Title: Enumerate a user's Active Directory Security group membership
Question: How can i get all group memberships of an Active Directory user account?
Answer:
This Article based on my Articles in this Community.
-Group Policy Attributes in the Active Directory
-Query against the Active Directory by LDAP
*************************************************************************************
The PrimaryGroupToken and TokenGroups attribute of a user object in the active directory is an constructed attribute, which means that the property is constructed on the client by the Active Directory Service Interface(ADSI) provider and not stored as data in the AD.
The PrimayGroupToken attribute does not enumerate the nested groups! To list all of the security groups that a user object is a member of you must query the TokenGroups attribute. The SID for the group is stored in its binary form in the TokenGroups attribute, is not human-readable and cannot used to bind to the group object in the AD. The SID must be converted to bind to an object.
You have to register the ADsSecurity.dll on the Client that runs the program(run at the command prompt -REGSVR32.EXE ADsSecurity.DLL-) and import this dll into Delphis IDE too. The IADsSID object that is exported by ADsSecurity.dll can be used to convert the binary SID into a Security Account Manager (SAM) account name or a LDAP DN. AdsSecurity.dll is available as part of ADSI Software Development Kit by Microsoft.
******************************************************************************************
procedure Tfm_main.Button1Click(Sender: TObject);
var SQL,DOMAIN,USER,DN,DOM_ID,SPACE:string;
t:_recordset;
n,x:byte;
obj:iadsuser;
grp:array of olevariant ;
SID:IADsSID;
pgrp:IADS;
list:Tstringlist;
begin
DOMAIN:='''LDAP://dc=yourdomain,dc=domainextension''';
listbox2.Clear;
try
//**************************************************************************
// some information of the current logged in user
//***************************************************************************
USER:=''''+username+''''; // current user
SQL:='select displayname,createtimestamp,distinguishedname from '+DOMAIN+' where objectclass='+'''user'''+' and cn='+USER;
cmd.CommandText:=SQL;
t:=cmd.Execute;
// normally the resultset is filled in order of the query
// arguments and starts with 0 the filling of the resultset by
// the DomainController starts with the last search argument of
// the SQL Select order in this example the argument displayname
// is not resultset[0] but resultset[2]
listbox2.Items.Add('Account: '+USER);
listbox2.Items.Add(' -Created at: '+datetostr(t.Fields[1].value)+' '+timetostr(t.Fields[1].value));
listbox2.Items.Add(' -Displayname: '+t.Fields[2].value);
DN:=t.Fields[0].value;
listbox2.Items.Add(' -Distinguishedname: '+DN);
//**************************************************************************
// get primary group membership
// (not confuse to PrimayGroupToken attribute!)
//***************************************************************************
obj:=MKGetObject('LDAP://'+DN) as IAdsuser;
SID:=coADsSID.create;
SID.SetAs(ADS_SID_ACTIVE_DIRECTORY_PATH, 'LDAP://'+DN);
DOM_ID:=SID.GetAs(ADS_SID_SDDL); // get domain RID + user RID
x:=0;
for n:=length(DOM_ID) downto 0 do
if copy(DOM_ID,n,1) '-' then
inc(x)
else
break;
DOM_ID:=copy(DOM_ID,1,length(DOM_ID)-x); //only domain RID is needed
DOM_ID:=DOM_ID+inttostr(obj.Get('primarygroupid'));
SID.SetAs(ADS_SID_SDDL ,DOM_ID);
pgrp:=MKGetObject('LDAP://') as IADS;
listbox2.Items.Add('');
listbox2.Items.Add(' -Primary Group Membership:'+pgrp.Get('cn'));
//******************************************************************
// get security group memberships
//********************************************************************
setlength(grp,1);
grp[0]:='TokenGroups'; //the TokenGroups attribute is by default not in the local cache
obj.GetInfoEx(grp,0); // first load grp[0] into local cache
grp:=obj.get(grp[0]); // get binary code of all groups
list:=tstringlist.Create; // only for alphabetic reading
list.Sorted:=true;
SPACE:=' ';
for n:=0 to high(grp) do begin // convert binary code and bind it to group object
try
SID.SetAs(ADS_SID_RAW,grp[n]);
DOM_ID:=SID.GetAs(ADS_SID_SDDL);
SID.SetAs(ADS_SID_SDDL ,DOM_ID);
DOM_ID:=SID.GetAs(ADS_SID_HEXSTRING);
pgrp:=MKGetObject('LDAP://') as IADS;
list.add(pgrp.Get('cn'));
except
on exception do // maybe group is always deleted
list.add(' ID='+SID.GetAs(ADS_SID_SDDL)+' is missing !!');
end;
end;
listbox2.Items.Add('');
listbox2.Items.Add(' -Member of '+inttostr(list.Count)+' Groups,lines without -(Member)- are nested groups');
for n:=0 to list.Count - 1 do
listbox2.Items.Add(SPACE+list.Strings[n]);
grp:=obj.get('memberof');
for n:=0 to high(grp) do begin
dn:=SPACE+copy(grp[n],4,pos(',',grp[n])-4);
if listbox2.items.IndexOf(dn) -1 then
listbox2.Items.Strings[listbox2.Items.IndexOf(dn)]:=dn+SPACE+SPACE+SPACE+'(Member)';
end;
adoconnection1.Connected:=false;
list.Free;
except
on exception do showmessage('Error');
end;
end;
function Tfm_main.username:string;
var userName: array[1..100] of Char ;
arrSize: DWord;
begin
arrSize := SizeOf(UserName);
GetUserName(@UserName, arrSize);
result:=copy(username,1,arrsize-1);
end;
function Tfm_main.mkGetObject(const Name : String): IDispatch;
var
Moniker : IMoniker;
Eaten : Integer;
BindContext : IBindCtx;
Dispatch : IDispatch;
begin
OleCheck(CreateBindCtx(0, BindContext));
OleCheck(MkParseDisplayName(BindContext, PWideChar(WideString(Name)), Eaten, Moniker));
OleCheck(Moniker.BindToObject(BindContext, NIL, IDispatch, Dispatch));
Result := Dispatch;
end;
end.