Query AD Group Membership Recursively Through SQL
Background
I\'m creating some SQL to assist with security auditing; this will take security info from various systems databases and from Active Dire
-
Though this is an old post, Google still likes to toss it to the top of the results, so as I struggled with this same problem a great deal, I wanted to post my findings/solution, with credit to Riverway for getting me on the right track.
Create a Stored Procedure:
CREATE PROCEDURE [dbo].[GetLdapUserGroups] ( @LdapUsername NVARCHAR(max) ) AS BEGIN DECLARE @Query NVARCHAR(max), @Path NVARCHAR(max) SET @Query = ' SELECT @Path = distinguishedName FROM OPENQUERY(ADSI, '' SELECT distinguishedName FROM ''''LDAP://DC=DOMAIN,DC=COM'''' WHERE objectClass = ''''user'''' AND sAMAccountName = ''''' + @LdapUsername + ''''' '') ' EXEC SP_EXECUTESQL @Query, N'@Path NVARCHAR(max) OUTPUT', @Path = @Path OUTPUT SET @Query = ' SELECT cn AS [LdapGroup] FROM OPENQUERY (ADSI, ''Then, call your SP by just passing the username:
DECLARE @UserGroup table (LdapGroup nvarchar(max)) INSERT INTO @UserGroup exec Datamart.dbo.GetLdapUserGroups @LdapUserI'm then using a hash table to correctly match the AD group to the SQL data and what the end user should see.
DECLARE @RptPermissions table (ldapGroup nvarchar(max),scholarshipCode nvarchar(50),gender nvarchar(2)) INSERT INTO @RptPermissions VALUES('EMP_Enrollment_Admissions','ALL','MF')In my case, I'm using this to pull the SSRS user variable and pass it into the query for selecting the records based on AD group membership.
;WITH CTE_Permissions AS ( SELECT p.scholarshipCode ,p.gender FROM @UserGroup AS g JOIN @RptPermissions AS p ON g.ldapGroup = p.ldapGroup )... Later in the query
JOIN CTE_Permissions AS p ON s.SCHOLARSHIP_ID = p.scholarshipCode OR p.scholarshipCode = 'ALL'Hope this helps.
加载中...
- 热议问题