
SQL with Active Directory and nested groups/users

I have one AD group that contains 5 users. 3 of the users are from Domain1 and 2 are from a trusted Domain2.

I have a problem getting the users from Domain2 after I read out which users have access to which groups.

I'm using OPENQUERY to ADSI. (The domain and servers are 2008 R2.)

This is an expansion of this topic:

Query AD Group Membership Recursively Through SQL

Update: This is the query, but I'm getting an error:

select samAccountName,distinguishedName 
            FROM OPENQUERY(ADSI,'
                SELECT samAccountName,distinguishedName 
                FROM ''LDAP://domain/DC=...,DC=....,DC=....''
                WHERE 
                    objectCategory=''user'' AND
                    memberof:1.2.840.113556.1.4.1941:= ''CN=..,OU=..,DC=...,DC=....,DC=....'' ') 

This is my query that works, but I'm not getting the nested groups or the users from the other domain.

select samAccountName,distinguishedName 
            FROM OPENQUERY(ADSI,'
                SELECT samAccountName,distinguishedName 
                FROM ''LDAP://domain/DC=...,DC=....,DC=....''
                WHERE 
                    objectCategory=''user'' AND
                    memberof= ''CN=..,OU=..,DC=...,DC=....,DC=....'' ') 

I have no knowledge of OPENQUERY to ADSI. Only some comments:

  • In the second search statement, you should use memberOf instead of member.
  • FSPs are used to represent security principals from a foreign forest. See http://msdn.microsoft.com/en-us/library/cc223700.aspx . The only hint for getting back the user/group from an FSP is the SID in the objectSID attribute, but there seems to be no easy way to do this. See Accessing Foreign Security Principals.
  • You can only get direct members or the containing groups using the member and memberOf attributes, not nested ones.
  • Members whose membership comes only from their primary group are not listed in member or memberOf at all.

UPDATE:

Okay, according to your link (Query AD Group Membership Recursively Through SQL),
the following should work:

-- LDAP dialect: <base>;(filter);attributes;scope
-- memberOf with the LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941)
-- matches every object whose chain of group memberships reaches the group,
-- i.e. nested members; the rule on member would instead find groups containing the object.
SELECT samAccountName,distinguishedName
    FROM OPENQUERY (ADSI, '<LDAP://domain/DC=...,DC=....,DC=....>;
    (&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=CN=..,OU=..,DC=...,DC=....,DC=....));samAccountName, distinguishedName;subtree');

Also, please check the functional level according to:

http://www.technipages.com/active-directory-how-to-check-domain-and-forest-functional-level

The ":1.2.840.113556.1.4.1941:=" syntax requires functional level of 2008 R2.
