
Create Watchlist populated with members of Active Directory Group

I am seeking to create a new Watchlist which is automatically populated with the Usernames of the members of a specified group within Active Directory.

Within Add Watchlist, I have selected the following:

Main Tab --> Dynamic

Source Tab --> LDAP

Query Tab --> ???

Values Tab --> Source User

I am seeking assistance by seeing an example to enter into the Query box on the Query Tab, with sAMAccountName entered as the Lookup Attribute.

Thank you.

12 Replies
staschler

Re: Create Watchlist populated with members of Active Directory Group

Here are a few sample AD queries:

Disabled User accounts

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

All users belonging to a particular named group (in this case SIEM)

(&(objectcategory=Person)(memberof=CN=SIEM,CN=Users,DC=MY-LAB,DC=com)(sAMAccountName=*))

All members of the Domain Admin Group

(&(objectcategory=Person)(memberof=CN=Domain Admins,CN=Users,DC=MY-LAB,DC=com)(sAMAccountName=*))
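The three filters above are hand-written for one group each. As an added example (not from the original post and not McAfee ESM code), the following Python builds the same filters from their parts, escapes group names and DN components that would otherwise break the filter syntax (a group called "Ops (Tier 1)" or "Sales, EMEA"), and goes one step beyond the page's filters on the same topic: a plain memberOf match returns direct members only and never lists a user's primary group, so a Domain Admins watchlist built that way misses members of nested groups and any account whose primaryGroupID was pointed at RID 512. The LDAP_MATCHING_RULE_IN_CHAIN rule and the primaryGroupID term close both gaps. Group names, the MY-LAB.com and corp.example domains, and all helper names are assumptions made for the example.

```python
"""Assemble AD/LDAP filters with correct escaping (added example, not from
the original post or from McAfee ESM). Group names, domains and helper
names are assumptions made for the example."""
from typing import Optional

# Microsoft extensible-match rule OIDs and the userAccountControl bit for
# a disabled account (the rule and bit used by the "disabled users" filter).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"
UF_ACCOUNTDISABLE = 0x0002


def escape_dn_value(value: str) -> str:
    """Escape one RDN value per RFC 4514: ',', '+', '"', '\\', '<', '>', ';',
    a leading '#', and a leading or trailing space get a backslash."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515: '*', '(', ')', '\\' and NUL
    become a backslash plus two hex digits, so a value cannot change the
    filter structure. A DN goes through escape_dn_value first and then
    through here, so its own backslashes become '\\5c'."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def group_dn(cn: str, container: str, domain: str) -> str:
    """Build a group DN such as CN=SIEM,CN=Users,DC=MY-LAB,DC=com."""
    dcs = ",".join("DC=" + escape_dn_value(p) for p in domain.split("."))
    return f"CN={escape_dn_value(cn)},{container},{dcs}"


def and_filter(*terms: str) -> str:
    return "(&" + "".join(terms) + ")"


def users_in_group(dn: str, nested: bool = False,
                   primary_group_rid: Optional[int] = None) -> str:
    """Filter for user objects that belong to the group with DN `dn`.

    nested=True switches memberOf to the LDAP_MATCHING_RULE_IN_CHAIN form so
    members of groups nested inside `dn` are found too (plain memberOf is
    direct membership only). primary_group_rid adds users whose primary
    group is this group (512 = Domain Admins): memberOf never lists the
    primary group, so a memberOf-only watchlist would miss such an account.
    """
    attr = "memberOf" + (f":{LDAP_MATCHING_RULE_IN_CHAIN}:" if nested else "")
    membership = f"({attr}={escape_filter_value(dn)})"
    if primary_group_rid is not None:
        membership = f"(|{membership}(primaryGroupID={int(primary_group_rid)}))"
    return and_filter("(objectCategory=person)", "(objectClass=user)", membership)


def disabled_users() -> str:
    """Users with the ACCOUNTDISABLE bit set, via the bitwise-AND rule."""
    return and_filter(
        "(objectCategory=person)",
        "(objectClass=user)",
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})",
    )


def is_well_formed(flt: str) -> bool:
    """Cheap syntax check before pasting a filter into a tool: parentheses
    balance and there is exactly one top-level filter. '(a=1)(b=2)' fails;
    RFC 4515 requires it to be written as '(&(a=1)(b=2))'."""
    depth = top_level = 0
    for ch in flt:
        if ch == "(":
            if depth == 0:
                top_level += 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and top_level == 1 and flt.startswith("(") and flt.endswith(")")


if __name__ == "__main__":
    admins = group_dn("Domain Admins", "CN=Users", "MY-LAB.com")
    for f in (users_in_group(admins),
              users_in_group(admins, nested=True, primary_group_rid=512),
              users_in_group(group_dn("Ops (Tier 1)", "OU=Groups", "MY-LAB.com")),
              disabled_users()):
        print(is_well_formed(f), f)
```

The nested form is more expensive for the directory server than a plain memberOf match, so use it where the watchlist actually needs transitive membership (privileged groups) rather than on every list.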

Re: Create Watchlist populated with members of Active Directory Group

Worked perfect, thank you!

Re: Create Watchlist populated with members of Active Directory Group

A follow up question:

I also need to populate a Watchlist with the sAMAccountName of the members of an OU. When I execute the following string, I do NOT receive an error. Rather, the query comes back blank, even though there are indeed user accounts located in the specified OU.

Could you help me identify the error in my query below so I can correct it?

Thank you.

(&(objectcategory=Person)(memberof=OU=PrivilegedUsers,OU=North,DC=ChildDom,DC=RootDom,DC=com)(sAMAccountName=*))

Message was edited by: planting_acorns on 1/23/14 3:39:27 PM CST
mepplin

Re: Create Watchlist populated with members of Active Directory Group

Here is an example of an enrichment query I have to create a list of users who belong to a specific OU, in this case a group called compliance.

(memberof=CN=compliance,CN=Users,DC=mfe,DC=demo,dc=local)

The lookup attribute is set to sAMAccountName as well. The end of your query with the sAMAccountName=* is repetitive, as when we generate the query, the lookup attribute gets appended to the query.

Try your query as follows and it should work for you:

(objectcategory=Person)(memberof=OU=PrivilegedUsers,OU=North,DC=ChildDom,DC=RootDom,DC=com)

You may also need to change the OU= to CN=. While it is technically an OU, it may be represented as a Common Name in your AD schema.

Mike

rth67

Re: Create Watchlist populated with members of Active Directory Group

This feature does not work when trying to pull members of a given OU. I tried it last year, could not get it to work, opened a support ticket, they could not get it to work, escalated to Tier 3, they could not get it to work. They told me to open a PER, not the answer I was looking for.

jscholte (McAfee Employee)

Re: Create Watchlist populated with members of Active Directory Group

Hi rth67,

To clarify your need for searching within OUs, the ESM will query from the root of the LDAP tree. In order to query an OU, we need the ability to change the base DN in the ESM. This will allow you to query for objects within a specific OU.

Filtering for an OU is not possible using the query syntax given above.

Just thought I'd add that in case you wanted to add it to the PER. It's similar to what someone asked about here (Microsoft link -- ldap_query all users in one OU).

When querying LDAP, the LDAP server expects the DN syntax; otherwise the user@domain works too. I would suggest simplifying your query. Here is a list of common queries that might help with understanding the syntax:

Common LDAP Queries

If you run a tcpdump on the ESM, you should see what the error is as well.

Best Regards,

Jon
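The point made above, that an OU is selected by the search base rather than by a filter term, is easy to see against a few directory entries. As an added example (not from the original post and not McAfee ESM code), the Python below models the two things an LDAP client does here: matching a memberOf assertion, and scoping a search under a base DN with onelevel or subtree scope, comparing DNs the way LDAP does (attribute types and AD DN values case-insensitive, whitespace around commas ignored, escaped commas kept inside their RDN). Run against the constructed entries, the thread's `(memberof=OU=PrivilegedUsers,...)` returns nothing because memberOf only ever holds group DNs, while the same user filter with the OU as base DN returns the accounts inside it. The entries, OU and account names are made up for the example.

```python
"""Base DN vs. memberOf for 'users in an OU' (added example, not from the
original post or from McAfee ESM). Entries, OU and account names below
are constructed for the example."""
from typing import Dict, List

OU_DN = "OU=PrivilegedUsers,OU=North,DC=ChildDom,DC=RootDom,DC=com"
ADMINS_DN = "CN=Domain Admins,CN=Users,DC=ChildDom,DC=RootDom,DC=com"

# Constructed sample directory: DN -> the attributes this example looks at.
ENTRIES: Dict[str, dict] = {
    OU_DN: {"objectClass": ["organizationalUnit"]},
    "CN=alice,OU=PrivilegedUsers,OU=North,DC=ChildDom,DC=RootDom,DC=com":
        {"objectClass": ["user"], "sAMAccountName": "alice", "memberOf": [ADMINS_DN]},
    "CN=bob,OU=Service,OU=PrivilegedUsers,OU=North,DC=ChildDom,DC=RootDom,DC=com":
        {"objectClass": ["user"], "sAMAccountName": "bob", "memberOf": []},
    "CN=carol,OU=Staff,OU=South,DC=ChildDom,DC=RootDom,DC=com":
        {"objectClass": ["user"], "sAMAccountName": "carol", "memberOf": []},
}


def _normalise_rdn(rdn: str) -> str:
    attr, _, value = rdn.strip().partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def split_dn(dn: str) -> List[str]:
    """Split a DN into normalised RDNs on unescaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape pairs such as '\,'
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return [_normalise_rdn(r) for r in rdns]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if entry_dn lies under base_dn for the given search scope:
    'onelevel' = direct children only, 'subtree' = base and everything below."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    if scope == "onelevel":
        return len(entry) == len(base) + 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def _is_user(attrs: dict) -> bool:
    return "user" in attrs.get("objectClass", [])


def users_with_memberof(entries: Dict[str, dict], dn: str) -> List[str]:
    """What '(memberof=<dn>)' asks for: users whose memberOf holds `dn`.
    memberOf only ever contains group DNs, so an OU DN matches nothing
    even though users sit inside that OU."""
    want = split_dn(dn)
    return sorted(a["sAMAccountName"] for a in entries.values()
                  if _is_user(a) and any(split_dn(g) == want for g in a.get("memberOf", [])))


def users_under_base(entries: Dict[str, dict], base_dn: str, scope: str = "subtree") -> List[str]:
    """What a search with the OU as base DN returns: the filter stays a plain
    user filter; the OU is chosen by the search base, not by an attribute."""
    return sorted(a["sAMAccountName"] for dn, a in entries.items()
                  if _is_user(a) and in_scope(dn, base_dn, scope))


if __name__ == "__main__":
    print("memberOf=OU     :", users_with_memberof(ENTRIES, OU_DN))            # []
    print("memberOf=group  :", users_with_memberof(ENTRIES, ADMINS_DN))        # ['alice']
    print("base=OU subtree :", users_under_base(ENTRIES, OU_DN))               # ['alice', 'bob']
    print("base=OU onelevel:", users_under_base(ENTRIES, OU_DN, "onelevel"))   # ['alice']
```

The scope choice matters for a watchlist: subtree also picks up accounts in child OUs (bob under OU=Service), which may or may not be what the list is meant to cover.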

rth67

Re: Create Watchlist populated with members of Active Directory Group

Just a side note - pulling the members of a Group is possible, however pulling the users that reside in a given OU is not supported by Microsoft.

Re: Create Watchlist populated with members of Active Directory Group

Every time I try to do this, I get an error: Received malformed data (ER1010)

Using ESM 9.5

(attached screenshot: siemSCR.png)

Can anyone help?

feeeds

Re: Create Watchlist populated with members of Active Directory Group

I am still working on getting the query to work, but I did get the "received malformed data" error to go away. Change the authentication to be user@domain.com vs. just the AD user. Once I did that it seemed to be accepted by AD; just my query syntax is still wrong.
