Read JIT group memberships


In LDP.EXE, add the custom control 1.2.840.113556.1.4.2309 (LDAP_SERVER_LINK_TTL_OID) to the search (based on https://secureidentity.se/msds-shadowprincipal/).

This works when expanding the tree as well as with “Advanced” or “Asynchronous” searches. The equivalent PowerShell script:

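# Read JIT (time-limited) group memberships over LDAP.
# The LDAP_SERVER_LINK_TTL_OID control (1.2.840.113556.1.4.2309) makes the DC return
# dynamic link values together with their remaining lifetime, as "<TTL=seconds>,<DN>".
$dc = "devdc01.esmobile.metabpa.org"
$rootDN = "OU=ESMOBILE,DC=esmobile,DC=metabpa,DC=org"
$filter = "(objectClass=group)"
[string[]] $attributesToGet = @("member","name")
$linkTtlOid = "1.2.840.113556.1.4.2309"

# Add-Type replaces the deprecated Assembly::LoadWithPartialName.
Add-Type -AssemblyName System.DirectoryServices.Protocols

[DirectoryServices.Protocols.LdapConnection] $ldapConn = New-Object DirectoryServices.Protocols.LdapConnection($dc)
try {
    $ldapConn.AuthType = [DirectoryServices.Protocols.AuthType]::Kerberos
    # Sign and seal the session so the returned membership data cannot be read or
    # tampered with in transit.
    $ldapConn.SessionOptions.Signing = $true
    $ldapConn.SessionOptions.Sealing = $true

    # The control carries no payload, so the value is passed as $null explicitly
    # (the original relied on an undefined $val). isCritical=$true makes the DC reject
    # the search instead of silently returning members without their TTL prefix.
    [System.DirectoryServices.Protocols.DirectoryControl] $jit_ctr = New-Object System.DirectoryServices.Protocols.DirectoryControl($linkTtlOid, $null, $true, $true)

    [DirectoryServices.Protocols.SearchRequest] $ldapRequest = New-Object DirectoryServices.Protocols.SearchRequest($rootDN, $filter, 'SubTree', $attributesToGet)
    $ldapRequest.Controls.Add($jit_ctr)

    # NOTE: no paging control is attached, so a result set larger than the DC's
    # MaxPageSize (1000 by default) fails with SizeLimitExceeded; add a
    # PageResultRequestControl loop for large OUs.
    [DirectoryServices.Protocols.SearchResponse] $ldapResponse = $ldapConn.SendRequest($ldapRequest)

    foreach ($entry in $ldapResponse.Entries) {
        $entry.DistinguishedName
        # For a group with no members the 'member' attribute is expected to be $null,
        # and foreach over $null performs no iterations.
        foreach ($mship in $entry.Attributes['member']) {
            $mstring = [System.Text.Encoding]::UTF8.GetString($mship)
            # Only dynamic (TTL-bearing) memberships are reported; static ones are skipped.
            if ($mstring -match "^<TTL=(\d+)>,") {
                $mstring
            }
        }
    }
}
finally {
    # LdapConnection is IDisposable; release the network session even if the search throws.
    $ldapConn.Dispose()
}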