I have seen how the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) can give me a list of all groups, and enumerate their membership, to include both nested and direct membership. I have also seen how I can retrieve all users, and the groups which they are a member of.
Does anyone have a search where I can search Active Directory with SA-ldapsearch, specify a user, and enumerate all group membership, to include any inherited groups?
User | Group | Membership Type
John.Doe | Domain Users | Direct
John.Doe | Accounting | Direct
John.Doe | Finance Dept. | Nested
I believe I had some success achieving this with the data from Active Directory monitoring - however, I'd prefer to use SA-ldapsearch for this.
But here is a working search for a single user that would give the output you mentioned:
| ldapsearch search="(&(objectClass=user)(!(objectClass=computer))(cn=username))" attrs="cn,memberOf"
| eval type="Direct"
| rename memberOf AS Group
| mvexpand Group
[| ldapsearch search="(&(objectClass=group)(member:1.2.840.113518.104.22.1681:cn=username,dc=amr,dc=corp,dc=mydomain,dc=com))" attrs="cn"
| rename dn AS Group
| table Group
| eval type = "Nested"
| filldown cn
| stats values(type) AS type BY Group cn
| rename cn AS User
| eval type = if(match(type,"Direct"),"Direct",type)
| table User Group type