Getting Data In

Can I use the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) to enumerate group membership for a specified user?

danielansell
Path Finder

I have seen how the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) can give me a list of all groups, and enumerate their membership, to include both nested and direct membership. I have also seen how I can retrieve all users, and the groups which they are a member of.

Does anyone have a search where I can search Active Directory with SA-ldapsearch, specify a user, and enumerate all group membership, to include any inherited groups?

Desired Results:
User | Group | Membership Type
John.Doe | Domain Users | Direct
John.Doe | Accounting | Direct
John.Doe | Finance Dept. | Nested

I believe I had some success achieving this with the data from Active Directory monitoring - however, I'd prefer to use SA-ldapsearch for this.

0 Karma

worshamn
Contributor

Yes, AD has a "magic string" (1.2.840.113556.1.4.1941) that I go into more detail on this answer https://community.splunk.com/t5/All-Apps-and-Add-ons/How-can-I-flatten-nested-Active-Directory-group...

But here is a working search for a single user that would give the output you mentioned:

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer))(cn=username))" attrs="cn,memberOf"
| eval type="Direct"
| rename memberOf AS Group
| mvexpand Group
| append 
    [| ldapsearch search="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:cn=username,dc=amr,dc=corp,dc=mydomain,dc=com))" attrs="cn"
    | rename dn AS Group
    | table Group 
    | eval type = "Nested"
    ]
| filldown cn
| stats values(type) AS type BY Group cn 
| rename cn AS User
| eval type = if(match(type,"Direct"),"Direct",type)
| table User Group type

 

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...