Solved

LDAP - Enum predefined groups

Posted on 2006-07-23
8
320 Views
Last Modified: 2013-12-28
How can I enumerate members of groups such 'Domain Users', 'Domain Computers', 'Domain Controllers' etc.?
I'm using the LDAP provider and the straightforward way doesn't work. I always get for these groups Members.Count = 0.

Thanks.
0
Comment
Question by:Netiv
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
8 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 125 total points
ID: 17185695

In short... cheat...

Those groups cannot be enumerated through the LDAP ADS Interface. However... they can be enumerated through the older WinNT ADS Interface. For example (in VbScript):

Set objGroup = GetObject("WinNT://your.domain.local/Domain Users, group")

For Each objUser in objGroup.Members
      WScript.Echo objUser.Name
Next


HTH

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 17185702

One thing though - Members.Count isn't available as a property of the members collection - you'd have to create an integer variant (say "i"), loop through and count them that way.

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 17185716

By the way, what are you looking to achieve by enumerating them? There are some very easy ways to get from the NT Username to the AD DS Path if you need to know how.

Chris
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Netiv
ID: 17191710
Thank you Chris for your answer.  I'm totally new to the AD programming and your first answer saved me a lot of googling.
I know I can get the members of those groups in other ways (WinNT provider or direct calls like NetLocalGroupEnum), I was just thinking it would be nice to converge into a single method of work. I now understand it is impossible.
As for your last remark, the application need to have a user interface that shows AD groups.

Thank you,
Amir.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 17191767

Well the way to pull that information via LDAP is to read the Primary Group Token of each Object in AD and compare that with the Primary Group ID of each of the Groups. For instance, the PrimaryGroupID of Domain Users is 513. Each user that is a member of that group will have 513 listed as their Primary Group Token.

Something like this reads the Primary Group ID (again VbScript):

Set objUser = GetObject("LDAP://CN=User Name,OU=Some OU,DC=Your,DC=Domain,DC=local")
intPrimaryGroupID = objUser.Get("primaryGroupID")
If intPrimaryGroupID = 513 Then
     ' Member of Domain Users
End If

Getting the PrimaryGroupToken is also easy:

Set objGroup = GetObject("LDAP://CN=Domain Users,CN=Users,DC=Your,DC=Domain,DC=local")
intPrimaryGroupToken = objGroup.Get("primaryGroupToken")

You can, of course, read in all the Primary Group Tokens and Group Names from AD - but in many cases the only one you're interested in is Domain Users and that is always 513 regardless of who set the domain up.

Always seemed like a really silly way to organise things in my opinion...

Chris
0
 

Author Comment

by:Netiv
ID: 17210140
"...silly way...", You mean that you would use the older interface WinNT  to enumerate this group?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 17218636

I would use the WinNT interface to read the membership, then the NameTranslate object if I needed to get from those to the ADS Path. Otherwise you're going to have to loop through every user account just to check the membership - and while that may well include everyone it doesn't have to.

I would rather the members of the group could be directly enumerated as with other AD based groups. The Primary Group setup is only there for POSIX / Mac support and generally seems unnecessary.

Chris
0
 

Author Comment

by:Netiv
ID: 17230913
"The Primary Group setup is only there for POSIX / Mac support"
This is exactly what I needed to hear in order to abandon the 'Domain Users' idea.

Thank you,
Amir.
0

Featured Post

Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
When asking a question in a forum or creating documentation, screenshots are vital tools that can convey a lot more information and save you and your reader a lot of time
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question