Active Directory: Querying for subdomain users member of parent level AD group


I am trying to find a way through this already-discussed problem but am still unable to get to the final step.

We are in the process of generating an XLS sheet listing all the users from certain AD groups recursively.

Note: We cannot use memberOf:1.2.840.113556.1.4.1941 as we need to capture the parent group of every group/user.

We have written a Java program to achieve this and are almost at completion. But we are unable to get the subdomain users for the parent domain AD group.

Scenario: We have 2 domains

  1. DOMAIN.COM
  2. SUBDOMAIN.DOMAIN.COM

We have an AD group in parent domain (CN=My_Consumer,OU=Groups,DC=DOMAIN,DC=COM). It contains around 1,000 direct members under DOMAIN and close to 3,000 members under SUBDOMAIN. To extract the list of these members, we are connecting and querying independently on each domain and trying to get the members of the AD group.

For DOMAIN: we are connecting to the ldaps://DOMAIN.COM:636 URL and are able to retrieve the 1,000 members successfully.

For SUBDOMAIN: we are connecting to ldaps://SUBDOMAIN.DOMAIN.COM:636 and searching using the query filter below, but no users are returned.

(&(objectClass=User)(objectCategory=Person)(memberOf=CN=My_Consumer,OU=Groups,DC=DOMAIN,DC=com))

The puzzling thing is, the same filter criteria returns correct results when tried through the Active Directory Explorer UI tool.

Am I missing anything? I have been stuck on this for 2 days with no clue why it is not returning any user under the subdomain.

Any pointer will be very much appreciated.
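An added example, not code from the question or the answer: instead of filtering on memberOf from inside each domain, it walks the group's own member attribute recursively, records the parent group of every user (the requirement that rules out the 1.2.840.113556.1.4.1941 matching rule), routes each member DN to the domain that holds it via its DC= components, and stops on circular nesting. DIRECTORY is a constructed in-memory stand-in for the two LDAP connections; the lookup function is where a real implementation would pick the connection.

```python
# Added example (not from the question or answer). DIRECTORY is a constructed
# stand-in for the two LDAP servers: DN -> (object kind, direct member DNs).
# It has a nested group in the child domain and a nesting cycle back to the
# parent-domain group, both of which a recursive walk has to survive.
from typing import Dict, FrozenSet, List, Tuple

DIRECTORY: Dict[str, Tuple[str, List[str]]] = {
    "CN=My_Consumer,OU=Groups,DC=DOMAIN,DC=COM": ("group", [
        "CN=Alice,OU=Users,DC=DOMAIN,DC=COM",
        "CN=Sub_Team,OU=Groups,DC=SUBDOMAIN,DC=DOMAIN,DC=COM",
        "CN=Carol,OU=Users,DC=SUBDOMAIN,DC=DOMAIN,DC=COM",
    ]),
    "CN=Alice,OU=Users,DC=DOMAIN,DC=COM": ("user", []),
    "CN=Sub_Team,OU=Groups,DC=SUBDOMAIN,DC=DOMAIN,DC=COM": ("group", [
        "CN=Bob,OU=Users,DC=SUBDOMAIN,DC=DOMAIN,DC=COM",
        "CN=My_Consumer,OU=Groups,DC=DOMAIN,DC=COM",   # circular nesting
    ]),
    "CN=Bob,OU=Users,DC=SUBDOMAIN,DC=DOMAIN,DC=COM": ("user", []),
    "CN=Carol,OU=Users,DC=SUBDOMAIN,DC=DOMAIN,DC=COM": ("user", []),
}

def domain_of(dn: str) -> str:
    """DNS domain from the DC= components, e.g. SUBDOMAIN.DOMAIN.COM. This is
    what decides which domain's LDAP server can return the entry. (Naive split
    on ',' is fine for the sample DNs; escaped commas need a real DN parser.)"""
    parts = [p.split("=", 1)[1] for p in dn.split(",") if p.upper().startswith("DC=")]
    return ".".join(parts).upper()

def lookup(dn: str) -> Tuple[str, List[str]]:
    """Stand-in for a base-scope search of `dn` against the server for
    domain_of(dn), reading objectClass and member."""
    return DIRECTORY.get(dn, ("unknown", []))

def expand_group(group_dn: str, ancestors: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, str]]:
    """Return (user_dn, parent_group_dn, user_domain) for every user reachable
    from group_dn. A user nested under two different groups is reported once
    per parent; a group already on the current path is skipped (cycle)."""
    key = group_dn.upper()                  # DNs compare case-insensitively
    if key in ancestors:
        return []
    path = ancestors | {key}
    rows: List[Tuple[str, str, str]] = []
    for member_dn in lookup(group_dn)[1]:
        kind, _ = lookup(member_dn)
        if kind == "group":
            rows.extend(expand_group(member_dn, path))
        elif kind == "user":
            rows.append((member_dn, group_dn, domain_of(member_dn)))
    return rows
```

Each row carries the domain the user lives in, so the per-domain connections are chosen per member DN rather than by running the same memberOf filter on every domain.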


I am not sure that I understand the structure of the catalog exactly, but it seems to me that the memberOf values for the domain and the subdomain are not equal.

Maybe they are:

memberOf=CN=My_Consumer,OU=Groups,DC=DOMAIN,DC=com

memberOf=CN=My_Consumer,OU=Groups,**DC=SUBDOMAIN,**DC=DOMAIN,DC=com