What permissions are required for enumerating a user's groups in Active Directory?

On your domain object, you need to assign the querying user the "Read MemberOf" right on User objects.

  • Open AD U&C and browse to your domain object
  • Right click and go to properties:

    [screenshot: adu-n-c-domain]

  • Security tab, click Advanced
  • Click Add
  • Enter the user name to add
  • Click the Properties tab
  • In 'Apply Onto' change the type to User
  • Click the "Read MemberOf" checkbox:

    [screenshot: ldap-read-member-of]

  • OK out of there

That should set it up so that the specified account can read the group memberships of all User accounts in the domain.
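The same ACE the ADUC steps above create, applied from PowerShell as an added example (this is not code from the original answer). It assumes the ActiveDirectory module is available, that the script runs as an account allowed to modify the domain object's DACL, and that the account being granted the right is called svc-ldapreader; both the account name and the domain are placeholders. The schema GUIDs for the memberOf attribute and the user class are looked up rather than hard-coded, and the ACE is scoped to descendant User objects only, matching "Apply onto: User objects" in the GUI.

```powershell
# Added example, not part of the original answer.
# Assumptions: ActiveDirectory module present; 'svc-ldapreader' is a placeholder account.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName            # e.g. DC=corp,DC=example,DC=com
$account  = Get-ADUser -Identity 'svc-ldapreader'       # assumed account name
$sid      = [System.Security.Principal.SecurityIdentifier] $account.SID

# Resolve the schemaIDGUIDs for the memberOf attribute and the User class from the schema NC.
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$memberOfGuid  = [guid] (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=memberOf)' -Properties schemaIDGUID).schemaIDGUID
$userClassGuid = [guid] (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)'     -Properties schemaIDGUID).schemaIDGUID

# Allow ReadProperty on memberOf, inherited by descendant objects of class User only.
# This is the narrowest ACE that satisfies "Read MemberOf" on all users in the domain;
# it does not grant Read on any other attribute or on groups.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberOfGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$domainDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$domainDn" -AclObject $acl

# Verify what was written: show the ACEs on the domain object that name this account.
(Get-Acl -Path "AD:\$domainDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$($account.SamAccountName)" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType
```

In the verification output, ObjectType should be the memberOf GUID and InheritedObjectType the user class GUID; an all-zeros GUID in either column means the ACE was written too broadly (all attributes, or all object classes) and should be removed and re-added.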


I had a similar issue and solved it at another level with a query to AD:

(&(objectClass=group)(objectClass=top)(member=UserDN))

for the "dn" attribute.

As groups are readable by default, this returns the same result as the "memberOf" property.

I know this is not really an answer to the permission question, but I landed here searching for a way to get the memberOf property without a permission change in AD.
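The query from this answer run from PowerShell with DirectorySearcher, as an added example (not code from the original answer). The one thing the answer's one-line filter does not show is that the user DN has to be escaped per RFC 4515 before it is interpolated: a DN such as CN=Smith\, John (Contractor),OU=Users,... contains a backslash and parentheses, which would either break the filter or, if the DN came from untrusted input, let the caller rewrite it. The sample DN below is constructed; the -IncludeNested switch goes beyond the answer's filter by using the LDAP_MATCHING_RULE_IN_CHAIN OID to return nested groups as well, whereas the plain member filter, like memberOf, lists direct membership only.

```powershell
# Added example, not part of the original answer. Sample DN is constructed.
# Assumes the session runs on a domain-joined host, so DirectorySearcher's default
# SearchRoot is the current domain's root.

function ConvertTo-LdapFilterValue {
    # Escape an assertion value per RFC 4515: backslash first, then the other
    # special characters, each replaced by a \xx hex escape.
    param([Parameter(Mandatory)][string] $Value)
    $escaped = $Value.Replace('\', '\5c')
    $escaped = $escaped.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $escaped = $escaped.Replace("`0", '\00')
    return $escaped
}

function Get-GroupsByMemberDn {
    param(
        [Parameter(Mandatory)][string] $UserDn,
        [switch] $IncludeNested   # walk nested groups with LDAP_MATCHING_RULE_IN_CHAIN
    )
    $attr = if ($IncludeNested) { 'member:1.2.840.113556.1.4.1941:' } else { 'member' }
    $filter = "(&(objectClass=group)(objectClass=top)($attr=$(ConvertTo-LdapFilterValue $UserDn)))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $filter
    $searcher.PageSize = 1000                     # paged results, so more than 1000 groups come back
    [void] $searcher.PropertiesToLoad.Add('distinguishedName')

    foreach ($result in $searcher.FindAll()) {
        $result.Properties['distinguishedname'][0]   # property keys are lowercase in the result collection
    }
}

# Constructed DN with an escaped comma and parentheses in the CN; without the
# escaping above the filter would contain an unbalanced ")" and be rejected.
$userDn = 'CN=Smith\, John (Contractor),OU=Users,DC=corp,DC=example,DC=com'

Get-GroupsByMemberDn -UserDn $userDn                   # direct groups, same set as memberOf
Get-GroupsByMemberDn -UserDn $userDn -IncludeNested    # direct plus nested groups
```

Neither form returns the user's primary group (normally Domain Users), because that membership is stored in primaryGroupID rather than in the group's member attribute; the same is true of memberOf, so the two still agree.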