Retrieving LDAP Directory Group Members Fully

Querying the “member” attribute of a group in Active Directory or other LDAP directories returns only each member’s distinguished name.  PeopleUpdate, part of Web Active Directory’s PeoplePlatform, lets administrators configure which attribute (for example the email address) is displayed for users when members of a group are being browsed or edited, rather than only the distinguished name, which isn’t very friendly, or the CN, which isn’t always useful.  This article discusses the techniques for doing this.  There isn’t a solution which will meet every need all the time.

Active Directory is Not a Relational Database

Active Directory isn’t a relational database, and this is one place where one wishes it acted like one. We would like to query the “member” attribute and join the results with the user objects, which would give us more user attributes for display.  What are our options for doing this?

Fetch Active Directory Group Members

Complete Solution, but Poor Performance

Two solutions are brute-force approaches: they are complete but perform poorly.

  • Enumerate every user in your directory and check their “memberOf” attribute to see whether they are a member of the group in question, which gives you access to their other attribute(s).  This option works, but in practice querying every user in your directory is too expensive and slow.
  • Enumerate the group to get the list of distinguished names in its “member” attribute, then do a sub-query (lookup) on each user DN to find the other attribute(s).  This option also does the job, but that many queries are impractical and too slow with larger groups.

Better Performance with Tradeoffs

Other solutions have pros and cons from a completeness, simplicity, and performance perspective:

  • Use a query on all users with a “memberOf” filter such as: (&(objectCategory=Person)(memberOf=CN=TheGroup,DC=Domain,DC=com))
    This option performs better than the two brute-force options above: because you filter on “memberOf”, you get only the users you need without any particularly expensive queries.   It won’t get you users whose primary group is the group in question, nor users with transitive membership, i.e. users who belong to a group which is itself a member of that group.  (That is the simple case; there could be several degrees of nesting.)  For those you need:  (|(memberOf:1.2.840.113556.1.4.1941:=CN=TheGroup,DC=Domain,DC=com)(primaryGroupID=GroupRID)) where GroupRID is the group’s RID, the last component of its SID.    This latter solution has the drawback that it, too, may be slow.
  • Use an Attribute Scope Query (ASQ).  For group membership, it’s a way of doing a kind of “join” on the “member” attribute of a particular group to get whichever properties of its members you want.  It takes only two queries:  one to get the group, and one to get its members.  This method can be used with ADSI (https://msdn.microsoft.com/en-us/library/aa746418(v=vs.85).aspx) or with System.DirectoryServices.Protocols (https://msdn.microsoft.com/en-us/library/bb332056.aspx).  This solution will not get you primary group membership, nor will it work across domains.
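The two better-performing techniques above, as an added PowerShell example that is not code from the original article or from Web Active Directory’s PeoplePlatform. It assumes a domain-joined Windows host with the .NET System.DirectoryServices assemblies; the group DN, the server name taken from USERDNSDOMAIN, and the attribute list are placeholders. The first function builds the “memberOf” filter with the nested-membership matching rule and the primaryGroupID clause, deriving the RID from the group’s own objectSid and escaping the DN per RFC 4515 so that a group name containing filter metacharacters cannot change the meaning of the query; the second issues the Attribute Scope Query through System.DirectoryServices.Protocols.

```powershell
# Added example, not code from the original article or from PeoplePlatform.
# Assumptions: domain-joined Windows host; DN, server and attribute names are placeholders.
Add-Type -AssemblyName System.DirectoryServices
Add-Type -AssemblyName System.DirectoryServices.Protocols

# RFC 4515 escaping for a value placed inside an LDAP filter. Without it, a group DN that
# contains '(' ')' '*' '\' or NUL would alter the filter (LDAP filter injection).
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Backslash first, so the escape sequences added afterwards are not escaped again.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# Technique 1: one memberOf query, extended with LDAP_MATCHING_RULE_IN_CHAIN
# (OID 1.2.840.113556.1.4.1941) for nested groups and primaryGroupID for primary-group members.
function Get-GroupMembersByFilter {
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [string[]]$Properties = @('mail', 'displayName', 'distinguishedName')
    )
    # Query 1: the group itself, to learn its SID. The RID (last sub-authority of the SID)
    # is the value AD stores in a user's primaryGroupID attribute.
    $group = [ADSI]("LDAP://" + $GroupDn)
    $sid = New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$group.Properties['objectSid'].Value), 0)
    $rid = $sid.Value.Substring($sid.Value.LastIndexOf('-') + 1)

    $dnValue = ConvertTo-LdapFilterValue -Value $GroupDn
    $filter = "(&(objectCategory=person)(|(memberOf:1.2.840.113556.1.4.1941:=$dnValue)(primaryGroupID=$rid)))"

    # Query 2: all matching users, paged so large groups do not exceed the server's page limit
    # (the article's caveat that this can still be slow applies).
    $rootDse = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.Properties['defaultNamingContext'].Value)
    $searcher.Filter = $filter
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange($Properties)
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $row = [ordered]@{}
            foreach ($p in $Properties) {
                $key = $p.ToLowerInvariant()   # result property names are stored lower-case
                $row[$p] = if ($r.Properties.Contains($key)) { $r.Properties[$key][0] } else { $null }
            }
            [pscustomobject]$row
        }
    } finally {
        $results.Dispose()
        $searcher.Dispose()
    }
}

# Technique 2: an Attribute Scope Query. A base-scope search on the group carrying the ASQ
# control makes the server apply the filter to the objects named in the group's 'member'
# attribute instead of to the group itself, so both queries the article mentions are done here.
function Get-GroupMembersByAsq {
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [string]$Server = $env:USERDNSDOMAIN,   # assumption: the domain DNS name resolves to a DC
        [string[]]$Properties = @('mail', 'displayName', 'distinguishedName')
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    try {
        $conn.SessionOptions.Signing = $true   # sign and seal the session so directory data
        $conn.SessionOptions.Sealing = $true   # cannot be read or altered in transit
        $conn.Bind()                           # current user's credentials (Negotiate)

        $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest($GroupDn, '(objectCategory=person)', $scope, $Properties)
        [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.AsqRequestControl('member')))

        # Limitations as the article states them: primary-group members are not listed in
        # 'member', and members from other domains are not returned by the ASQ.
        $resp = $conn.SendRequest($req)
        foreach ($e in $resp.Entries) {
            $row = [ordered]@{}
            foreach ($p in $Properties) {
                $row[$p] = if ($e.Attributes.Contains($p)) { $e.Attributes[$p][0] } else { $null }
            }
            [pscustomobject]$row
        }
    } finally {
        $conn.Dispose()
    }
}

# Usage (placeholder DN):
# Get-GroupMembersByFilter -GroupDn 'CN=TheGroup,OU=Groups,DC=example,DC=com' | Format-Table
# Get-GroupMembersByAsq    -GroupDn 'CN=TheGroup,OU=Groups,DC=example,DC=com' | Format-Table
```

Running both functions against the same group and comparing the results makes the article’s trade-off visible: the filter version returns primary-group and nested members that the ASQ version omits, while the ASQ version finishes in two requests regardless of directory size.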

No Solution Fits Every Need

Sometimes, when dealing with LDAP directory solutions and Active Directory specifically, no single choice perfectly satisfies every situation.  A good identity management solution picks smart defaults for administrators who don’t know or care about these details, and lets administrators who do care make informed choices based on their needs.  PeoplePlatform is an identity management solution that has intelligent defaults but lets administrators make choices without having to get into the messy details themselves.