Query to display AD security groups where type = Global

[cottonpants]

Newbie LDAP dude here...

Trying to find an easy way to dump security groups out of AD by type (ie Domain Local vs Global vs Universal)

You'd think they'd have that as a selection in their filters but sadly no. So now I'm resorting to LDAP. Can anyone help?

Thanks in advance.

 

[PScottC]

You could set up several queries to get each type of group and list them... The queries would look something like this...

All Security Groups with a type of Global
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483650))

All Security Groups with a type of Domain Local
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483652))

All Security Groups with a type of Universal
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483656))

The way we get these wierd looking queries is by knowing the bit values for different types of groups and then using the Bitwise AND 1.2.840.113556.1.4.803 to filter the results.

Here's the bit values for different types of groups:
Global = 2
Domain Local = 4
Universal = 8
Security Group = 2147483648
Distribution Group = no value

So... What if you want to list distribution groups of these types? Well... You would have to exclude all security groups from your query. To exclude security groups you would have to add an additional filter...

All Global Distribution Group
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))

PSC