The command below displays all attributes for each entry where both
simple filters are true, matching on attributes
objectClass and sAMAccountName
(in this case, the group's name).
ldapsearch \
'( &
(objectClass=group)
(sAMAccountName=SOME_GROUP_NAME)
)' \
'*' +
Microsoft maintains documentation with lists and descriptions of
attributes. Note that the lists show CNs (common names), and the LDAP
display name may differ. E.g., CN SAM-Account-Name
corresponds to LDAP attribute sAMAccountName, and
CN Is-Member-Of-DL corresponds to LDAP attribute
memberOf. Below is a list of relevant links.
A command like the one below will list possible attributes for a group.
ldapsearch \
-b 'CN=Schema,CN=Configuration,DC=example,DC=com' \
-s one \
'( &
(objectClass=classSchema)
(cn=group)
)' \
'*' +
Microsoft Active Directory distinguishes between two types of groups
through attribute sAMAccountType:
268435456 (0x10000000): SAM_GROUP_OBJECT
    e.g., under OU=Application Access Groups,OU=Groups,DC=foo,DC=example,DC=com
    e.g., used to control permissions
268435457: SAM_NON_SECURITY_GROUP_OBJECT
    e.g., under OU=Distribution Groups,OU=Groups,DC=foo,DC=example,DC=com
    e.g., used for email distribution lists
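When auditing which groups can actually carry permissions, it helps to sort ldapsearch output by sAMAccountType. The script below is an added example, not part of the original page: it parses LDIF as ldapsearch prints it (folded long lines, base64 "attr::" values, the trailing search/result block) and labels each group with the constant names listed above. The group names and the sample output are constructed for illustration.

```python
import base64

# sAMAccountType values for groups, as listed on this page.
GROUP_TYPES = {268435456: "SAM_GROUP_OBJECT",
               268435457: "SAM_NON_SECURITY_GROUP_OBJECT"}

# Constructed sample of ldapsearch output (group names are made up).
SAMPLE = """\
# extended LDIF
dn: CN=App-Payroll-Admins,OU=Application Access Groups,OU=Groups,DC=foo,DC=exa
 mple,DC=com
sAMAccountName: App-Payroll-Admins
sAMAccountType: 268435456

dn: CN=All-Staff,OU=Distribution Groups,OU=Groups,DC=foo,DC=example,DC=com
sAMAccountName:: QWxsLVN0YWZm
sAMAccountType: 268435457

search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attr: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:               # the extra blank line flushes the last entry
        if not line.strip():
            if "dn" in entry:               # drops the "search:/result:" trailer block
                entries.append(entry)
            entry = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>" encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr, []).append(value.strip())
    return entries

def classify_groups(text):
    """Map each group's sAMAccountName to the name of its sAMAccountType."""
    return {e["sAMAccountName"][0]: GROUP_TYPES.get(int(e["sAMAccountType"][0]), "other")
            for e in parse_ldif(text)
            if "sAMAccountType" in e and "sAMAccountName" in e}
```

To use it on real data, pass the text printed by a group search that requests sAMAccountName and sAMAccountType to classify_groups().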