Re: Querying AD for Group information (type/scope)




For example, to query for all distribution groups ("!" is the NOT operator):

(&(objectCategory=group)(!groupType:1.2.840.113556.1.4.803:=2147483648))



To query for all security groups:



(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))



To query for all global security groups:



(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2))



To query for all users that have "Domain Users" designated as their
"primary" group:



(&(objectCategory=person)(objectClass=user)(primaryGroupID=513))



To query for all users that have some group other than "Domain Users"
designated as their "primary":



(&(objectCategory=person)(objectClass=user)(!primaryGroupID=513))



A VBScript function I use to determine the group type:

==================

Set objGroup = GetObject("LDAP://cn=TestGroup,ou=West,dc=MyDomain,dc=com")

Wscript.Echo "Group " & objGroup.Name & " is type " & _
    GetType(objGroup.groupType)

Function GetType(ByVal intType)
    ' Function to determine group type from the GroupType attribute.
    ' The low bits give the scope; bit 31 (&h80000000) marks a security group.
    If ((intType And &h01) <> 0) Then
        GetType = "Built-in"
    ElseIf ((intType And &h02) <> 0) Then
        GetType = "Global"
    ElseIf ((intType And &h04) <> 0) Then
        GetType = "Local"
    ElseIf ((intType And &h08) <> 0) Then
        GetType = "Universal"
    End If
    If ((intType And &h80000000) <> 0) Then
        GetType = GetType & "/Security"
    Else
        GetType = GetType & "/Distribution"
    End If
End Function

==================

Finally, the memberOf attribute of users and the member attribute of groups
do not include "primary" group membership. Instead, the primaryGroupID of
the user object designates the primary group. The value equals the
corresponding value of the primaryGroupToken of the "primary" group. The
group "Domain Users" has primaryGroupToken equal to 513, so all users with
primaryGroupID equal to 513 belong to the "Domain Users" group. For computer
objects the "primary" group (by default) is "Domain Computers", which has
primaryGroupToken equal to 515. The default "primary" group for DCs is
"Domain Controllers", which has primaryGroupToken equal to 516.


--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
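Added example (my own code, not from either post): a Python version of the same ideas, decoding groupType values such as those Austin lists below, building the bitwise LDAP filters with the scope bit and the security bit tested separately so a scope filter returns only the wanted type, and merging explicit member entries with users whose primaryGroupID implies membership. The group, user and DN values are constructed sample data.

```python
# Added example, not from the original posts: decode AD groupType flags,
# build bitwise LDAP filters, and merge explicit and implied membership.
LDAP_MATCH_BIT_AND = "1.2.840.113556.1.4.803"   # bitwise AND matching rule
SECURITY_FLAG = 0x80000000                       # 2147483648: security group
SCOPE_FLAGS = {0x01: "Built-in", 0x02: "Global", 0x04: "Domain Local", 0x08: "Universal"}


def decode_group_type(value):
    """Return (scope, kind) for a groupType value. AD stores the attribute as a
    signed 32-bit integer, so negative values are normalised to unsigned first."""
    bits = value & 0xFFFFFFFF
    scope = next((name for flag, name in SCOPE_FLAGS.items() if bits & flag), "Unknown")
    kind = "Security" if bits & SECURITY_FLAG else "Distribution"
    return scope, kind


def group_filter(scope=None, security=None):
    """Build an LDAP filter selecting groups by scope and/or type. Each bit is
    tested on its own, so scope="Global" with security=True excludes global
    distribution groups; security=False negates the bit in RFC 4515 form."""
    clauses = ["(objectCategory=group)"]
    if scope is not None:
        flag = {name: bit for bit, name in SCOPE_FLAGS.items()}[scope]
        clauses.append(f"(groupType:{LDAP_MATCH_BIT_AND}:={flag})")
    if security is True:
        clauses.append(f"(groupType:{LDAP_MATCH_BIT_AND}:={SECURITY_FLAG})")
    elif security is False:
        clauses.append(f"(!(groupType:{LDAP_MATCH_BIT_AND}:={SECURITY_FLAG}))")
    return "(&" + "".join(clauses) + ")"


def effective_members(group, users):
    """Union of the group's explicit member DNs and the users whose primaryGroupID
    equals the group's primaryGroupToken (AD never writes those into member)."""
    explicit = set(group["member"])
    implied = {u["dn"] for u in users if u["primaryGroupID"] == group["primaryGroupToken"]}
    return sorted(explicit | implied)


# Constructed sample objects standing in for LDAP search results.
DOMAIN_USERS = {"dn": "CN=Domain Users,CN=Users,DC=example,DC=com",
                "groupType": -2147483646, "primaryGroupToken": 513, "member": []}
USERS = [
    {"dn": "CN=alice,OU=West,DC=example,DC=com", "primaryGroupID": 513},
    {"dn": "CN=bob,OU=West,DC=example,DC=com", "primaryGroupID": 513},
    {"dn": "CN=svc-backup,OU=Service,DC=example,DC=com", "primaryGroupID": 1105},
]

if __name__ == "__main__":
    print(decode_group_type(DOMAIN_USERS["groupType"]))   # ('Global', 'Security')
    print(group_filter(scope="Global", security=True))
    print(effective_members(DOMAIN_USERS, USERS))          # alice and bob, not svc-backup
```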



"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:uBd9ImEEIHA.1164@xxxxxxxxxxxxxxxxxxxxxxx
Hi ATC,
The "type" of a group is held in the groupType attribute which you can
ascertain with a query.
Values for the different group types are:

2 Global distribution group

4 Domain local distribution group

8 Universal distribution group

-2147483646 Global security group

-2147483644 Domain local security group

-2147483640 Universal security group

The reason the member attribute of the "Domain users" and some other
System Groups is empty is because for these groups, to get round the 5k
membership limit for groups, AD does not write a forward link for the
"primaryGroupID" of the user and membership is implied.
See: http://support.microsoft.com/kb/275523

Regards,

Austin

"ATC" <ATC@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:02CBD7C4-9289-4844-848A-63DD7E856272@xxxxxxxxxxxxxxxx
Is there a way to use an LDAP query to return the type (Security vs
Distribution) and scope (Local vs Global vs Universal) of a group?

Also, are some group memberships "calculated" (not sure of correct term)
instead of stored in the "member" attribute? Because I've noticed that some
groups like "Domain Users" and "Domain Controllers" have nothing listed in
their "member" attribute even though they have computers or people listed as
members when looking at their memberships via the admin console.

Thanks!





