Can I use the Splunk Supporting Add-on for Active ...

danielansell · ‎09-19-2018

I have seen how the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) can give me a list of all groups, and enumerate their membership, to include both nested and direct membership. I have also seen how I can retrieve all users, and the groups which they are a member of.

Does anyone have a search where I can search Active Directory with SA-ldapsearch, specify a user, and enumerate all group membership, to include any inherited groups?

I believe I had some success achieving this with the data from Active Directory monitoring - however, I'd prefer to use SA-ldapsearch for this.

worshamn · ‎07-28-2020

Yes, AD has a "magic string" (1.2.840.113556.1.4.1941) that I go into more detail on this answer https://community.splunk.com/t5/All-Apps-and-Add-ons/How-can-I-flatten-nested-Active-Directory-group...

But here is a working search for a single user that would give the output you mentioned:

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer))(cn=username))" attrs="cn,memberOf"
| eval type="Direct"
| rename memberOf AS Group
| mvexpand Group
| append 
    [| ldapsearch search="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:cn=username,dc=amr,dc=corp,dc=mydomain,dc=com))" attrs="cn"
    | rename dn AS Group
    | table Group 
    | eval type = "Nested"
    ]
| filldown cn
| stats values(type) AS type BY Group cn 
| rename cn AS User
| eval type = if(match(type,"Direct"),"Direct",type)
| table User Group type

Can I use the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) to enumerate group membership for a specified user?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!