Nested Security Groups and Finicky LDAP Search Filters

by Doug on July 13, 2010

in Active Directory,AD LDS,ADAM,LDAP,Search Filter,Windows

Scenario:

Imagine, if you will, an organization has a directory structure that comprises a number of Organizational Units and, within each OU, there can be one or more Security Groups.  Each security group within its respective OU has one or more nested member groups tied to it from a container called “Groups” off the root of the DC.  Each of these groups has users as members from the built-in Users container.  As a result, no user will ever be placed directly into his/her respective OU, but simply tied to a group from the “Groups” container.

Problem:

When using a normal search filter (see the following example), no users will be found: a plain memberOf comparison only matches objects that are direct members of the named group, and in this scenario the direct members of the OU's security group are the nested groups, not the users.

(&(memberOf=cn=Group1,OU=OU1,DC=IDG,DC=LOCAL))

Solution:

If there are nested groups, you will need to add the matching-rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN, an Active Directory extension rather than generic LDAP) to the memberOf attribute in the filter. This tells the server to “walk the chain of ancestry objects all the way to the root until it finds a match”. See the following example for how this filter is written:

(&(memberOf:1.2.840.113556.1.4.1941:=cn=Group1,OU=OU1,DC=IDG,DC=LOCAL))

For this example, we will simply say that the Group1 security group in the filters has two nested groups attached to it from a container outside of the OU where this security group resides.  This filter will then return all users tied to the nested security groups.

Additionally, say that you need to combine a number of search filters to limit the scope of who can be enrolled during a delayed rollout. You will need to switch the operator from “&” to “|” so that users from either group are matched. See the example below:

(|(memberOf:1.2.840.113556.1.4.1941:=cn=Group1,OU=OU1,DC=IDG,DC=LOCAL)
(memberOf:1.2.840.113556.1.4.1941:=cn=Group2,OU=OU2,DC=IDG,DC=LOCAL))
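As an added example (not the post's own code), the following Python builds the filters shown above with RFC 4515 value escaping and, over a constructed in-memory copy of the scenario's directory, shows why a plain memberOf filter returns no users while the chain-matching rule returns the users of the nested groups. The group names other than Group1, the user names, and the directory contents are assumed; in practice the chain walk is done server-side by Active Directory.

```python
# Added example: filter construction plus an emulation of what each filter
# matches over a constructed directory. Only Group1/OU1/IDG.LOCAL come from the post.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter; DNs can
    legitimately contain '(', ')' or '*', which would otherwise corrupt it."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def nested_member_filter(group_dns):
    """One chain-matching clause per group, OR-ed together when several
    groups are given, as the post does for the delayed rollout."""
    clauses = "".join(
        f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(dn)})"
        for dn in group_dns)
    return clauses if len(group_dns) == 1 else f"(|{clauses})"


# Constructed directory: group DN -> its direct members (groups or users).
GROUP1 = "CN=Group1,OU=OU1,DC=IDG,DC=LOCAL"
GROUP_A = "CN=GroupA,CN=Groups,DC=IDG,DC=LOCAL"   # assumed name
GROUP_B = "CN=GroupB,CN=Groups,DC=IDG,DC=LOCAL"   # assumed name
ALICE = "CN=alice,CN=Users,DC=IDG,DC=LOCAL"       # assumed user
BOB = "CN=bob,CN=Users,DC=IDG,DC=LOCAL"           # assumed user
DIRECTORY = {
    GROUP1: [GROUP_A, GROUP_B],   # only groups are direct members, as in the post
    GROUP_A: [ALICE],
    GROUP_B: [BOB, GROUP_A],      # GroupA reachable twice: must be walked once
}


def direct_user_members(group_dn):
    """What a plain (memberOf=<group>) filter matches among user objects."""
    return {m for m in DIRECTORY.get(group_dn, []) if m not in DIRECTORY}


def chained_user_members(group_dn):
    """What (memberOf:1.2.840.113556.1.4.1941:=<group>) matches: every user
    reachable through any depth of nesting, with a guard against revisits."""
    users, seen, todo = set(), set(), [group_dn]
    while todo:
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in DIRECTORY.get(g, []):
            if m in DIRECTORY:
                todo.append(m)
            else:
                users.add(m)
    return users
```

The chain-matching rule is evaluated server-side and costs noticeably more than a plain memberOf compare, so in production pair it with an objectCategory or objectClass clause to narrow the candidate set.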

I hope this helps should you find yourself in the same predicament.
