# cfml-general
Has anyone had luck querying Active Directory with LDAP (cfldap) to return all of a user's groups, including nested groups? I can query for the 'memberOf' attribute on a user no problem, but that attribute does not include nested group memberships. I have found several references online that Microsoft includes an OID specifically for this purpose. That OID is 1.2.840.113556.1.4.1941, but I cannot get cfldap to return any results when using a filter as recommended in those articles. Here is one from Microsoft: https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax?redirectedfrom=MSDN It says midway down that page:

> Similarly, to find all the groups that "user1" is a member of, set the base to the groups container DN; for example (OU=groupsOU, dc=x) and the scope to subtree, and use the following filter. (member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x) Note that when using LDAP_MATCHING_RULE_IN_CHAIN, scope is not limited—it can be base, one-level, or subtree. Some such queries on subtrees may be more processor intensive, such as chasing links with a high fan-out; that is, listing all the groups that a user is a member of. Inefficient searches will log appropriate event log messages, as with any other type of query.
I have tried several different variations but none have returned anything for me. Here is one code example:
```cfml
<!--- The user's DN is passed as a filter value. A comma inside the CN is a DN
      separator and has to be escaped as "\," in the DN (RFC 4514); inside a
      search filter that backslash must itself be escaped as "\5c" (RFC 4515),
      so the CN "Lastname, Firstname" is written CN=Lastname\5c, Firstname. --->
<cfldap
  action="query"
  name="getUserGroups"
  server="#Variables.LDAP.Server#"
  start="OU=Groups,OU=Office,DC=domain,DC=xyz,DC=com"
  port="#Variables.LDAP.Port#"
  attributes="cn,dn,member,memberOf"
  filter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Lastname\5c, Firstname,OU=Users,OU=Office,DC=domain,DC=xyz,DC=com))"
  username="#Variables.LDAP.Username#"
  password="#Variables.LDAP.Password#"
  timeout="30000"
  scope="subtree"
  />
```
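The LDAP_MATCHING_RULE_IN_CHAIN filter from the Microsoft page, built with correct escaping, as an added example that is not part of the original post and not cfldap code. It runs offline and shows two things the post's filter has to get right: a comma inside a CN (as in "Lastname, Firstname") must be escaped once as a DN component (RFC 4514) and the resulting backslash escaped again as a filter value (RFC 4515), and a hostile display name containing `(`, `)` or `*` must not be able to widen the search. The function names, the sample base DN and the reverse "members of group" filter are this example's own choices.

```python
# Added example, not code from the original post or from ColdFusion/cfldap.
# Builds the "every group this user is in, nested groups included" filter with
# RFC 4514 / RFC 4515 escaping so commas and filter metacharacters in a CN
# neither break the query nor inject into it. Function names are assumptions.

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # Microsoft's transitive-membership rule OID


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")            # only a leading or trailing space needs escaping
        elif ch == "#" and i == 0:
            out.append("\\#")            # only a leading '#' needs escaping
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for a search filter (RFC 4515 section 3).

    Each of * ( ) \\ NUL, and every UTF-8 byte of a non-ASCII character, becomes \\XX.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(cn: str, users_base_dn: str) -> str:
    """Compose CN=<cn>,<base> with the CN escaped as a DN component."""
    return "CN=%s,%s" % (escape_rdn_value(cn), users_base_dn)


def build_nested_groups_filter(user_dn: str) -> str:
    """Filter returning every group the user is in, directly or through nesting.

    Run it with base = the groups container and scope = subtree, as the Microsoft
    search-filter-syntax page describes. The DN is a filter value here, so the
    backslash that escapes a comma in the CN is itself escaped as \\5c.
    """
    return "(&(objectClass=group)(member:%s:=%s))" % (
        LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn))


def build_nested_members_filter(group_dn: str) -> str:
    """The reverse query: every user in the group, directly or through nesting."""
    return "(&(objectCategory=person)(memberOf:%s:=%s))" % (
        LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(group_dn))


if __name__ == "__main__":
    base = "OU=Users,OU=Office,DC=domain,DC=xyz,DC=com"   # constructed sample DN
    dn = build_user_dn("Lastname, Firstname", base)
    print(dn)
    print(build_nested_groups_filter(dn))
    # A hostile display name cannot close the filter and widen the search:
    print(build_nested_groups_filter(build_user_dn("x)(objectClass=*", base)))
```

The value that ends up in the cfldap filter attribute is the string `build_nested_groups_filter` returns; note that the CN's comma survives as a literal comma, while the escaping backslash in front of it is what gets the `\5c` treatment.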