Active Directory Group Membership Tip

A very common need is to determine what users are in an Active Directory group. However, group membership in Active Directory is not a single-level thing. A user can be a member of a group through an indeterminate number of other groups. For example, a user could be in group A, and group A is in group B, and group B is in group C, etc… Therefore, when trying to determine what users are in group C, you can’t just look at the members property of the group.
This has very real implications when trying to determine how a user got a specific permission and in determining if a user received an e-mail sent to a distribution group. One distribution group could contain another, which contains another, etc.
Fortunately, there is an easy solution. Instead of just looking for users with a memberOf property that matches the group, we us a microsoft-specific matching rule. Implementation specific matching rules are part of the LDAP standard and Microsoft has implemented a rule that solves our nested group problem.

Here is the LDAP query that returns all users in a group, regardless of how they are a member (direct or through another group/groups):
(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=cn=your group,ou=dn,dc=goes,dc=here))

Without requiring (objectClass=user), this query would return all users AND groups, which could cause confusion if disabling all user accounts that received a malicious email to a distribution list.

The :1.2.840.113556.1.4.1941: is an OID (just like OIDs in SNMP - any vendor can implement a custom one) of a custom matcher.
For more information, here’s the microsoft documentation on this hidden gem: https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax

Happy SOARing!

4 Likes

We use this LDAP to find disabled user account members of a group:

(&(UserAccountControl=514)(memberOf=CN=YourGroupName,OU=YourGroupOU,DC=YourDomain>,DC=net))

We then take the results, loop through them and remove the user from the group in question. We also log the user being removed into a Global Artifact for audit purposes. This is a simple workflow that could be scheduled for every 6 hours if needed. E.g. “VPN Access” AD Group or some other compliance-controlled group.

2 Likes