Query to list all users of a certain group

Question

How can I use a a search filter to display users of a specific group?

I've tried the following:

(&     (objectCategory=user)     (memberOf=MyCustomGroup) ) 

and this:

(&     (objectCategory=user)     (memberOf=cn=SingleSignOn,ou=Groups,dc=tis,dc=eg,dc=ddd,D‌​C=com) )    

but neither display users of a specific group.

Answer 1

memberOf (in AD) is stored as a list of distinguishedNames. Your filter needs to be something like:

(&(objectCategory=user)(memberOf=cn=MyCustomGroup,ou=ouOfGroup,dc=subdomain,dc=domain,dc=com)) 

If you don't yet have the distinguished name, you can search for it with:

(&(objectCategory=group)(cn=myCustomGroup)) 

and return the attribute distinguishedName. Case may matter.

Answer 2

For Active Directory users, an alternative way to do this would be -- assuming all your groups are stored in OU=Groups,DC=CorpDir,DC=QA,DC=CorpName -- to use the query (&(objectCategory=group)(CN=GroupCN)). This will work well for all groups with less than 1500 members. If you want to list all members of a large AD group, the same query will work, but you'll have to use ranged retrieval to fetch all the members, 1500 records at a time.

The key to performing ranged retrievals is to specify the range in the attributes using this syntax: attribute;range=low-high. So to fetch all members of an AD Group with 3000 members, first run the above query asking for the member;range=0-1499 attribute to be returned, then for the member;range=1500-2999 attribute.