Solved

LDAP - Enum predefined groups

Posted on 2006-07-23
8
302 Views
Last Modified: 2013-12-28
How can I enumerate members of groups such 'Domain Users', 'Domain Computers', 'Domain Controllers' etc.?
I'm using the LDAP provider and the straightforward way doesn't work. I always get for these groups Members.Count = 0.

Thanks.
0
Comment
Question by:Netiv
  • 5
  • 3
8 Comments
 
LVL 70

Accepted Solution

by:
Chris Dent earned 125 total points
Comment Utility

In short... cheat...

Those groups cannot be enumerated through the LDAP ADS Interface. However... they can be enumerated through the older WinNT ADS Interface. For example (in VbScript):

Set objGroup = GetObject("WinNT://your.domain.local/Domain Users, group")

For Each objUser in objGroup.Members
      WScript.Echo objUser.Name
Next


HTH

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

One thing though - Members.Count isn't available as a property of the members collection - you'd have to create an integer variant (say "i"), loop through and count them that way.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

By the way, what are you looking to achieve by enumerating them? There are some very easy ways to get from the NT Username to the AD DS Path if you need to know how.

Chris
0
 

Author Comment

by:Netiv
Comment Utility
Thank you Chris for your answer.  I'm totally new to the AD programming and your first answer saved me a lot of googling.
I know I can get the members of those groups in other ways (WinNT provider or direct calls like NetLocalGroupEnum), I was just thinking it would be nice to converge into a single method of work. I now understand it is impossible.
As for your last remark, the application need to have a user interface that shows AD groups.

Thank you,
Amir.
0
How does your email signature look on mobiles?

Do your employees use mobile devices to reply to emails? With mobile becoming increasingly important to the business world, it is in your best interest to make sure that your email signature looks great across all types of devices.

 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

Well the way to pull that information via LDAP is to read the Primary Group Token of each Object in AD and compare that with the Primary Group ID of each of the Groups. For instance, the PrimaryGroupID of Domain Users is 513. Each user that is a member of that group will have 513 listed as their Primary Group Token.

Something like this reads the Primary Group ID (again VbScript):

Set objUser = GetObject("LDAP://CN=User Name,OU=Some OU,DC=Your,DC=Domain,DC=local")
intPrimaryGroupID = objUser.Get("primaryGroupID")
If intPrimaryGroupID = 513 Then
     ' Member of Domain Users
End If

Getting the PrimaryGroupToken is also easy:

Set objGroup = GetObject("LDAP://CN=Domain Users,CN=Users,DC=Your,DC=Domain,DC=local")
intPrimaryGroupToken = objGroup.Get("primaryGroupToken")

You can, of course, read in all the Primary Group Tokens and Group Names from AD - but in many cases the only one you're interested in is Domain Users and that is always 513 regardless of who set the domain up.

Always seemed like a really silly way to organise things in my opinion...

Chris
0
 

Author Comment

by:Netiv
Comment Utility
"...silly way...", You mean that you would use the older interface WinNT  to enumerate this group?
0
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

I would use the WinNT interface to read the membership, then the NameTranslate object if I needed to get from those to the ADS Path. Otherwise you're going to have to loop through every user account just to check the membership - and while that may well include everyone it doesn't have to.

I would rather the members of the group could be directly enumerated as with other AD based groups. The Primary Group setup is only there for POSIX / Mac support and generally seems unnecessary.

Chris
0
 

Author Comment

by:Netiv
Comment Utility
"The Primary Group setup is only there for POSIX / Mac support"
This is exactly what I needed to hear in order to abandon the 'Domain Users' idea.

Thank you,
Amir.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Suggested Solutions

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup". After a while, you have entered a loop for Auto repair which does not fix anything and you will be in a  panic as all your work w…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now