3.48.6. GroupUserBindString Previous topic Parent topic Child topic Next topic

This optional parameter is used to generate an ADSI user name identifier when checking group membership through a Group= check item. Defaults to ‘WinNT://%1’ (i.e. the named user). Special characters can be used, and %0 is replaced with the name of the group being checked, and %1 with the name of the user whose group membership is being checked.
This example checks whether an NT user in the OSC domain is in an NT Group in the OSC domain:
GroupBindString WinNT://OSC/%0,Group
GroupUserBindString WinNT://OSC/%1
This example checks whether the active directory user identified by GroupUserBindString is in the group defined by GroupBindString.
GroupBindString LDAP://cn=%0,dc=open,dc=com,dc=au
GroupUserBindString LDAP://cn=%1,cn=Users,dc=open,dc=com,dc=au
With AD, do not confuse Organizational Unit with group membership. They are different ideas. A user can be in one OU, but be a member of multiple groups. Use GroupBindString, GroupUserBindString and the Group= check item to check for AD group members.