通过 SQL 查询运行 LDAP 查询，返回 AD 中活动用户的列表，以及他们所属的、以 GRP-XP% 开头的组
SQL query that runs an LDAP query to return an AD listing of active users and the groups they are assigned to that start with GRP-XP%
我正在尝试编写一个 SQL 语句，按用户所属的用户组来控制报告标题中多个数据库的选择。这是为了在运行 SSRS 报告时限制数据库选择的安全性，使用户只能选择他们有权访问的分支或分支组。到目前为止，我可以返回单个用户的组结果。我想获取所有活动 AD 用户及其类似 GRP-XP% 的组的列表。下面是我目前的脚本，它只适用于单个用户名。最终这个表会传给 PowerBI，所以我需要完整的用户名/用户组表列表。
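-- Resolve one AD account to its distinguishedName, then list the GRP-XP* groups it
-- belongs to, directly or through nesting (LDAP_MATCHING_RULE_IN_CHAIN,
-- OID 1.2.840.113556.1.4.1941, as in the original query).
--
-- OPENQUERY accepts only a string constant, so both directory queries are built as
-- dynamic SQL. Every value spliced into that text is escaped twice: once for the LDAP
-- filter (RFC 4515: \ * ( ) become \5c \2a \28 \29) and once for the T-SQL literal that
-- carries the filter to the linked server (' doubled). Without this, a name such as
-- O'Brien, or a DN with an escaped comma (CN=Smith\, John), breaks the statement or
-- lets the value terminate the literal and inject into the dynamic SQL.
DECLARE @username VARCHAR(MAX) = 'ssmith';
-- NVARCHAR(MAX): a long DN plus the surrounding query text can exceed 1024 characters,
-- and a silently truncated @Query fails at execution or runs with a partial filter.
DECLARE @Query NVARCHAR(MAX), @Path NVARCHAR(1024);
DECLARE @sam NVARCHAR(256), @pathFilter NVARCHAR(MAX);
DECLARE @groups TABLE (Name NVARCHAR(256));

-- Strip the 'domain\' prefix as before; any other backslash is escaped and will simply
-- not match an account.
SET @sam = REPLACE(@username, 'domain\', '');
SET @sam = REPLACE(REPLACE(REPLACE(REPLACE(@sam, '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29');
SET @sam = REPLACE(@sam, '''', '''''');

-- Look up the account in LDAP dialect (same dialect as the group query below).
-- objectCategory=person excludes computer accounts, which are also objectClass=user;
-- the bitwise rule on userAccountControl (OID 1.2.840.113556.1.4.803, bit 2 =
-- ACCOUNTDISABLE) drops disabled accounts, so a disabled user gets no groups.
SET @Query = N'
SELECT @Path = distinguishedName
FROM OPENQUERY(CSAD, ''<LDAP://DC=Domain,DC=co,DC=uk>;(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=' + @sam + N'));distinguishedName;subtree'')';
-- sys.sp_executesql in lower case: the upper-case name fails on case-sensitive collations.
EXEC sys.sp_executesql @Query, N'@Path NVARCHAR(1024) OUTPUT', @Path = @Path OUTPUT;

-- No (enabled) account found: return an empty set instead of executing a NULL statement.
IF @Path IS NOT NULL
BEGIN
    -- Escape the DN for the LDAP filter first, then for the literal that carries it.
    SET @pathFilter = REPLACE(REPLACE(REPLACE(REPLACE(@Path, '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29');
    SET @pathFilter = REPLACE(@pathFilter, '''', '''''');

    -- The GRP-XP prefix test is pushed into the LDAP filter so only matching groups are
    -- returned. SUBSTRING(cn, 8, ...) strips the first 7 characters (presumably
    -- 'GRP-XP-') without erroring on a 6-character cn the way RIGHT(cn, LEN(cn)-7) did;
    -- the original REPLACE of space with space was a no-op and is dropped.
    SET @Query = N'
SELECT SUBSTRING(cn, 8, LEN(cn))
FROM OPENQUERY(CSAD, ''<LDAP://DC=Domain,DC=co,DC=uk>;(&(objectClass=group)(cn=GRP-XP*)(member:1.2.840.113556.1.4.1941:=' + @pathFilter + N'));cn;subtree'')';
    INSERT INTO @groups (Name)
    EXEC sys.sp_executesql @Query;
END

SELECT Name
FROM @groups
ORDER BY Name;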
所以结果应该是这样的;
谢谢
我找到了一些我多年前写的代码。我无法对其进行测试,因为我们不再使用本地 AD 域控制器,但它确实在某些时候有效。
它基本上返回所有用户及其所属组的列表，因此应该很容易根据您的需要进行修改。
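-- Lists every enabled AD user account together with the groups it belongs to, directly
-- or through nesting (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941).
-- Result columns: SAMAccountName, DistinguishedName, GroupName, ActiveDirectoryPath.
--
-- OPENQUERY only takes a string constant, so the per-user group lookup has to be dynamic
-- SQL executed once per user (hence the cursor). Each DN spliced into that text is
-- escaped for the LDAP filter (RFC 4515: \ * ( ) -> \5c \2a \28 \29) and then for the
-- T-SQL literal that carries it to the linked server (' doubled); a DN such as
-- CN=Smith\, John or CN=O'Brien otherwise produces an invalid filter or a broken statement.
ALTER PROC [AD].[Get_AD_AllUsersWithGroups]
AS
BEGIN
    SET NOCOUNT ON;

    -- NVARCHAR(MAX): a DN of up to 1000 characters plus the query text does not fit in 1024.
    DECLARE @Query NVARCHAR(MAX);
    -- Same widths as the #users columns: the former nvarchar(256) silently truncated long
    -- DNs, so the membership lookup ran for a DN that does not exist.
    DECLARE @distinguishedName NVARCHAR(1000);
    DECLARE @SAMAccountName NVARCHAR(100);
    DECLARE @samLiteral NVARCHAR(200), @dnLiteral NVARCHAR(2000), @dnFilter NVARCHAR(MAX);

    CREATE TABLE #users (distinguishedName NVARCHAR(1000), SAMAccountName NVARCHAR(100));
    CREATE TABLE #results (
        SAMAccountName      NVARCHAR(100),
        DistinguishedName   NVARCHAR(1000),
        GroupName           NVARCHAR(1000),
        ActiveDirectoryPath NVARCHAR(1000)
    );

    -- All enabled user accounts. objectCategory=person excludes computer accounts (also
    -- objectClass=user); the bitwise rule on userAccountControl (OID 1.2.840.113556.1.4.803,
    -- bit 2 = ACCOUNTDISABLE) drops disabled accounts.
    -- NOTE(review): the ADSI provider returns at most its configured page size (commonly
    -- 1000 rows) for a single query; confirm the domain fits or page the query.
    SET @Query = N'
SELECT distinguishedName, SAMAccountName
FROM OPENQUERY(ADSI, ''<LDAP://DC=MyDomain,DC=local>;(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)));distinguishedName,sAMAccountName;subtree'')';
    INSERT INTO #users (distinguishedName, SAMAccountName)
    -- sys.sp_executesql in lower case: the upper-case name fails on case-sensitive collations.
    EXEC sys.sp_executesql @Query;

    -- For each user in #users, collect the groups it is a member of.
    DECLARE cUsers CURSOR LOCAL FAST_FORWARD FOR
        SELECT u.distinguishedName, u.SAMAccountName
        FROM #users AS u
        ORDER BY u.distinguishedName;
    OPEN cUsers;
    FETCH NEXT FROM cUsers INTO @distinguishedName, @SAMAccountName;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        -- Literal form for the SELECT list: quotes doubled once.
        SET @samLiteral = REPLACE(@SAMAccountName, '''', '''''');
        SET @dnLiteral  = REPLACE(@distinguishedName, '''', '''''');
        -- Filter form for the OPENQUERY text: RFC 4515 escapes first (backslash before the
        -- others, so the escapes themselves are not re-escaped), then quotes doubled once
        -- for the literal that carries the filter to the linked server.
        SET @dnFilter = REPLACE(REPLACE(REPLACE(REPLACE(@distinguishedName, '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29');
        SET @dnFilter = REPLACE(@dnFilter, '''', '''''');

        SET @Query = N'
INSERT INTO #results (SAMAccountName, DistinguishedName, GroupName, ActiveDirectoryPath)
SELECT ''' + @samLiteral + N''', ''' + @dnLiteral + N''', cn AS GroupName, AdsPath AS ActiveDirectoryPath
FROM OPENQUERY(ADSI, ''<LDAP://DC=MyDomain,DC=local>;(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=' + @dnFilter + N'));cn,adspath;subtree'')';
        EXEC sys.sp_executesql @Query;

        FETCH NEXT FROM cUsers INTO @distinguishedName, @SAMAccountName;
    END
    CLOSE cUsers;
    DEALLOCATE cUsers;

    SELECT r.SAMAccountName, r.DistinguishedName, r.GroupName, r.ActiveDirectoryPath
    FROM #results AS r
    ORDER BY r.SAMAccountName, r.GroupName;
END
GO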
我正在尝试编写一个 SQL 语句，按用户所属的用户组来控制报告标题中多个数据库的选择。这是为了在运行 SSRS 报告时限制数据库选择的安全性，使用户只能选择他们有权访问的分支或分支组。到目前为止，我可以返回单个用户的组结果。我想获取所有活动 AD 用户及其类似 GRP-XP% 的组的列表。下面是我目前的脚本，它只适用于单个用户名。最终这个表会传给 PowerBI，所以我需要完整的用户名/用户组表列表。
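-- Resolve one AD account to its distinguishedName, then list the GRP-XP* groups it
-- belongs to, directly or through nesting (LDAP_MATCHING_RULE_IN_CHAIN,
-- OID 1.2.840.113556.1.4.1941, as in the original query).
--
-- OPENQUERY accepts only a string constant, so both directory queries are built as
-- dynamic SQL. Every value spliced into that text is escaped twice: once for the LDAP
-- filter (RFC 4515: \ * ( ) become \5c \2a \28 \29) and once for the T-SQL literal that
-- carries the filter to the linked server (' doubled). Without this, a name such as
-- O'Brien, or a DN with an escaped comma (CN=Smith\, John), breaks the statement or
-- lets the value terminate the literal and inject into the dynamic SQL.
DECLARE @username VARCHAR(MAX) = 'ssmith';
-- NVARCHAR(MAX): a long DN plus the surrounding query text can exceed 1024 characters,
-- and a silently truncated @Query fails at execution or runs with a partial filter.
DECLARE @Query NVARCHAR(MAX), @Path NVARCHAR(1024);
DECLARE @sam NVARCHAR(256), @pathFilter NVARCHAR(MAX);
DECLARE @groups TABLE (Name NVARCHAR(256));

-- Strip the 'domain\' prefix as before; any other backslash is escaped and will simply
-- not match an account.
SET @sam = REPLACE(@username, 'domain\', '');
SET @sam = REPLACE(REPLACE(REPLACE(REPLACE(@sam, '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29');
SET @sam = REPLACE(@sam, '''', '''''');

-- Look up the account in LDAP dialect (same dialect as the group query below).
-- objectCategory=person excludes computer accounts, which are also objectClass=user;
-- the bitwise rule on userAccountControl (OID 1.2.840.113556.1.4.803, bit 2 =
-- ACCOUNTDISABLE) drops disabled accounts, so a disabled user gets no groups.
SET @Query = N'
SELECT @Path = distinguishedName
FROM OPENQUERY(CSAD, ''<LDAP://DC=Domain,DC=co,DC=uk>;(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=' + @sam + N'));distinguishedName;subtree'')';
-- sys.sp_executesql in lower case: the upper-case name fails on case-sensitive collations.
EXEC sys.sp_executesql @Query, N'@Path NVARCHAR(1024) OUTPUT', @Path = @Path OUTPUT;

-- No (enabled) account found: return an empty set instead of executing a NULL statement.
IF @Path IS NOT NULL
BEGIN
    -- Escape the DN for the LDAP filter first, then for the literal that carries it.
    SET @pathFilter = REPLACE(REPLACE(REPLACE(REPLACE(@Path, '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29');
    SET @pathFilter = REPLACE(@pathFilter, '''', '''''');

    -- The GRP-XP prefix test is pushed into the LDAP filter so only matching groups are
    -- returned. SUBSTRING(cn, 8, ...) strips the first 7 characters (presumably
    -- 'GRP-XP-') without erroring on a 6-character cn the way RIGHT(cn, LEN(cn)-7) did;
    -- the original REPLACE of space with space was a no-op and is dropped.
    SET @Query = N'
SELECT SUBSTRING(cn, 8, LEN(cn))
FROM OPENQUERY(CSAD, ''<LDAP://DC=Domain,DC=co,DC=uk>;(&(objectClass=group)(cn=GRP-XP*)(member:1.2.840.113556.1.4.1941:=' + @pathFilter + N'));cn;subtree'')';
    INSERT INTO @groups (Name)
    EXEC sys.sp_executesql @Query;
END

SELECT Name
FROM @groups
ORDER BY Name;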
所以结果应该是这样的;
谢谢
我找到了一些我多年前写的代码。我无法对其进行测试,因为我们不再使用本地 AD 域控制器,但它确实在某些时候有效。
它基本上返回所有用户及其所属组的列表，因此应该很容易根据您的需要进行修改。
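-- Lists every enabled AD user account together with the groups it belongs to, directly
-- or through nesting (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941).
-- Result columns: SAMAccountName, DistinguishedName, GroupName, ActiveDirectoryPath.
--
-- OPENQUERY only takes a string constant, so the per-user group lookup has to be dynamic
-- SQL executed once per user (hence the cursor). Each DN spliced into that text is
-- escaped for the LDAP filter (RFC 4515: \ * ( ) -> \5c \2a \28 \29) and then for the
-- T-SQL literal that carries it to the linked server (' doubled); a DN such as
-- CN=Smith\, John or CN=O'Brien otherwise produces an invalid filter or a broken statement.
ALTER PROC [AD].[Get_AD_AllUsersWithGroups]
AS
BEGIN
    SET NOCOUNT ON;

    -- NVARCHAR(MAX): a DN of up to 1000 characters plus the query text does not fit in 1024.
    DECLARE @Query NVARCHAR(MAX);
    -- Same widths as the #users columns: the former nvarchar(256) silently truncated long
    -- DNs, so the membership lookup ran for a DN that does not exist.
    DECLARE @distinguishedName NVARCHAR(1000);
    DECLARE @SAMAccountName NVARCHAR(100);
    DECLARE @samLiteral NVARCHAR(200), @dnLiteral NVARCHAR(2000), @dnFilter NVARCHAR(MAX);

    CREATE TABLE #users (distinguishedName NVARCHAR(1000), SAMAccountName NVARCHAR(100));
    CREATE TABLE #results (
        SAMAccountName      NVARCHAR(100),
        DistinguishedName   NVARCHAR(1000),
        GroupName           NVARCHAR(1000),
        ActiveDirectoryPath NVARCHAR(1000)
    );

    -- All enabled user accounts. objectCategory=person excludes computer accounts (also
    -- objectClass=user); the bitwise rule on userAccountControl (OID 1.2.840.113556.1.4.803,
    -- bit 2 = ACCOUNTDISABLE) drops disabled accounts.
    -- NOTE(review): the ADSI provider returns at most its configured page size (commonly
    -- 1000 rows) for a single query; confirm the domain fits or page the query.
    SET @Query = N'
SELECT distinguishedName, SAMAccountName
FROM OPENQUERY(ADSI, ''<LDAP://DC=MyDomain,DC=local>;(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)));distinguishedName,sAMAccountName;subtree'')';
    INSERT INTO #users (distinguishedName, SAMAccountName)
    -- sys.sp_executesql in lower case: the upper-case name fails on case-sensitive collations.
    EXEC sys.sp_executesql @Query;

    -- For each user in #users, collect the groups it is a member of.
    DECLARE cUsers CURSOR LOCAL FAST_FORWARD FOR
        SELECT u.distinguishedName, u.SAMAccountName
        FROM #users AS u
        ORDER BY u.distinguishedName;
    OPEN cUsers;
    FETCH NEXT FROM cUsers INTO @distinguishedName, @SAMAccountName;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        -- Literal form for the SELECT list: quotes doubled once.
        SET @samLiteral = REPLACE(@SAMAccountName, '''', '''''');
        SET @dnLiteral  = REPLACE(@distinguishedName, '''', '''''');
        -- Filter form for the OPENQUERY text: RFC 4515 escapes first (backslash before the
        -- others, so the escapes themselves are not re-escaped), then quotes doubled once
        -- for the literal that carries the filter to the linked server.
        SET @dnFilter = REPLACE(REPLACE(REPLACE(REPLACE(@distinguishedName, '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29');
        SET @dnFilter = REPLACE(@dnFilter, '''', '''''');

        SET @Query = N'
INSERT INTO #results (SAMAccountName, DistinguishedName, GroupName, ActiveDirectoryPath)
SELECT ''' + @samLiteral + N''', ''' + @dnLiteral + N''', cn AS GroupName, AdsPath AS ActiveDirectoryPath
FROM OPENQUERY(ADSI, ''<LDAP://DC=MyDomain,DC=local>;(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=' + @dnFilter + N'));cn,adspath;subtree'')';
        EXEC sys.sp_executesql @Query;

        FETCH NEXT FROM cUsers INTO @distinguishedName, @SAMAccountName;
    END
    CLOSE cUsers;
    DEALLOCATE cUsers;

    SELECT r.SAMAccountName, r.DistinguishedName, r.GroupName, r.ActiveDirectoryPath
    FROM #results AS r
    ORDER BY r.SAMAccountName, r.GroupName;
END
GO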