I have seen how the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) can give me a list of all groups, and enumerate their membership, to include both nested and direct membership. I have also seen how I can retrieve all users, and the groups which they are a member of.
Does anyone have a search where I can search Active Directory with SA-ldapsearch, specify a user, and enumerate all group membership, to include any inherited groups?
Desired Results:
User | Group | Membership Type
John.Doe | Domain Users | Direct
John.Doe | Accounting | Direct
John.Doe | Finance Dept. | Nested
I believe I had some success achieving this with the data from Active Directory monitoring - however, I'd prefer to use SA-ldapsearch for this.
Yes, AD has a "magic string" (1.2.840.113556.1.4.1941) that I go into more detail on this answer https://community.splunk.com/t5/All-Apps-and-Add-ons/How-can-I-flatten-nested-Active-Directory-group...
But here is a working search for a single user that would give the output you mentioned:
| ldapsearch search="(&(objectClass=user)(!(objectClass=computer))(cn=username))" attrs="cn,memberOf"
| eval type="Direct"
| rename memberOf AS Group
| mvexpand Group
| append
[| ldapsearch search="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:cn=username,dc=amr,dc=corp,dc=mydomain,dc=com))" attrs="cn"
| rename dn AS Group
| table Group
| eval type = "Nested"
]
| filldown cn
| stats values(type) AS type BY Group cn
| rename cn AS User
| eval type = if(match(type,"Direct"),"Direct",type)
| table User Group type