How do I run a search using ldapsearch which shows all members of a group, along with each member's sAMAccountName?
Currently, using LDAPGROUP (as shown below), we are only able to receive the basic CN for each member. However, I want to see the sAMAccount name for each user.
Anybody know how?
Search:
| ldapsearch domain="default" search="(&(objectClass=group)(cn=my_group))" | ldapgroup
Results show members of the group as follows:
CN=Doe John,OU=MyGroups,OU=Americas,OU=company,DC=ad,DC=company,DC=net
I need to see a field for sAMAccountName also, for example:
DoeJo
Or something similar to that sAMAccountName.
Anyone got any ideas?!
Hi,
We helped user jdunlea fix his problem.
It turns out that, in his example, the group he was referencing was in a parent domain and the users were in child domains. This was confusing SA-LDAPsearch because while it does follow referrals, it does not follow continuation referrals (referrals where AD says the member data is on another server.)
The way to fix the problem is to have SA-LDAPsearch use the global catalog port (port 3268/3269). Once he queried on that port, the member data populated as desired.
I will be adding this note to a "best practices" page in the documentation.
| ldapsearch domain="default" search="(&(objectClass=group)(cn=my_group))"
| ldapgroup
| table cn,member_dn,member_type,member_name
Hi,
We helped user jdunlea fix his problem.
It turns out that, in his example, the group he was referencing was in a parent domain and the users were in child domains. This was confusing SA-LDAPsearch because while it does follow referrals, it does not follow continuation referrals (referrals where AD says the member data is on another server.)
The way to fix the problem is to have SA-LDAPsearch use the global catalog port (port 3268/3269). Once he queried on that port, the member data populated as desired.
I will be adding this note to a "best practices" page in the documentation.
A few ways I could think of doing it.
If you have the commonname of the group:
| ldapsearch domain="<domain>" search=(&(objectClass=group)(cn=<groupCommonName>)) attrs="member"
| mvexpand member
| ldapfilter domain="<domain>" search=(&(objectClass=user)(distinguishedName="$member$")) attrs="sAMAccountName"
The easiest but least efficient way if you have the distinguished name for the group (Warning, this may cause excessive load on AD, Thanks Andy!):
| ldapsearch domain="<domain>" search=(&(objectClass=user)(memberOf="<GroupDN>")) attrs=sAMAccountName
I'd recommend against using memberOf for your search. You'll be pulling every account on your domain and churning through the group memberships. You're basically pulling every single account on your domain. The Active Directory team at your site will likely be extremely upset.
That second search seems to be preferred by the Active Directory admins I've talked to.
Thanks for that Andy! I've edited my answer.
I'll admit I haven't used SA-ldapsearch yet, but according to its docs at least the sAMAccountName should be the member_name field in the output of the ldapgroup command?