
Get groups of a user from Active Directory from PC that is NOT part of domain

ralfiii
1#
ralfiii, published 2018-01-10 15:12:48Z

I need to get a list of the groups a specific user is a member of. Normally I can do that using NetUserGetGroups; here is the code:

function GetLDapUserGroups(UserName, DomainName : string) : TStringList;
// Net API calls; with the JEDI units these live in JwaLmAccess, JwaLmApibuf,
// JwaLmCons (MAX_PREFERRED_LENGTH) and JwaLmErr (NERR_SUCCESS)
var bufptr : Pointer;
  ServerName : String;
  EntriesRead : DWord;
  TotalEntries : DWord;
  buf : Pbyte;
  PGlobalGroupInfo : PGroupInfo0;
  i : integer;
begin
     result:=TStringList.Create;

     // get servername: NetGetAnyDCName returns '\\server' in a buffer allocated
     // by the API, which must be released with NetAPIBufferFree
     // if problems occur maybe set param2 to nil
     bufptr := nil;
     if NetGetAnyDCName(nil, PWideChar(DomainName), bufptr) <> NERR_SUCCESS then
        Exit;  // no DC found: return the empty list
     ServerName := PWideChar(bufptr);
     NetAPIBufferFree(bufptr);
     Delete(ServerName, 1, 2);  // remove starting '\\' from server Name

     buf := nil;
     if NetUserGetGroups( PWideChar(ServerName), PWideChar(UserName), 0, buf, MAX_PREFERRED_LENGTH,
                          @EntriesRead, @TotalEntries)=NERR_SUCCESS then
     begin
          PGlobalGroupInfo := PGroupInfo0(buf);

          // Store group names in list (Integer cast keeps 0 - 1 from
          // wrapping around when the user is in no global group)
          for i:=0 to Integer(EntriesRead) - 1 do
          begin
               result.Add(PGlobalGroupInfo^.grpi0_name);
               inc(PGlobalGroupInfo);
          end;
          // the buffer is only allocated when the call succeeded
          NetAPIBufferFree(buf);
     end;
end;

but this does not work if my program is running on a PC that is not part of the AD domain. Obviously it is possible: I tried LDAP Administrator (by Softerra), and there it works.

I tried:

  • JclWin32.NetUserGetGroups - Nope. (I can understand that this does not work, since I can't pass the user's password here. Works fine from a PC that is on the domain.)
  • JwaLmAccess.NetUserGetLocalGroups - Nope. Also no possibility to pass a password.
  • NetApi.GetNetUserGroups - same story here.
  • CreateOleObject('ADODB.Command')... - Nope.

I just managed to check the password from a non-domain PC (see "Check username/password in Active Directory from PC that is NOT part of domain"), so I tried executing the commands while signed on, but this also failed.

Looking around in the Jedi sources, I came across the function "JwaWinLDAP.ldap_search_sW". To me that smells promising, as I could pass the LDAP token from the sign-on. However, I didn't find any code samples on how to search a user's groups. Is this function the direction I should continue looking in?

Can anyone push me in the right direction please? :) Thanks!

R. Hoek
2#
R. Hoek, replied 2018-01-15 08:01:51Z

Before you can query the AD, you must first log on with a user that has rights to access that AD.

Using a token based on a local user logon will almost surely not give you access to querying the AD.
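The following is an added example, not code from ralfiii or R. Hoek, showing the direction the question asks about and the point the reply makes: from a machine outside the domain, bind to a DC with explicit domain credentials and then use ldap_search_sW to find the user's groups. It assumes the JEDI JwaWinLDAP unit (the wrapper for wldap32.dll; the PLDAP, PLDAPMessage and PPWideChar pointer types used below follow the WinLDAP C API and should be checked against the declarations in your JEDI version), a Unicode Delphi (2009 or later), and a DC host name and search base supplied by the caller (the DCHost and BaseDN parameters are assumptions, e.g. 'dc01.example.com' and 'DC=example,DC=com'). The function names GetUserGroupsViaLdap, SearchValues and LdapFilterEscape are hypothetical. It binds with LDAP_AUTH_NEGOTIATE rather than a simple bind so the password is not sent in clear text, escapes the user-supplied account name before it is placed in the filter, and resolves nested membership with the LDAP_MATCHING_RULE_IN_CHAIN rule, which memberOf alone would not give:

```delphi
uses Windows, SysUtils, Classes, JwaWinLDAP;  // JwaWinLDAP: JEDI wrapper for wldap32 (assumed)

const
  LDAP_MATCHING_RULE_IN_CHAIN = '1.2.840.113556.1.4.1941';  // transitive "member" matching
  SEC_WINNT_AUTH_IDENTITY_UNICODE = 2;

type
  // SEC_WINNT_AUTH_IDENTITY_W from sspi.h, declared locally to avoid an SSPI unit dependency
  TSecWinntAuthIdentityW = record
    User: PWideChar;     UserLength: ULONG;
    Domain: PWideChar;   DomainLength: ULONG;
    Password: PWideChar; PasswordLength: ULONG;
    Flags: ULONG;
  end;

// RFC 4515 escaping for values embedded in a filter, so input such as
// 'x)(objectClass=*' cannot rewrite the query (LDAP injection)
function LdapFilterEscape(const Value: string): string;
var c: Char;
begin
  Result := '';
  for c in Value do
    if CharInSet(c, ['*', '(', ')', '\', #0]) then
      Result := Result + '\' + IntToHex(Ord(c), 2)
    else
      Result := Result + c;
end;

// One subtree search; returns every value of Attr over all matching entries
function SearchValues(ld: PLDAP; const BaseDN, Filter, Attr: string): TStringList;
var
  wBase, wFilter, wAttr: WideString;
  attrs: array[0..1] of PWideChar;  // NULL-terminated attribute list
  res, entry: PLDAPMessage;
  vals, p: PPWideChar;
  rc: ULONG;
begin
  Result := TStringList.Create;
  wBase := BaseDN; wFilter := Filter; wAttr := Attr; res := nil;
  attrs[0] := PWideChar(wAttr); attrs[1] := nil;
  rc := ldap_search_sW(ld, PWideChar(wBase), LDAP_SCOPE_SUBTREE, PWideChar(wFilter),
                       PPWideChar(@attrs[0]), 0, res);
  if rc <> LDAP_SUCCESS then
    raise Exception.CreateFmt('ldap_search_sW failed: 0x%x', [rc]);
  try
    entry := ldap_first_entry(ld, res);
    while entry <> nil do
    begin
      vals := ldap_get_valuesW(ld, entry, attrs[0]);  // NULL-terminated value array
      p := vals;
      while (p <> nil) and (p^ <> nil) do begin Result.Add(p^); Inc(p); end;
      if vals <> nil then ldap_value_freeW(vals);
      entry := ldap_next_entry(ld, entry);
    end;
  finally
    ldap_msgfree(res);
  end;
end;

// Groups (direct and nested) of Domain\UserName, queried from a non-member machine
// by binding with explicit credentials (DCHost/BaseDN are caller-supplied assumptions)
function GetUserGroupsViaLdap(const DCHost, BaseDN, Domain, UserName, Password: string): TStringList;
var
  ld: PLDAP;
  ident: TSecWinntAuthIdentityW;
  wHost, wUser, wDomain, wPass: WideString;
  version, rc: ULONG;
  dn: TStringList;
begin
  wHost := DCHost; ld := ldap_initW(PWideChar(wHost), LDAP_PORT);
  if ld = nil then raise Exception.Create('ldap_initW failed');
  try
    version := LDAP_VERSION3;
    ldap_set_optionW(ld, LDAP_OPT_PROTOCOL_VERSION, @version);
    // Negotiate (Kerberos/NTLM) keeps the password off the wire, unlike a simple bind on port 389
    wUser := UserName; wDomain := Domain; wPass := Password;
    FillChar(ident, SizeOf(ident), 0);
    ident.User := PWideChar(wUser);     ident.UserLength := Length(wUser);
    ident.Domain := PWideChar(wDomain); ident.DomainLength := Length(wDomain);
    ident.Password := PWideChar(wPass); ident.PasswordLength := Length(wPass);
    ident.Flags := SEC_WINNT_AUTH_IDENTITY_UNICODE;
    rc := ldap_bind_sW(ld, nil, PWideChar(@ident), LDAP_AUTH_NEGOTIATE);
    if rc <> LDAP_SUCCESS then raise Exception.CreateFmt('ldap_bind_sW failed: 0x%x', [rc]);
    // 1. sAMAccountName -> distinguishedName; the user-supplied name is escaped first
    dn := SearchValues(ld, BaseDN,
      '(&(objectClass=user)(sAMAccountName=' + LdapFilterEscape(UserName) + '))', 'distinguishedName');
    try
      if dn.Count <> 1 then raise Exception.CreateFmt('expected one user, found %d', [dn.Count]);
      // 2. every group whose member chain reaches that DN (memberOf would list direct groups only)
      Result := SearchValues(ld, BaseDN, '(&(objectCategory=group)(member:' +
        LDAP_MATCHING_RULE_IN_CHAIN + ':=' + LdapFilterEscape(dn[0]) + '))', 'sAMAccountName');
    finally
      dn.Free;
    end;
  finally
    ldap_unbind(ld);
  end;
end;
```

The bind works from a non-member machine because the credentials are passed explicitly instead of being taken from the local logon session; the account used only needs read access to the user and group objects, which ordinary domain users have by default. If the DC enforces LDAP signing, set LDAP_OPT_SIGN (and LDAP_OPT_ENCRYPT) to LDAP_OPT_ON with ldap_set_optionW before the bind, or connect over LDAPS (port 636) instead; the search base can be read from the rootDSE attribute defaultNamingContext rather than hard-coded.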

