Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I use the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) to enumerate group membership for a specified user?

danielansell
Path Finder
‎09-19-2018 06:09 AM

I have seen how the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) can give me a list of all groups, and enumerate their membership, to include both nested and direct membership. I have also seen how I can retrieve all users, and the groups which they are a member of.

Does anyone have a search where I can search Active Directory with SA-ldapsearch, specify a user, and enumerate all group membership, to include any inherited groups?

Desired Results:
User | Group | Membership Type
John.Doe | Domain Users | Direct
John.Doe | Accounting | Direct
John.Doe | Finance Dept. | Nested

I believe I had some success achieving this with the data from Active Directory monitoring - however, I'd prefer to use SA-ldapsearch for this.

0 Karma
Reply

worshamn
Contributor
‎07-28-2020 02:29 PM

Yes, AD has a "magic string" (1.2.840.113556.1.4.1941) that I go into more detail on this answer https://community.splunk.com/t5/All-Apps-and-Add-ons/How-can-I-flatten-nested-Active-Directory-group...

But here is a working search for a single user that would give the output you mentioned:

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer))(cn=username))" attrs="cn,memberOf"
| eval type="Direct"
| rename memberOf AS Group
| mvexpand Group
| append 
    [| ldapsearch search="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:cn=username,dc=amr,dc=corp,dc=mydomain,dc=com))" attrs="cn"
    | rename dn AS Group
    | table Group 
    | eval type = "Nested"
    ]
| filldown cn
| stats values(type) AS type BY Group cn 
| rename cn AS User
| eval type = if(match(type,"Direct"),"Direct",type)
| table User Group type

 

0 Karma
Reply
Get Updates on the Splunk Community!

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...