Kinetic Community

Listing AD Groups for a User When Only SAMAccountName is Known

First challenge: list all of the Active Directory groups the logged-in user belongs to in a menu.

Second challenge: do this knowing only their short ('sAMAccountName') username.

This article addresses both issues at once, showing how to search AD for groups, and how to do it when only the sAMAccountName is known.

Usage

Solving this is just a two step process during execution:

Step 1: Retrieve the user's DN (Distinguished Name) using their sAMAccountName, placing it somewhere it can then be accessed and used.

Step 2: Retrieve the user's groups using that DN and place them in the menu.

But it takes a few more steps to set up the process:

Step 1: Install a bridge to the relevant LDAP if there is not one installed already.

Step 2: Import the attached Employee and Group (LDAP) Models and associated mappings. Be sure to update the Bridge Name in the mappings to be the name of the bridge you have installed in your system.

In the system used in this example, the user's Remedy Login ID is their sAMAccountName. This is used in the By Login Qualification mapping to find their DN (distinguished name). To get down into the nuts and bolts a little, the full query looks like this:

(&(objectCategory=Person)(sAMAccountName=<%=parameter["Login"]%>)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

This searches for a Person object whose sAMAccountName equals the Login ID. This part of the query, (!(UserAccountControl:1.2.840.113556.1.4.803:=2)), means "the account is not disabled": 1.2.840.113556.1.4.803 is the bitwise AND matching rule, and 2 is the ACCOUNTDISABLE bit of userAccountControl. Details on this type of searching in Active Directory can be found here.

The group query searches for groups using that DN:

(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=<%=parameter["dn"]%>))

What does 1.2.840.113556.1.4.1941 mean? It means search recursively. So if the user is a member of the DL - Engineering group, and the DL - Engineering group is a member of the DL - All Employees group, then both DL - Engineering and DL - All Employees will be returned instead of just DL - Engineering. More details about LDAP searching and filters can be found here.
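As an added example (not part of this article or of the Kinetic bridge), the following Python builds the two filters above and evaluates their matching rules against a small constructed in-memory directory, so the bitwise-AND (…803) and in-chain (…1941) behaviour can be checked offline. The escaping function is an added precaution for values spliced into a filter from a parameter; the directory entries, DNs and logins are constructed sample data.

```python
ACCOUNTDISABLE = 0x2  # userAccountControl bit the ...803 (bitwise AND) rule tests
USERS, GROUPS = "OU=Users,DC=example,DC=com", "OU=Groups,DC=example,DC=com"
ALICE, BOB = "CN=Alice Example," + USERS, "CN=Bob Example," + USERS
ENG, ALL = "CN=DL - Engineering," + GROUPS, "CN=DL - All Employees," + GROUPS
DIRECTORY = {  # constructed sample: enabled user, disabled user, nested groups
    ALICE: {"objectCategory": "Person", "sAMAccountName": "aexample",
            "userAccountControl": 512},
    BOB: {"objectCategory": "Person", "sAMAccountName": "bexample",
          "userAccountControl": 512 | ACCOUNTDISABLE},
    ENG: {"objectClass": "group", "member": [ALICE, BOB]},
    ALL: {"objectClass": "group", "member": [ENG]},  # ENG is nested inside ALL
}

def escape_filter_value(value):
    """RFC 4515 escaping. The article's mapping splices parameter["Login"] in
    verbatim; this added step keeps a login like 'a)(x=*' from altering the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def user_filter(login):
    """The By Login Qualification filter from the article, with the login escaped."""
    return ("(&(objectCategory=Person)(sAMAccountName=%s)"
            "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
            % escape_filter_value(login))

def group_filter(dn):
    """The group filter from the article, with the DN escaped."""
    return "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%s))" % escape_filter_value(dn)

def find_user_dn(login, directory=DIRECTORY):
    """Evaluate user_filter locally: Person, matching sAMAccountName, ACCOUNTDISABLE clear."""
    for dn, attrs in directory.items():
        if (attrs.get("objectCategory") == "Person"
                and attrs.get("sAMAccountName") == login
                and not attrs.get("userAccountControl", 0) & ACCOUNTDISABLE):
            return dn
    return None

def groups_in_chain(dn, directory=DIRECTORY):
    """Evaluate group_filter locally: every group whose member chain reaches dn
    (what the ...1941 in-chain rule returns). The found list makes it cycle-safe."""
    found, pending = [], [dn]
    while pending:
        current = pending.pop()
        for gdn, attrs in directory.items():
            if (attrs.get("objectClass") == "group" and gdn not in found
                    and current in attrs.get("member", [])):
                found.append(gdn)
                pending.append(gdn)
    return found
```

Running find_user_dn("aexample") followed by groups_in_chain on the result returns both DL - Engineering and DL - All Employees, while the disabled user "bexample" is never resolved to a DN.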

Step 3: Set up a question with an advanced default that uses the Employee bridge to retrieve the logged-in user's DN, using the username/Login ID they logged in with.

(Screenshot: ExampleDNQuestion.png)

Step 4: Set up an On Load event on the page to populate the desired menu with the groups, using that defaulted question as the parameter value for the Group LDAP bridge.

(Screenshot: ExampleLoadEvent.png)

Example

The attached service item and pair of bridge models/mappings are an example of this. The service item is not in any catalog; attach it to one of your sandbox/development catalogs if you want to test it out.

A reminder that this example expects the sAMAccountName to equal the Remedy Login ID. If this is not the case in your system, you'll need to modify this example to match your system's requirements before it will work.