Finding Recursive AD Memberships

by Dec 30, 2015

Active Directory understands a strange-looking LDAP filter operator: the OID 1.2.840.113556.1.4.1941. It is called "matching rule in chain" (LDAP_MATCHING_RULE_IN_CHAIN) and makes the domain controller walk the membership chain server-side, so a single query returns nested memberships that would otherwise need a recursive series of lookups.

All you need is the distinguished name (DN) of a member. Applied to the member attribute, the filter returns every group that contains that DN either directly or through any depth of nested groups:

#requires -Version 3 -Modules ActiveDirectory

# DN of the user, computer or group whose effective group memberships you want.
# A DN containing backslash, parentheses or asterisk must be escaped per RFC 4515 before it goes into the filter.
$DN = 'place DN here!'
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($DN))"

Since this is plain LDAP filter syntax, you can also run it without the ActiveDirectory module, straight from the System.DirectoryServices classes in .NET:

$DN = 'place DN here!'
$strFilter = "(member:1.2.840.113556.1.4.1941:=$DN)"

# RootDSE tells us the naming contexts; rootDomainNamingContext is the forest root domain
# (use defaultNamingContext instead to search the domain this host is joined to)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry('LDAP://rootDSE')
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($objDomain.rootDomainNamingContext)")
$objSearcher.PageSize = 1000      # paged search, otherwise the DC caps the result at its MaxPageSize
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = 'Subtree'

$colProplist = 'name', 'distinguishedName'
foreach ($i in $colPropList) {
  $null = $objSearcher.PropertiesToLoad.Add($i)
}

$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults) {
  $objItem = $objResult.Properties   # every property comes back as a collection, hence [0]
  [PSCustomObject]@{
    Name = $objItem['name'][0]
    DN   = $objItem['distinguishedname'][0]
  }
}
$colResults.Dispose()
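The same operator works in the other direction: put it on memberOf with a group's DN and the DC returns everything that is transitively a member of that group, which is the question you actually ask when auditing who is effectively a Domain Admin. The function below is an added example, not code from the original post; it wraps both directions of the chain filter over System.DirectoryServices, and adds the RFC 4515 escaping that the snippets above skip (a DN such as CN=Smith\, John,OU=Users,DC=corp,DC=example contains a backslash that would otherwise be read as the start of a filter escape sequence). The function names ConvertTo-LdapFilterValue and Get-ChainedMembership and the sample DN are this example's own choices; it assumes a domain-joined host with a DC reachable over LDAP.

```powershell
# Added example, not part of the original post. Helper names are chosen here,
# not built-in cmdlets. Assumes a domain-joined host with LDAP access to a DC.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value embedded in an LDAP filter.
    # Backslash is replaced first so the escapes added afterwards are not re-escaped.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-ChainedMembership {
    # Walks the membership chain on the DC using LDAP_MATCHING_RULE_IN_CHAIN.
    #   -Direction GroupsOf  : every group that transitively contains -DistinguishedName
    #   -Direction MembersOf : every object that is transitively a member of the group -DistinguishedName
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [ValidateSet('GroupsOf', 'MembersOf')][string]$Direction = 'GroupsOf',
        # Search base; defaults to the domain this host is joined to (defaultNamingContext).
        # The DC walks the chain only inside the naming context it is asked to search, and
        # domain local groups exist only in their own domain, so cross-domain nesting needs
        # one query per domain.
        [string]$SearchBase
    )

    $escaped = ConvertTo-LdapFilterValue -Value $DistinguishedName
    $filter = switch ($Direction) {
        'GroupsOf'  { "(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=$escaped))" }
        'MembersOf' { "(memberOf:1.2.840.113556.1.4.1941:=$escaped)" }
    }

    if (-not $SearchBase) {
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
        $SearchBase = $rootDse.Properties['defaultNamingContext'][0]
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
    $searcher.Filter = $filter
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize = 1000   # paged results: a large privileged group can exceed MaxPageSize
    foreach ($p in 'name', 'distinguishedName', 'objectClass', 'sAMAccountName') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $props = $r.Properties   # keys come back lower-cased; each value is a collection
            $sam = if ($props['samaccountname'].Count -gt 0) { $props['samaccountname'][0] } else { $null }
            # objectClass lists the whole class hierarchy (top, person, ..., user); the last entry is the most specific
            $class = $props['objectclass'][$props['objectclass'].Count - 1]
            [PSCustomObject]@{
                Name              = $props['name'][0]
                SamAccountName    = $sam
                ObjectClass       = $class
                DistinguishedName = $props['distinguishedname'][0]
            }
        }
    }
    finally {
        $results.Dispose()
    }
}

# Usage (sample DN constructed for this example): every non-group object that is effectively
# a member of Domain Admins, however deeply nested.
Get-ChainedMembership -Direction MembersOf -DistinguishedName 'CN=Domain Admins,CN=Users,DC=corp,DC=example' |
    Where-Object { $_.ObjectClass -ne 'group' }
```

Two caveats when you read the output as an access-control audit. First, membership held through primaryGroupID (by default Domain Users for users and Domain Computers for computers) is not stored in the group's member attribute, so neither direction of the chain filter reports it. Second, the chain walk is done by the DC for every query; against a large group it is noticeably heavier than a plain equality filter, so run it with paging enabled and do not put it inside a loop that fires once per user.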

