
Get groups of a user from Active Directory from PC that is NOT part of domain

user2349, published April 26, 2018, 5:16 pm

I need to get a list of groups a special user is member of. Normally I can do that using NetUserGetGroups, here's the code:

function GetLDapUserGroups(UserName, DomainName : string) : TStringList;
var bufptr : Pointer;
  ServerName : String;
  EntriesRead : DWord;
  TotalEntries : DWord;
  buf : Pbyte;
  PGlobalGroupInfo : PGroupInfo0;
  i : integer;
begin
     result:=TStringList.Create;

     // get servername (any domain controller of the domain)
     // if problems occur maybe set param2 to nil
     bufptr := nil;
     NetGetAnyDCName(nil, PWideChar(DomainName), bufptr);
     ServerName := PWideChar(bufptr);
     if bufptr <> nil then
          NetAPIBufferFree(bufptr);  // free the buffer allocated by NetGetAnyDCName
     Delete(ServerName, 1, 2);  // remove starting '\\' from server Name

     // initialise outputs so nothing undefined is read or freed if the call fails
     buf := nil;
     EntriesRead := 0;
     TotalEntries := 0;
     if NetUserGetGroups( PWideChar(ServerName), PWideChar(UserName), 0, buf, MAX_PREFERRED_LENGTH,
                          @EntriesRead, @TotalEntries)=NERR_SUCCESS then
     begin
          PGlobalGroupInfo := PGroupInfo0(buf);

          // Store group names in list
          for i:=0 to Integer(EntriesRead) - 1 do
          begin
               result.Add(PGlobalGroupInfo^.grpi0_name);
               inc(PGlobalGroupInfo);
          end;
     end;
     // only free the result buffer if one was actually allocated
     if buf <> nil then
          NetAPIBufferFree(buf);
end;

but this does not work if my program is running on a PC that is not part of the AD domain. Obviously it's possible: I tried using LDAP Administrator (by Softerra), and there it works.

I tried:

  • JclWin32.NetUserGetGroups - Nope. (I can understand this does not work, I can't pass the user's password here. Works fine from a PC that is on the domain.)
  • JwaLmAccess.NetUserGetLocalGroups - Nope. Also no possibility to pass a password
  • NetApi.GetNetUserGroups - same story here
  • CreateOleObject('ADODB.Command')... - Nope

I just managed to check the password from a non-domain PC (see Check username/password in Active Directory from PC that is NOT part of domain), so I tried executing the commands when signed on, but this also failed.

Looking around in the Jedi sources, I came across the function "JwaWinLDAP.ldap_search_sW". For me that smells promising as I could pass the LDAP token from the sign-on. However, I didn't find any code samples on how to search a user's groups. Is this function the way I should continue to look at?

Can anyone push me in the right direction please? :) Thanks!
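
If the ldap_search_sW route mentioned in the question is followed, the user name ends up inside an LDAP search filter, and Active Directory returns the user's groups as distinguished names in the memberOf attribute. The following is an added example, not part of the original post, written in Python rather than Delphi so that it runs offline; the function names and sample DNs are constructed. It builds an RFC 4515 escaped filter and extracts the group names from memberOf values:

```python
import string

# RFC 4515: characters that must be written as \XX inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def user_filter(sam_account_name):
    """Filter that matches one AD user by logon name, with the name escaped."""
    safe = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in sam_account_name)
    return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))" % safe

def _first_rdn(dn):
    """Return the leftmost RDN, stopping at the first comma that is not escaped."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2          # skip the escaped character
        elif dn[i] == ",":
            return dn[:i]
        else:
            i += 1
    return dn

def _unescape(value):
    """Undo RFC 4514 escaping: backslash + char, and backslash + hex pair (UTF-8 bytes)."""
    out, i = bytearray(), 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] == "\\" and len(pair) == 2 and all(c in string.hexdigits for c in pair):
            out.append(int(pair, 16))
            i += 3
        elif value[i] == "\\" and i + 1 < len(value):
            out += value[i + 1].encode("utf-8")
            i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")

def group_names(member_of):
    """Map memberOf values (group DNs) to the groups' common names."""
    rdns = (_first_rdn(dn).partition("=") for dn in member_of)
    return [_unescape(value) for attr, _, value in rdns if attr.strip().upper() == "CN"]

# Constructed sample values, not taken from a real directory.
SAMPLE_MEMBER_OF = [
    "CN=Domain Admins,CN=Users,DC=example,DC=com",
    r"CN=Sales\, EMEA,OU=Groups,DC=example,DC=com",
    r"CN=Z\c3\bcrich Staff,OU=Groups,DC=example,DC=com",
]
```

memberOf lists direct memberships only and omits the user's primary group (usually Domain Users, referenced through primaryGroupID).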
