How to Query Active Directory Group Members Without Domain Admin Privileges or DC Access


2 views

When working in enterprise environments, you often need to check Active Directory group memberships but might lack domain admin rights or direct access to domain controllers. This is common for developers writing automation scripts or troubleshooting applications.

Here are several approaches you can use depending on your environment:

1. Using ADSI with Limited Permissions

Even with standard user permissions, you can often query basic group information:

# PowerShell example
$group = [ADSI]"LDAP://CN=Developers,OU=Groups,DC=domain,DC=com"
$group.Member | ForEach-Object {
    [ADSI]"LDAP://$_" | Select-Object sAMAccountName, distinguishedName
}

2. Utilizing Global Catalog

The Global Catalog (port 3268) often allows limited queries:

# C# example using DirectorySearcher
using (DirectoryEntry entry = new DirectoryEntry("GC://dc=domain,dc=com"))
{
    using (DirectorySearcher searcher = new DirectorySearcher(entry))
    {
        searcher.Filter = "(&(objectCategory=group)(cn=Developers))";
        searcher.PropertiesToLoad.Add("member");
        
        SearchResult result = searcher.FindOne();
        if (result != null)
        {
            ResultPropertyValueCollection members = result.Properties["member"];
            foreach (string member in members)
            {
                Console.WriteLine(member);
            }
        }
    }
}

3. Delegated Permissions via Application

If you're developing an application, request read-only permissions to specific groups:

// Python example with ldap3
from ldap3 import Server, Connection, ALL

server = Server('ldap://domain.com', get_info=ALL)
conn = Connection(server, user='app_user@domain.com', password='password', auto_bind=True)
conn.search('dc=domain,dc=com', '(cn=Developers)', attributes=['member'])

for entry in conn.entries:
    print(entry.member.values)

If queries fail, check these potential roadblocks:

  • Network connectivity to domain controllers
  • DNS resolution of domain names
  • Firewall rules blocking LDAP (389) or Global Catalog (3268) ports
  • Account lockout policies affecting service accounts

Always follow these best practices:

  • Never hardcode credentials in scripts
  • Use encrypted connections (LDAPS on 636 or GC over SSL on 3269)
  • Request only the minimum permissions needed
  • Cache results when possible to reduce AD queries

When troubleshooting access issues or auditing security groups in Active Directory, you often need to check group membership without having Domain Admin privileges or direct access to domain controllers. This is a common scenario for helpdesk staff, application owners, or security analysts.

The most practical approach is using PowerShell with the ActiveDirectory module, which can query AD from any domain-joined machine:


# Basic group membership query
Get-ADGroupMember -Identity "FinanceTeam" -Recursive |
Select-Object name, objectClass | Format-Table -AutoSize

# Alternative using Get-ADGroup with -Properties Members
Get-ADGroup -Identity "FinanceTeam" -Properties Members |
Select-Object -ExpandProperty Members |
Get-ADObject | Select-Object Name, ObjectClass

For environments where the AD module isn't available, use LDAP queries:


$searcher = [System.DirectoryServices.DirectorySearcher]::new()
$searcher.Filter = "(&(objectCategory=group)(cn=FinanceTeam))"
$searcher.PropertiesToLoad.Add("member")

$result = $searcher.FindOne()
$result.Properties["member"]

If PowerShell isn't an option, consider these alternatives:

  • ADExplorer from Sysinternals - Works with standard user credentials
  • ADUC (Active Directory Users and Computers) console with proper delegated permissions
  • DSQuery command-line tool (legacy but still effective)

The ability to view group members depends on these AD permissions:

  • Read permissions on the group object
  • List Contents permission
  • Read Members permission (for nested groups)

Standard users typically have these permissions for most groups.

Here's how to build a complete reporting script that accounts for potential permission issues:


function Get-GroupMembersRecursive {
    param (
        [string]$GroupName,
        [int]$Depth = 5
    )
    
    try {
        $group = Get-ADGroup -Identity $GroupName -Properties Member
        $members = $group.Member | ForEach-Object {
            $object = Get-ADObject $_ -Properties objectClass
            if ($object.objectClass -eq 'group' -and $Depth -gt 0) {
                Get-GroupMembersRecursive -GroupName $object.Name -Depth ($Depth - 1)
            }
            else {
                $object | Select-Object Name, ObjectClass, DistinguishedName
            }
        }
        return $members
    }
    catch {
        Write-Warning "Error processing $GroupName : $_"
    }
}

# Usage
Get-GroupMembersRecursive -GroupName "ProjectTeam" | Export-CSV -Path "GroupMembers.csv" -NoTypeInformation
  • Use -Credential parameter if running under different security context
  • Add -Server parameter to specify a domain controller
  • For large groups, implement pagination with -ResultPageSize
  • Use -ErrorAction SilentlyContinue for partial results when some objects are inaccessible