Get Domain user membership for local group - c++

I have a local group on my computer Grp1 to which I want to check membership of domain users. I have already used NetUserGetLocalGroups for this. But the problem I encounter is when the domain user is not a direct member of the group Grp1. For example, let's say there are two domain groups, DomainGrp1 and DomainGrp2. Now, my user DomainUser1 is part of group DomainGrp2, DomainGrp2 is part of DomainGrp1, and DomainGrp1 is part of the local group Grp1. If I use NetUserGetLocalGroups in the aforementioned scenario, the API doesn't enumerate Grp1 for DomainUser1, but in actuality DomainUser1 is part of Grp1 indirectly.
Also please note that if DomainUser1 is directly a member of DomainGrp1 instead of DomainGrp2 (with DomainGrp1 being a member of Grp1), the API enumerates Grp1 perfectly. Could somebody help me with this problem?
I have tried impersonation using LogonUser API. But the problem I have is when the user is marked for changing password at next log on. Then the API returns false and hence I cannot get the impersonation token.
PS: I don't want to use any Directory Services API.
I could find similar problem on MSDN link

Related

Google Directory API : manage invitation and request to join

Is there an API that lets an application send invitations and requests to join a group?
I have checked the Google Directory API at https://developers.google.com/admin-sdk/directory/v1/reference/, but all I can find is the members API that lets an application directly add members.
What I am looking for is :
- to send a request to join a group,
- to list, accept or reject such requests,
- to send an invitation to join a group,
- to list, accept or reject such invitation.
I had no luck checking the reference; a Google search and a search on Stack Overflow also turned up nothing. Does anyone know if such an API even exists, and if so, where can I find the documentation?
Currently there seems to be no ad-hoc API method for that. The currently supported group operations can be found in Directory API: Group Members, namely: add member, update group membership, retrieve a group member, retrieve all group members and delete member. You'd have to implement the other functionalities you mentioned.

Get list of all LDAP group memberships

I'm using FreeIPA as an LDAP-backend for my flask-app. So far I've used flask-simpleldap with OpenLDAP to get the group membership of a user, which works fine with the following options:
LDAP_BASE_DN="dc=myrealm,dc=com"
LDAP_REALM_NAME="MyFunRealm"
LDAP_OBJECTS_DN="dn"
LDAP_USER_OBJECT_FILTER="(&(objectclass=inetorgperson)(uid=%s))"
LDAP_GROUP_MEMBERS_FIELD="member"
LDAP_GROUP_OBJECT_FILTER="(&(objectclass=groupofnames)(member=%s))"
LDAP_GROUP_MEMBER_FILTER="member=%s"
LDAP_GROUP_MEMBER_FILTER_FIELD="cn"
I want to change the LDAP structure of my users to place groups inside groups, but the above settings only give the users' "first level" group. (Sorry, I'm unfamiliar with LDAP and its terminology.)
How can I change the query/filter to get a list of all groups the user is a member of through group-in-group membership?
I don't think it is possible considering your setup (i.e. flask + openldap).
OpenLDAP does not (from my knowledge) have a built-in mechanism to filter on nested groups.
And flask does the request for you, so you can't implement the recursive search easily.
In other directories (AD for example) you can specify the extensible matching rule for filtering nested groups, something along these lines:
(&(objectclass=groupofnames)(member:1.2.840.113556.1.4.1941:=%s))
But this specific extensible matching rule does not exist in OpenLDAP.
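The recursive search mentioned in the answer above, written out client-side as an added example (not code from the post or from flask-simpleldap): it issues the question's group filter once per nesting level, escapes the DN per RFC 4515, and stops on membership loops. The `search` callable, `fake_search` and the sample directory are assumptions constructed for illustration.

```python
import re
from collections import deque

# Filter template taken from the question's LDAP_GROUP_OBJECT_FILTER setting.
GROUP_FILTER = "(&(objectclass=groupofnames)(member=%s))"

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515) so a DN that
    contains ( ) * or a backslash cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def all_groups(member_dn, search, max_depth=16):
    """Return every group DN holding member_dn directly or through nesting.

    search(filter_string) is an assumed callable that runs one LDAP search
    and returns the DNs of the matching group entries.
    """
    seen = set()                      # also stops loops (A in B, B in A)
    queue = deque([(member_dn, 0)])
    while queue:
        dn, depth = queue.popleft()
        if depth >= max_depth:        # bound the work on very deep nesting
            continue
        for group_dn in search(GROUP_FILTER % escape_filter_value(dn)):
            key = group_dn.lower()    # DNs compare case-insensitively here
            if key not in seen:
                seen.add(key)
                queue.append((key, depth + 1))
    return seen

# Constructed sample directory: group DN -> DNs of its direct members.
BASE = "dc=myrealm,dc=com"
DIRECTORY = {
    "cn=admins," + BASE: ["cn=ops," + BASE],
    "cn=ops," + BASE: ["cn=oncall," + BASE, "cn=admins," + BASE],  # loop
    "cn=oncall," + BASE: ["uid=alice (ops)," + BASE],
    "cn=staff," + BASE: ["uid=bob," + BASE],
}

def fake_search(filter_string):
    """Stand-in for the LDAP server: evaluates GROUP_FILTER on DIRECTORY."""
    m = re.fullmatch(r"\(&\(objectclass=groupofnames\)\(member=(.*)\)\)", filter_string)
    wanted = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
    return [g for g, members in DIRECTORY.items()
            if wanted.lower() in (x.lower() for x in members)]

if __name__ == "__main__":
    print(sorted(all_groups("uid=alice (ops)," + BASE, fake_search)))
```

When the result feeds an authorization decision, the depth bound and the loop check matter as much as the recursion: a group that contains itself through another group would otherwise keep the lookup running.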

Get Hometown information from members group

I want to use Graph API to get Hometown information from members of a specific group.
How can I do it?
I am retrieving Name without problem but not the other fields.
On graph explorer I try this string :
GET GROUP-ID-NUMBER/members?fields=name
But if I use this string, I get only the Administrator, ID and Name fields:
GET GROUP-ID-NUMBER/members?
I want to make group statistics and I also want to know the members' hometown.
To get more information, members of the group must authorize your app with the correct permissions for Hometown. You must also be a member of the same group for that purpose. So you need to have an app, and you will get correct information only for those members who authorize your app.

Proper way to handle removing a member from a group in REST

I'm designing a REST service which organizes groups and users.
For example:
GET /groups - gets all the groups
GET /groups/1 - gets a specific group
GET /groups/1/users - gets the users in the group
GET /users/1 - the actual user, which may be in multiple groups
POST /groups/1/users - with the post parameters of user_id=1 to add a user to a group
What would be the appropriate way to handle this?
DELETE /groups/1/users/1 seems to be a valid way to do it but then the GET to the same url would return the user record which is a duplicate of the resource /user/1?
or should it be DELETE /groups/1/users?user_id=1?
Wondering which is the most RESTful way to do this.
I think that a good design would make explicit the membership of a user within a particular group - as a separate resource. So, there are groups, users, and the membership of a user within a group.
Therefore, GET /groups/1/users would return a list of membership resource identifiers: /groups/1/users/{member_id} on which you could do a DELETE. Each of these "memberships" is of course associated with a particular user, so you would have to somehow know which member_id is associated with which user_id. The easiest way to do this is to make member_id have the same semantics as user_id, as you suggest in the question (so /groups/1/users/1 means "user 1's membership in group 1"). Following that, if you do a GET on /groups/1/users/{member_id} you could just redirect to /users/{user_id}. Or in a more complex example, this resource would not redirect to a user but link to it and also include some other information, for example the date when the user joined the group, her status in the group, etc.
The other option I can think of would utilize the PATCH method to modify the collection resources (/groups/1/users): see https://www.rfc-editor.org/rfc/rfc5023. But using a DELETE seems more natural.

Determining Cross Domain Active Directory Group Membership

I am currently working on a project where I need to query Active Directory to determine group membership of a user. I initially was locating the user and retrieving the memberOf attribute. The problem with this is that there is a domain and a child domain. The groups are universal groups so they can be used in both domains and they don't show up in the memberOf attribute. Unfortunately there doesn't seem to be much info around for Active Directory access with C++. Is there any way to determine group membership in this case in C++?
If you are using managed C++, you can use UserPrincipal.GetAuthorizationGroups.
If you are not using managed C++, to solve this particular problem, you should bind to the Global Catalog and do an LDAP search on the member attribute of the group object to find out which Universal Groups contain the user. You should limit your search by specifying the groupType, objectCategory and objectClass.
However, like I mentioned in another post, group enumeration in general is very hard to do right. If you just need to find out all the groups a user belongs to, your best bet is to use S4USelf.