
Trouble authenticating ALL Active Directory users


I'd like to open my Splunk system up to all of our AD users rather than mapping particular groups as we have in the past. I've been trying to accomplish this by mapping the built-in Domain Users group but I can't seem to get it to show up in the mapping screen. I do get the Domain Admins and Domain Guests, which are in the same OU/Container, just not Domain Users. Here is my current authentication.conf (some names changed to protect the innocent):

[authentication]
authSettings = Active Directory
authType = LDAP

[roleMap_Active Directory]
admin = Splunk Admins
managers = Splunk Managers
power = SysAdmins;Splunk Power Users
user = SysAdmins;Splunk Power Users;Splunk Users

[Active Directory]
SSLEnabled = 0
anonymous_referrals = 0
bindDN =
bindDNpassword = $1$AoUBf6Io02h4
charset = utf8
groupBaseDN = OU=CustomGroupOU1,DC=our,DC=domain,DC=net;OU=Groups,OU=CustomGroupOU2,DC=our,DC=domain,DC=net;CN=Users,DC=our,DC=domain,DC=net
groupBaseFilter = (|(cn=IT*)(cn=Splunk*)(cn=Domain*))
#groupMappingAttribute = dn
groupMappingAttribute = distinguishedname
groupMemberAttribute = member
#groupNameAttribute = cn
groupNameAttribute = name
host =
nestedGroups = 0
network_timeout = 29
port = 389
realNameAttribute = cn
sizelimit = 100000
timelimit = 28
userBaseDN = OU=CustomUserOU,DC=our,DC=domain,DC=net;CN=Users,DC=our,DC=domain,DC=net
userNameAttribute = samaccountname

I really don't have any AD management experience so I suspect I'm misunderstanding something here, any help would be greatly appreciated!

0 Karma

Splunk Employee

I know this is a post from 2013. But I thought that might help someone. I was doing a lab with MS AD myself. I noticed the very same behaviour for 'Domain Users' group. 

The problem comes from the implementation of Microsoft AD, due to the fact that Domain Users is something called a 'Primary Group'.

The Domain Users group uses a "computed" mechanism based on the "primary group ID" of the user to determine membership and does not typically store members as multi-valued linked attributes. If the primary group of the user is changed, their membership in the Domain Users group is written to the linked attribute for the group and is no longer calculated. This was true for Windows 2000 and has not changed for Windows Server 2003.

Full discussion can be found here: 
More info in detail can be read here:

0 Karma
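The computed membership described in the answer above, as an added example that is not part of the original thread or any Splunk code: it models a client that reads only the group's `member` attribute (what `groupMemberAttribute = member` in the posted config asks for) next to a lookup that also matches each user's `primaryGroupID` against the group's RID. The domain SID, the user names and RID 1105 are constructed; 512 and 513 are the well-known RIDs of Domain Admins and Domain Users.

```python
# Constructed sample data modelled on the thread's DC=our,DC=domain,DC=net tree.
BASE = "DC=our,DC=domain,DC=net"
DOMAIN_SID = "S-1-5-21-1000000001-1000000002-1000000003"  # constructed placeholder

DOMAIN_USERS = f"CN=Domain Users,CN=Users,{BASE}"
DOMAIN_ADMINS = f"CN=Domain Admins,CN=Users,{BASE}"
SPLUNK_USERS = f"CN=Splunk Users,OU=CustomGroupOU1,{BASE}"
ALICE, BOB, CAROL = (f"CN={n},OU=CustomUserOU,{BASE}" for n in ("alice", "bob", "carol"))

# objectSid is shown in string form here; AD stores it as a binary value.
GROUPS = {
    DOMAIN_USERS: {"objectSid": f"{DOMAIN_SID}-513", "member": [CAROL]},
    DOMAIN_ADMINS: {"objectSid": f"{DOMAIN_SID}-512", "member": [ALICE]},
    SPLUNK_USERS: {"objectSid": f"{DOMAIN_SID}-1105", "member": [BOB]},
}
# carol's primary group was changed to Splunk Users (RID 1105), so her
# Domain Users membership is stored in "member" instead of being computed.
USERS = {
    ALICE: {"primaryGroupID": 513},
    BOB: {"primaryGroupID": 513},
    CAROL: {"primaryGroupID": 1105},
}

def rid(sid):
    """Relative identifier: the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])

def stored_members(group_dn):
    """What a client sees when it reads only the group's member attribute."""
    return set(GROUPS[group_dn]["member"])

def primary_group_filter(group_dn):
    """LDAP filter selecting users whose primary group is this group."""
    return f"(primaryGroupID={rid(GROUPS[group_dn]['objectSid'])})"

def effective_members(group_dn):
    """Stored members plus users whose primaryGroupID matches the group's RID."""
    group_rid = rid(GROUPS[group_dn]["objectSid"])
    computed = {dn for dn, u in USERS.items() if u["primaryGroupID"] == group_rid}
    return stored_members(group_dn) | computed

if __name__ == "__main__":
    for dn in GROUPS:
        # Columns: group CN, members via "member" only, effective members.
        print(dn.split(",")[0], len(stored_members(dn)), len(effective_members(dn)))
```

With this sample data, Domain Users shows one member through `member` alone and three once primary-group membership is counted.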

Path Finder

Did you by chance figure this out? I'm trying to add 'Domain Users' but can't seem to get Splunk to find it.
I'm told it lives in "CN=Users,DC=our,DC=domain,DC=net" ... but still no go!

0 Karma


If you are trying to map roles via AD, which is what I see, you will need to create a new OU that contains all Splunk users not in the other 2 OUs. Splunk is not very great at AD...

0 Karma


That "user role" will override your admin role.

0 Karma


What I'm really aiming for is to have all AD users automatically get "user role" access without needing to add them to a specific group.

0 Karma