fields("cn").value
            '    Wscript.Echo "NT Name: " & strName & ", Common Name: " & strCN
            ' Move to the next record in the recordset.
            adoRecordset.MoveNext
        Loop

        ' Clean up.
        adoRecordset.Close
        adoConnection.Close

    End Sub
1
Since your title says "Get active directory groups for a specific user, nested using LDAP", it appears your query is fine. However, your results will be the GROUPS the user is a member of. Then you say: "I'm searching for a user "AD User" that's the CN in AD, I've tried other users with same result". Are you searching for the Group or the user? – jwilleke
I'm searching for groups the user is a member of. AD User is the name of the user for which I'm looking for groups. So I need to put in a user name and get out a list of groups. – hhaumann

1 Answer

1
votes

All Groups a User is a member of including Nested Groups

This Extensible Match Rule is often referred to as LDAP_MATCHING_RULE_IN_CHAIN.

As an example, to find all the groups that "CN=UserName,CN=Users,DC=YOURDOMAIN,DC=NET" is a member of, set the base to the groups container DN, for example (OU=groupsOU,DC=MyDomain,DC=NET), set the scope to subtree, and use the following filter:

    (member:1.2.840.113556.1.4.1941:=(CN=UserName,CN=Users,DC=YOURDOMAIN,DC=NET))

This will return all of the groups the user is a member of, including nested groups.

I am sorry, I cannot help with VB.NET, but you may need to be certain you are following referrals and that your baseDN is appropriate.

This is not helpful:

    ' Filter on user objects.
    'strFilter = "(&(objectCategory=Person)(objectClass=user)"

As you want to return groups, not users.

I always recommend that you perform your queries with a "known" good utility and make sure the query works. (I like Apache Studio.)
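The following is an added example, not code from the question or the answer above, covering the three uncertainties in the question (base DN, the role of objectCategory, and what goes after `:=`) and the answer's advice to check the base DN. It builds the LDAP_MATCHING_RULE_IN_CHAIN filter with RFC 4515 escaping, so the user DN is placed directly after `:=` with any special characters hex-escaped rather than wrapped in parentheses (escaping also stops a user-supplied name from injecting filter syntax), and then evaluates that filter against a constructed in-memory directory that stands in for the AD subtree. The domain `DC=example,DC=local` and all entries are made up, and nothing contacts a server; in a real query the filter string would be handed to ADO or an LDAP library exactly as `nested_groups_filter` returns it.

```python
"""Offline walk-through of LDAP_MATCHING_RULE_IN_CHAIN.

Added example, not code from the question or the answer. The directory
below is constructed and stands in for the AD subtree under
defaultNamingContext; the domain DC=example,DC=local is made up.
Only the standard library is used, so nothing here contacts a server.
"""

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value.

    Characters that carry meaning inside a search filter are replaced by
    \\XX hex escapes. Because '(' and ')' are among them, the DN goes
    straight after ':=' and is not wrapped in parentheses; escaping it
    also keeps a user-supplied name from injecting filter syntax.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def nested_groups_filter(user_dn):
    """Filter for every group the user belongs to, directly or nested.

    objectCategory=group only narrows the result set to group objects;
    the chain matching rule is what walks the nesting on the server.
    """
    return "(&(objectCategory=group)(member:%s:=%s))" % (
        LDAP_MATCHING_RULE_IN_CHAIN,
        escape_filter_value(user_dn),
    )


# Constructed sample directory: DN -> attributes. The user sits in the
# default CN=Users container; groups live under OU=Groups and nest three
# levels deep. Finance contains a different user and must not match.
SAMPLE_DIRECTORY = {
    "CN=AD User,CN=Users,DC=example,DC=local":
        {"objectCategory": "person", "member": []},
    "CN=Helpdesk,OU=Groups,DC=example,DC=local":
        {"objectCategory": "group",
         "member": ["CN=AD User,CN=Users,DC=example,DC=local"]},
    "CN=IT Staff,OU=Groups,DC=example,DC=local":
        {"objectCategory": "group",
         "member": ["CN=Helpdesk,OU=Groups,DC=example,DC=local"]},
    "CN=All Employees,OU=Groups,DC=example,DC=local":
        {"objectCategory": "group",
         "member": ["CN=IT Staff,OU=Groups,DC=example,DC=local"]},
    "CN=Finance,OU=Groups,DC=example,DC=local":
        {"objectCategory": "group",
         "member": ["CN=Other User,CN=Users,DC=example,DC=local"]},
}


def in_chain(directory, group_dn, target_dn, seen=None):
    """What the server does for member:<rule>:=target.

    Follow the member attribute transitively from group_dn and report
    whether target_dn is reached. `seen` stops cyclic nesting from
    recursing forever; DN comparison is case-insensitive, as in AD.
    """
    if seen is None:
        seen = set()
    if group_dn in seen:
        return False
    seen.add(group_dn)
    for member_dn in directory.get(group_dn, {}).get("member", []):
        if member_dn.lower() == target_dn.lower():
            return True
        if in_chain(directory, member_dn, target_dn, seen):
            return True
    return False


def groups_for_user(directory, base_dn, user_dn):
    """Evaluate the filter as a subtree search under base_dn would.

    Only entries whose DN ends with base_dn are candidates, so a base
    that does not contain the groups (or a user DN that names no entry)
    yields an empty result rather than an error.
    """
    results = []
    for dn, attrs in directory.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue
        if attrs.get("objectCategory", "").lower() != "group":
            continue
        if in_chain(directory, dn, user_dn):
            results.append(dn)
    return sorted(results)


if __name__ == "__main__":
    user = "CN=AD User,CN=Users,DC=example,DC=local"
    print(nested_groups_filter(user))
    for group in groups_for_user(SAMPLE_DIRECTORY, "DC=example,DC=local", user):
        print("  ", group)
```

Two runs are worth comparing: with the domain root as base, all three nested groups come back, and narrowing the base to `OU=Groups,DC=example,DC=local` gives the same list, which is the answer's point about setting the base to the groups container. Searching with a DN that names no entry, such as one that omits the `CN=Users` container, returns nothing at all, with no error, which is exactly the symptom described in the question and why a known-good tool is the right place to confirm the user's full DN first.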