Re: Querying AD for Group information (type/scope)
- From: "Austin Osuide" <austin@xxxxxxxxxxx>
- Date: Wed, 17 Oct 2007 09:57:06 +0100
Or,
If you're into the new and improved way of doing things and want to use
PowerShell (www.microsoft.com/powershell) and you install the FREE Quest
AD cmdlets (http://www.quest.com/activeroles-server/arms.aspx), you can do
this:
1. To query for distribution groups:
c:\> get-qadGroup -groupType 'Distribution' | Format-Table Name, DN -autosize
2. To query for all security groups:
c:\> get-qadGroup -groupType 'Security' | Format-Table Name, DN -autosize
3. To query for all global security groups:
c:\> get-qadGroup -groupType 'Security' -groupScope 'global' | Format-Table Name, DN -autosize
4. To query for all users that have some group other than "Domain Users"
designated as their "primary":
c:\> get-qadUser -LdapFilter '(&(objectCategory=person)(objectClass=user)(!primaryGroupID=513))' | Format-Table Name, DN -autosize
Have a go.. I think Powershell is the future and the capabilities of the
version 1 product are awesome.
For 'mere' Admins in a "Windows Environment" the impossible becomes possible
and the difficult easy.. (sorry Perl ;-) )
Regards,
Austin
"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx> wrote in
message news:%23eVZ$YFEIHA.4880@xxxxxxxxxxxxxxxxxxxxxxx
For example, to query for all distribution groups ("!" is the NOT
operator):
(&(objectCategory=group)(!groupType:1.2.840.113556.1.4.803:=2147483648))
To query for all security groups:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))
To query for all global security groups:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2))
To query for all users that have "Domain Users" designated as their
"primary" group:
(&(objectCategory=person)(objectClass=user)(primaryGroupID=513))
To query for all users that have some group other than "Domain Users"
designated as their "primary":
(&(objectCategory=person)(objectClass=user)(!primaryGroupID=513))
A VBScript function I use to determine the group type:
==================
Set objGroup = GetObject("LDAP://cn=TestGroup,ou=West,dc=MyDomain,dc=com")
Wscript.Echo "Group " & objGroup.Name & " is type " & _
    GetType(objGroup.groupType)

Function GetType(ByVal intType)
    ' Function to determine group type from the GroupType attribute.
    ' Scope bits: &h01 built-in, &h02 global, &h04 domain local, &h08 universal.
    If ((intType And &h01) <> 0) Then
        GetType = "Built-in"
    ElseIf ((intType And &h02) <> 0) Then
        GetType = "Global"
    ElseIf ((intType And &h04) <> 0) Then
        GetType = "Local"
    ElseIf ((intType And &h08) <> 0) Then
        GetType = "Universal"
    End If
    ' The high bit (&h80000000) marks a security group; VBScript stores it as a
    ' negative Long, which is why security groupType values appear negative.
    If ((intType And &h80000000) <> 0) Then
        GetType = GetType & "/Security"
    Else
        GetType = GetType & "/Distribution"
    End If
End Function
================
Finally, the memberOf attribute of users and the member attribute of
groups do not include "primary" group membership. Instead, the
primaryGroupID of the user object designates the primary group. The value
equals the corresponding value of the primaryGroupToken of the "primary"
group. The group "Domain Users" has primaryGroupToken equal to 513, so all
users with primaryGroupID equal to 513 belong to the "Domain Users" group.
For computer objects the "primary" group (by default) is "Domain
Computers", which has primaryGroupToken equal to 515. The default
"primary" group for DCs is "Domain Controllers", which has
primaryGroupToken equal to 516.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:uBd9ImEEIHA.1164@xxxxxxxxxxxxxxxxxxxxxxx
Hi ATC,
The "type" of a group is held in the groupType attribute which you can
ascertain with a query.
Values for the different group types are:
2 Global distribution group
4 Domain local distribution group
8 Universal distribution group
-2147483646 Global security group
-2147483644 Domain local security group
-2147483640 Universal security group
The reason the member attribute of "Domain Users" and some other
system groups is empty is that for these groups, to get round the 5k
membership limit for groups, AD does not write a forward link for the
"primaryGroupID" of the user and membership is implied.
See: http://support.microsoft.com/kb/275523
Regards,
Austin
"ATC" <ATC@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:02CBD7C4-9289-4844-848A-63DD7E856272@xxxxxxxxxxxxxxxx
Is there a way to use an LDAP query to return the type (Security vs
Distribution) and scope (Local vs Global vs Universal) of a group?
Also, are some group memberships "calculated" (not sure of correct term)
instead of stored in the "member" attribute? Because I've noticed that
some groups like "Domain Users" and "Domain Controllers" have nothing listed
in their "member" attribute even though they have computers or people listed
as members when looking at their memberships via the admin console.
Thanks!
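As an added example that is not part of any post in this thread: a Python rendering of the two points the replies make, decoding the groupType bits (including the negative values AD returns for security groups) and resolving the membership that primaryGroupID implies but the member attribute never lists. The group and user records are constructed sample data; the "Admins" group and its primaryGroupToken 1105 are assumptions.

```python
# Added example (not from the thread): decode the groupType attribute into
# scope/type, then compute effective membership including the "implied"
# primary group. The directory records below are constructed sample data.
GT_BUILTIN, GT_GLOBAL, GT_DOMAIN_LOCAL, GT_UNIVERSAL = 0x1, 0x2, 0x4, 0x8
GT_SECURITY = 0x80000000


def decode_group_type(value):
    """Return (scope, kind) for a groupType value.

    AD returns the attribute as a signed 32-bit integer, so security groups
    appear negative (-2147483646 is a global security group); masking to
    32 bits lets the signed and unsigned forms decode identically.
    """
    bits = value & 0xFFFFFFFF
    if bits & GT_BUILTIN:
        scope = "Built-in"
    elif bits & GT_GLOBAL:
        scope = "Global"
    elif bits & GT_DOMAIN_LOCAL:
        scope = "Domain local"
    elif bits & GT_UNIVERSAL:
        scope = "Universal"
    else:
        raise ValueError("no scope bit set in groupType %r" % value)
    kind = "Security" if bits & GT_SECURITY else "Distribution"
    return scope, kind


# Constructed sample: "Domain Users" has an empty member attribute, as the
# thread observes; alice's and bob's membership is implied by primaryGroupID.
GROUPS = {
    "Domain Users": {"primaryGroupToken": 513, "groupType": -2147483646,
                     "member": []},
    "Admins": {"primaryGroupToken": 1105, "groupType": -2147483646,
               "member": ["cn=alice"]},  # 1105 is an assumed RID
}
USERS = {
    "cn=alice": {"primaryGroupID": 513},
    "cn=bob": {"primaryGroupID": 513},
    "cn=svc": {"primaryGroupID": 1105},  # primary group changed to Admins
}


def effective_members(group_name, groups=GROUPS, users=USERS):
    """Explicit member values plus every user whose primaryGroupID equals the
    group's primaryGroupToken (membership AD stores without a forward link)."""
    group = groups[group_name]
    implied = [dn for dn, u in users.items()
               if u["primaryGroupID"] == group["primaryGroupToken"]]
    return sorted(set(group["member"]) | set(implied))
```

Run against a real directory, the same two functions apply to the groupType and primaryGroupID values an LDAP search returns; the only thing that changes is the source of the records.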