I am trying to get all the members of a group in two different Active Directories (AD) domains of the same company.
To do that, I first get the full Distinguished Name (DN) of each group from the Active Directory Users and Computers (ADUC) Attribute Editor as specified here.
The first group DN is:
`CN=first-group,OU=organization-unit-name,DC=first,DC=company,DC=com`
The second group DN is:
`CN=second-group,OU=$Customer,OU=one,OU=two,OU=three,OU=four,DC=second,DC=company,DC=com`
Then I use the two following LDAP query filters in C# (I also tried them in ADUC).
For the domain first.company.com and the first-group I apply the following filter:
`(&(objectCategory=*)(memberOf=CN=first-group,OU=organization-unit-name,DC=first,DC=company,DC=com))`
And I get 123 results, as expected.
For the domain second.company.com and the second-group I apply the following filter:
`(&(objectCategory=*)(memberof=second-group,OU=$Customer,OU=one,OU=two,OU=three,OU=four,DC=second,DC=company,DC=com))`
However, now I get only one result. This is not what was expected.
I do know alternate ways to find the expected result in ADUC by clicking on the Members tab once the second-group is selected, but I need an LDAP filter to do it because I want to get the results in C#.
Does anybody know what the $Customer is doing? What does the dollar sign mean in general in an LDAP filter?
I tried the filter without OU=$Customer but it returns no results.
Thanks for the help!
There are two LDAP queries that will work for Microsoft Active Directory. This one resolves all members (including nested security groups; requires at least Windows 2003 SP2):
Or to retrieve only users:
If you only want direct members, drop the ":1.2.840.113556.1.4.1941:" from each query.
In an LDAP filter, the $ means "$" (i.e. it is just a character).
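Added example, not code from the question or the answer: a small Python model of the filters discussed above. It builds the `memberOf` filter for a group DN with and without the `1.2.840.113556.1.4.1941` in-chain rule quoted in the answer, escapes the DN per RFC 4515 (which shows that `$` is not a special character and needs no escaping), checks that the value is a full DN before it is used, and resolves membership over a constructed in-memory directory so the direct-versus-nested difference is visible offline. The two group DNs are the ones from the question; the entries in `SAMPLE_DIRECTORY`, the helper names and the `(objectCategory=person)(objectClass=user)` clause used for the users-only variant are my additions.

```python
"""Added example: build Active Directory memberOf filters and model them offline."""
import re

# RFC 4515: only these characters are special inside a filter value.
# '$' is not one of them, so it passes through unchanged.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# LDAP_MATCHING_RULE_IN_CHAIN (OID quoted in the answer): follows nested groups.
IN_CHAIN = "1.2.840.113556.1.4.1941"

# Group DNs taken from the question.
FIRST_GROUP = "CN=first-group,OU=organization-unit-name,DC=first,DC=company,DC=com"
SECOND_GROUP = "CN=second-group,OU=$Customer,OU=one,OU=two,OU=three,OU=four,DC=second,DC=company,DC=com"

# Constructed sample entries (not real directory data): dn -> (objectClass, memberOf).
SUB_GROUP = "CN=sub-group,OU=$Customer,OU=one,OU=two,OU=three,OU=four,DC=second,DC=company,DC=com"
SAMPLE_DIRECTORY = {
    "CN=alice,OU=$Customer,OU=one,OU=two,OU=three,OU=four,DC=second,DC=company,DC=com": ("user", [SECOND_GROUP]),
    SUB_GROUP: ("group", [SECOND_GROUP]),
    "CN=bob,OU=$Customer,OU=one,OU=two,OU=three,OU=four,DC=second,DC=company,DC=com": ("user", [SUB_GROUP]),
    "CN=ws01,OU=one,OU=two,OU=three,OU=four,DC=second,DC=company,DC=com": ("computer", [SECOND_GROUP]),
    "CN=carol,OU=organization-unit-name,DC=first,DC=company,DC=com": ("user", [FIRST_GROUP]),
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_full_dn(dn: str) -> bool:
    """memberOf holds complete DNs, so every comma-separated component
    (commas escaped with a backslash are not separators) must be type=value."""
    parts = re.split(r"(?<!\\),", dn)
    return bool(dn) and all("=" in p and p.split("=", 1)[0].strip() for p in parts)


def members_filter(group_dn: str, nested: bool = True, users_only: bool = False) -> str:
    """Return the filter for members of group_dn.

    nested=True uses the in-chain matching rule from the answer; nested=False
    drops it and matches direct members only. users_only adds the person/user
    clauses (my addition) so groups and computers are excluded.
    """
    if not is_full_dn(group_dn):
        raise ValueError(f"memberOf needs a full DN (every component type=value): {group_dn!r}")
    rule = f":{IN_CHAIN}:" if nested else ""
    clauses = [f"(memberOf{rule}={escape_filter_value(group_dn)})"]
    if users_only:
        clauses = ["(objectCategory=person)", "(objectClass=user)"] + clauses
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"


def resolve_members(directory: dict, group_dn: str, nested: bool = True, users_only: bool = False) -> list:
    """Offline model of what the two filters return: direct members are entries
    whose memberOf lists the group; with nested=True, groups found along the way
    are followed as well (what the in-chain rule does server-side)."""
    wanted = {group_dn}
    found = set()
    changed = True
    while changed:
        changed = False
        for dn, (obj_class, member_of) in directory.items():
            if dn in found or not (wanted & set(member_of)):
                continue
            found.add(dn)
            changed = True
            if nested and obj_class == "group":
                wanted.add(dn)
    if users_only:
        found = {dn for dn in found if directory[dn][0] == "user"}
    return sorted(found)


if __name__ == "__main__":
    for group in (FIRST_GROUP, SECOND_GROUP):
        print(members_filter(group, nested=False))
        print(members_filter(group, nested=True, users_only=True))
        print("direct:", len(resolve_members(SAMPLE_DIRECTORY, group, nested=False)),
              "nested:", len(resolve_members(SAMPLE_DIRECTORY, group, nested=True)))
```

The filter string is identical for both domains apart from the DN itself; the only thing that changes when the DN contains `$` is nothing, since `escape_filter_value` leaves it alone. The real-directory equivalent of `resolve_members` is sending the filter from `members_filter` to a domain controller of the domain that holds the group, with a search base at or above the group's OU.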