Active Directory成员的membersOf组（嵌套的memberOf） [英] Active Directory membersOf membersOf Group (nested memberOf)

问题描述

让我从Active Directory的基本布局开始：

Let me start with a basic layout of our Active Directory:

DC=com
    DC=example
        OU=Groups
            CN=MaxGroups
            CN=MaxAdmins
            CN=MaxSupers
            CN=MaxTechs
            ...
        OU=ServiceAccounts
            CN=maxadmin
            CN=maxreg
            CN=mxintadm
            ...
        OU=Users
            CN=userA
            CN=userB
            ...

我们的配置方式是MaxAdmins组，MaxSupers组和MaxTechs组是MaxGroups组的所有成员（我们必须以此方式来满足某些公司准则）。我们有3个服务帐户（maxadmin，maxreg和mxintadm）以及属于这三个组（MaxAdmins，MaxSupers和MaxTechs）之一的一堆用户。我需要开发的是两个查询。一种是获取组（很简单），一种是获取属于这些组之一的所有用户。

The way we have it configured is that the MaxAdmins group, MaxSupers group, and MaxTechs group are all members of the MaxGroups group (we HAD to do it this way to meet certain company guidelines). We have 3 services accounts (maxadmin, maxreg, and mxintadm) as well as a bunch of users that are members of one of those three groups (MaxAdmins, MaxSupers, and MaxTechs). What I needed to develop was two queries. One to get the groups (that was easy) and one to get all the users that are members of one of those groups.

现在我知道我可以做一个用户查询，例如：

Now I know that I could do a User query like:

(&
    (objectcategory=user)
    (|
        (memberOf=CN=MaxAdmins,...)
        (memberOf=CN=MaxSuper,...)
        (memberOf=CN=MaxTech,...)
    )
)

但是，在将来，我们可能会添加更多的组，而我不想继续使用更多或组更新用户查询。我想像下面这样的伪代码来做到这一点：

However, in the future, we may be adding more groups and I don't want to have to keep updating the User query with more "OR"'d groups. I'd like to do it like this "pseudocode" below:

Users that are members of a group that is a member of MaxGroups.

本质上，我想要一个查询，该查询将查找属于MaxGroups的所有组，然后查找任何这些组中任何一个的用户。这可能吗？我在Google搜索 nested memberOf中遇到的所有事情都是关于尝试生成用户所属的所有组的列表，而不是生成属于该组成员的用户的列表！

Essentially I want a query that would find all groups that are part of MaxGroups and then a list of any user that is a member of any of those groups. Is this possible? Everything I've come across in a ton of Google search for "nested memberOf" is about trying to generate a list of all groups that a user is a member of, NOT a list of users that are members of a member of a group!

任何帮助都将不胜感激！

Any and all help would be greatly appreciated!

谢谢！

推荐答案

看看链内匹配规则- https://msdn.microsoft.com/zh-CN/library/aa746475（v = vs.85）.aspx 。这将为您提供所需的东西。

Take a look at the in-chain matching rule - https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx. This will get you what you want.

这篇关于Active Directory成员的membersOf组（嵌套的memberOf）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！