topic Re: LDAPsearch - How do I show members of a group, along with each members sAMAccountName field (not included in ldapgroup command)? in All Apps and Add-ons

LDAPsearch - How do I show members of a group, along with each members sAMAccountName field (not included in ldapgroup command)?

jdunlea — Tue, 13 Jan 2015 19:09:44 GMT

How do I run a search using ldapsearch which shows all members of a group, along with each member's sAMAccountName?

Currently, using LDAPGROUP (as shown below), we are only able to receive the basic CN for each member. However, I want to see the sAMAccount name for each user.

Anybody know how?

Search:

| ldapsearch domain="default" search="(&(objectClass=group)(cn=my_group))" | ldapgroup

Results show members of the group as follows:

CN=Doe John,OU=MyGroups,OU=Americas,OU=company,DC=ad,DC=company,DC=net

I need to see a field for sAMAccountName also, for example:

DoeJo

Or something similar to that sAMAccountName.

Anyone got any ideas?!

Re: LDAPsearch - How do I show members of a group, along with each members sAMAccountName field (not included in ldapgroup command)?

acharlieh — Tue, 13 Jan 2015 19:51:55 GMT

I'll admit I haven't used SA-ldapsearch yet, but according to its docs at least the sAMAccountName should be the member_name field in the output of the ldapgroup command?

Re: LDAPsearch - How do I show members of a group, along with each members sAMAccountName field (not included in ldapgroup command)?

mbenwell — Tue, 13 Jan 2015 23:44:06 GMT

A few ways I could think of doing it.

If you have the commonname of the group:

| ldapsearch domain="<domain>" search=(&(objectClass=group)(cn=<groupCommonName>)) attrs="member"
| mvexpand member
| ldapfilter domain="<domain>" search=(&(objectClass=user)(distinguishedName="$member$")) attrs="sAMAccountName"

The easiest but least efficient way if you have the distinguished name for the group (Warning, this may cause excessive load on AD, Thanks Andy!):

| ldapsearch domain="<domain>" search=(&(objectClass=user)(memberOf="<GroupDN>")) attrs=sAMAccountName

Re: LDAPsearch - How do I show members of a group, along with each members sAMAccountName field (not included in ldapgroup command)?

malmoore — Wed, 14 Jan 2015 20:44:26 GMT

Hi,

We helped user jdunlea fix his problem.

It turns out that, in his example, the group he was referencing was in a parent domain and the users were in child domains. This was confusing SA-LDAPsearch because while it does follow referrals, it does not follow continuation referrals (referrals where AD says the member data is on another server.)

The way to fix the problem is to have SA-LDAPsearch use the global catalog port (port 3268/3269). Once he queried on that port, the member data populated as desired.

I will be adding this note to a "best practices" page in the documentation.

Re: LDAPsearch - How do I show members of a group, along with each members sAMAccountName field (not included in ldapgroup command)?

AndySplunks — Thu, 17 Mar 2016 15:03:21 GMT

I'd recommend against using memberOf for your search. You'll be pulling every account on your domain and churning through the group memberships. You're basically pulling every single account on your domain. The Active Directory team at your site will likely be extremely upset.

That second search seems to be preferred by the Active Directory admins I've talked to.

Re: LDAPsearch - How do I show members of a group, along with each members sAMAccountName field (not included in ldapgroup command)?

mbenwell — Thu, 17 Mar 2016 21:39:03 GMT

Thanks for that Andy! I've edited my answer.

Re: LDAPsearch - How do I show members of a group, along with each members sAMAccountName field (not included in ldapgroup command)?

cblanton — Wed, 30 Sep 2020 00:07:40 GMT

| ldapsearch domain="default" search="(&(objectClass=group)(cn=my_group))"
| ldapgroup
| table cn,member_dn,member_type,member_name