views: 73
answers: 2

I am trying to get all the users and their associated groups from an Active Directory server, using an LDAP query. Apparently, Active Directory doesn't give me the primary group of the users. For example, this search:

(objectclass=user)

produces this result:

# Test User, Users, sub.domain.net
dn: CN=Test User,CN=Users,DC=sub,DC=domain,DC=net
....
memberOf: CN=Domain Admins,CN=Users,DC=sub,DC=domain,DC=net
memberOf: CN=Administrators,CN=Builtin,DC=sub,DC=domain,DC=net
....
primaryGroupID: 515
....

The primary group for this user is Test Group (I know this because I created this user/group pair) so let's take a look at that one:

# Test Group, Users, sub.domain.net
dn: CN=Test Group,CN=Users,DC=sub,DC=domain,DC=net
objectClass: top
objectClass: group
cn: Test Group
distinguishedName: CN=Test Group,CN=Users,DC=sub,DC=domain,DC=net
instanceType: 4
whenCreated: 20101014151945.0Z
whenChanged: 20101015141656.0Z
uSNCreated: 41007
uSNChanged: 41133
name: Test Group
objectGUID:: aQH58S0MWU2Fu/Cli72u0A==
objectSid:: AQUAAAAAAAUVAAAAIzgCYuz3AhjZk27UXgQAAA==
sAMAccountName: Test Group
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=sub,DC=domain,DC=net
dSCorePropagationData: 16010101000000.0Z

How am I supposed to associate the users with their primary groups? All I get when I list a user's properties is a primaryGroupID property, but its value is nowhere to be found in the whole LDAP database (objectclass=*).

+1  A: 

It's the wrong language, but this KB article specifically talks about using the primaryGroupID attribute to find the SID for the primary group:

How to use the PrimaryGroupID attribute to find the primary group for a user

You may be able to use that as a starting point in your own code.

Damien_The_Unbeliever
I've found a similar code in ruby: http://www.boost.co.nz/blog/ruby-on-rails/extracting-active-directory-sids-with-ruby/
Tom
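The mechanism the KB article describes, as an added worked example (this is not code from the answer, from the KB article, or from the linked Ruby post): primaryGroupID is only the RID (the last sub-authority) of the primary group's SID, and the primary group always lives in the user's own domain. So you take the user's own objectSid, keep the domain part, substitute primaryGroupID for the user's RID, and then search for the group by objectSid. Since objectSid is binary, the filter value has to be escaped byte-wise. The objectSid decoded below is the one from the Test Group listing in the question; decoding it gives RID 1118, so that listing is not the group that primaryGroupID 515 points at. The user SID used in the demo (same domain, RID 1105) is constructed for illustration and does not appear on the page.

```python
import base64
import struct

# objectSid of "Test Group", copied verbatim from the LDIF listing in the question
TEST_GROUP_SID_B64 = "AQUAAAAAAAUVAAAAIzgCYuz3AhjZk27UXgQAAA=="


def sid_bytes_to_string(raw):
    """Decode a binary objectSid into the familiar S-1-5-21-... string.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then N sub-authorities
    (4 bytes each, little-endian). The last sub-authority is the RID.
    """
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def objectsid_b64_to_string(b64):
    """LDIF prints binary attributes base64-encoded ('objectSid:: ...')."""
    return sid_bytes_to_string(base64.b64decode(b64))


def sid_string_to_bytes(sid):
    """Inverse of sid_bytes_to_string (needed to build a filter on objectSid)."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def rid_of(sid):
    """The RID is the last sub-authority of the SID."""
    return int(sid.rsplit("-", 1)[1])


def primary_group_sid(user_sid, primary_group_id):
    """Same domain SID as the user, with primaryGroupID in place of the user's RID."""
    domain_sid = user_sid.rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, int(primary_group_id))


def ldap_filter_for_sid(sid):
    """objectSid is binary, so the filter value is each raw byte escaped as \\XX (RFC 4515)."""
    escaped = "".join("\\%02x" % b for b in sid_string_to_bytes(sid))
    return "(&(objectClass=group)(objectSid=%s))" % escaped


if __name__ == "__main__":
    group_sid = objectsid_b64_to_string(TEST_GROUP_SID_B64)
    print("Test Group objectSid:", group_sid, "-> RID", rid_of(group_sid))
    # Constructed user SID for the demo: same domain as the group, RID 1105 (not on the page)
    user_sid = "S-1-5-21-1644312611-402847724-3564016601-1105"
    target = primary_group_sid(user_sid, 515)  # primaryGroupID from the question
    print("Primary group SID:", target)
    print("Search filter:", ldap_filter_for_sid(target))
```

Run the resulting filter against the domain naming context and you get the primary group object directly, without needing the constructed primaryGroupToken attribute at all. Resolving it this way also fills the gap in memberOf, which omits the primary group for every user.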
A: 

This (vbscript) example on how to set a user's primary group may give you some conclusion:

' Bind to the group and the user via ADSI (DNs taken from the question)
Set oGroup = GetObject("LDAP://CN=Test Group,CN=Users,DC=sub,DC=domain,DC=net")
Set oUser = GetObject("LDAP://CN=Test User,CN=Users,DC=sub,DC=domain,DC=net")
oGroup.GetInfoEx Array("primaryGroupToken"), 0
oUser.PrimaryGroupID = oGroup.PrimaryGroupToken
oUser.SetInfo

As you see, you have to match the PrimaryGroupID property of the user to the PrimaryGroupToken property of the group (&(objectclass=group)(PrimaryGroupToken=UsersPrimaryGroupID)) or similar.

Silvan
Unfortunately, the PrimaryGroupToken is a constructed attribute - computed by the ADSI provider, and not retrievable via LDAP.
Damien_The_Unbeliever
Thanks for trying @Silvan, but @Damien_The_Unbeliever is right. That field is computed on the client by some bullshit MS library.
Tom