I have taken a rather long query and condensed it down to the following to remove any possibility that something was possibly filtering it out.
| ldapsearch search="(&(cn=*userhere*))"
That will output all of the available data for the user including memberOf. memberOf skips "Domain Users" but seems to display every other group.
I am currently running 3.0.8 of Splunk Supporting Add-on for Active Directory. Release notes do not mention this issue and no one seems to be reporting it, but I have confirmed it happening on two completely independent instances. Both were 3.0.8.
Thanks for your feedback. Based on what I know, this seems to be normal behavior for AD, not an issue with the add-on. If you are having trouble, please consider working with Splunk Support or ODS, who has expertise on the AD integration.
The reason for using this is to be able to create a list of all groups a user is in.
That above query will evaluate and memberOf still does not show "Domain Users" but shows every other group. The documentation makes no mention that the primary group ID will not show up. Unfortunately, on the network I am currently on, I am unable to add a test user, assign the primary group to something else and remove them from Domain Users, but I can't see how it would be normal functionality to exclude the primary group the user is a member of.
I have just never in my career seen something that could list group memberships and would intentionally skip the primary group, or "Domain Users" whichever is true in this scenario.
I tested with Domain Computers as well and had the same results. It still seems weird.
Hello!
You are correct. I had to dig into it and found out that the primaryGroupID is considered an "implicit membership." It is uncommon to change but Guest is 514, as an example. The issue happens with the Guest user account as well since it is (traditionally) only a member of the security group called Domain Guests.
I was able to confirm this using the Windows LDP tool. Apparently, I just never had to use LDAP to actually query for all memberships in the past, it was always using third-party tools which would include even the "implicit" memberships.
@LexSplunker I think that's normal behavior, not an add-on issue? Did you already try something like this? I always specify the attributes I need because of the special handling and performance.
| ldapsearch search="(&(cn=*userhere*))" attrs="cn,memberOf,primaryGroupID" | eval primaryGroupName=if(primaryGroupID="513","Domain Users","Other Primary Group")
refer: https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.2/User/UseSA-ldapsearchtotroubleshootproblem...
If this reply helps, please upvote.
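Added example, not part of any post in this thread and not the add-on's own code: a Python sketch of building the full group list discussed above by combining memberOf with the implicit primary group, whose SID is the user's domain SID with primaryGroupID as the final RID. It assumes objectSid is requested alongside the attributes in the query above; the sample entry, its SID, its group DN and the function names are constructed for illustration.

```python
import struct

# RIDs named in the thread (513, 514) plus 515 for Domain Computers.
WELL_KNOWN_RIDS = {513: "Domain Users", 514: "Domain Guests", 515: "Domain Computers"}

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid value into S-1-5-21-... form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def primary_group_sid(user_sid: str, primary_group_id) -> str:
    """Primary group SID = the user's domain SID + primaryGroupID as the RID."""
    domain_sid, _, _user_rid = user_sid.rpartition("-")
    return "%s-%d" % (domain_sid, int(primary_group_id))

def all_groups(entry: dict) -> dict:
    """Combine explicit memberOf values with the implicit primary group."""
    member_of = entry.get("memberOf") or []
    if isinstance(member_of, str):                    # single-valued result
        member_of = [member_of]
    sid = entry["objectSid"]
    if isinstance(sid, (bytes, bytearray)):
        sid = sid_to_str(bytes(sid))
    rid = int(entry["primaryGroupID"])
    pg_sid = primary_group_sid(sid, rid)
    return {
        "explicit": list(member_of),
        "primary_group_sid": pg_sid,
        "primary_group_name": WELL_KNOWN_RIDS.get(rid),  # None if not a default group
        # Filter for a follow-up search that returns the group's own entry.
        "primary_group_filter": "(objectSid=%s)" % pg_sid,
    }

# Constructed sample entry (not real directory data).
SAMPLE_SID = struct.pack("<BB", 1, 5) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1004336348, 1177238915, 682003330, 1105)
SAMPLE_ENTRY = {
    "cn": "userhere",
    "objectSid": SAMPLE_SID,
    "primaryGroupID": "513",
    "memberOf": ["CN=VPN Users,OU=Groups,DC=example,DC=com"],
}

if __name__ == "__main__":
    print(all_groups(SAMPLE_ENTRY))
```

Resolving the group by SID rather than by a hard-coded name also covers accounts whose primary group has been changed from the default.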