In Active Directory LDAP queries there is a concept known as Matching Rules…
From MSDN:
…LDAP defines two matching rule object identifiers (OIDs) that can be used to perform bitwise comparisons of numeric values.
What does that mean? It means we can use a matching rule operator to look up group membership recursively. The rule LDAP_MATCHING_RULE_IN_CHAIN lets us search the member attribute (on group objects) or the memberOf attribute (on user objects) to resolve nested group membership in a single query.
To search for all groups that a user is a member of…
To search for all users that are a member of a group…
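Added example (not code from the original post): it builds both LDAP_MATCHING_RULE_IN_CHAIN filters described above, with RFC 4515 escaping of the DN so a name containing `(` or `*` cannot change the filter's structure, and models offline what the server computes when it evaluates the rule, walking memberOf links until no new groups appear. The directory contents and DNs are constructed sample data; the filters are what you would pass to your LDAP client (e.g. an LDAPFilter parameter or ldap3's search call).

```python
# OID of LDAP_MATCHING_RULE_IN_CHAIN, as documented on MSDN.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))  # e.g. '(' -> '\28'
        else:
            out.append(ch)
    return "".join(out)


def groups_of_user_filter(user_dn: str) -> str:
    """Filter returning every group the user belongs to, directly or nested."""
    dn = escape_filter_value(user_dn)
    return f"(&(objectCategory=group)(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={dn}))"


def members_of_group_filter(group_dn: str) -> str:
    """Filter returning every user in the group, directly or through nesting."""
    dn = escape_filter_value(group_dn)
    return f"(&(objectCategory=user)(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={dn}))"


def transitive_member_of(directory: dict, user_dn: str) -> set:
    """Offline model of the server-side evaluation: follow memberOf links
    from the object until no new group is found (handles cycles)."""
    seen, stack = set(), [user_dn]
    while stack:
        for group in directory.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


# Constructed sample directory: DN -> direct memberOf values.
ALICE = "CN=alice,OU=Users,DC=corp,DC=example"
HELPDESK = "CN=Helpdesk,OU=Groups,DC=corp,DC=example"
IT_STAFF = "CN=IT Staff,OU=Groups,DC=corp,DC=example"
ALL_STAFF = "CN=All Staff,OU=Groups,DC=corp,DC=example"
SAMPLE_DIRECTORY = {
    ALICE: [HELPDESK],        # alice is only a direct member of Helpdesk
    HELPDESK: [IT_STAFF],     # ...but Helpdesk is nested in IT Staff
    IT_STAFF: [ALL_STAFF],    # ...which is nested in All Staff
    ALL_STAFF: [IT_STAFF],    # a nesting cycle, which AD tolerates
}
```

A plain `(memberOf=<dn>)` filter would return only Helpdesk for alice; the chain rule (and the model above) returns all three groups, which is why it matters when auditing who effectively holds a group's rights.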
Note: You may need to supply a credential when querying group membership depending on the security configuration of your domain.