Solved

LDAP - Enum predefined groups

Posted on 2006-07-23
8
305 Views
Last Modified: 2013-12-28
How can I enumerate members of groups such 'Domain Users', 'Domain Computers', 'Domain Controllers' etc.?
I'm using the LDAP provider and the straightforward way doesn't work. I always get for these groups Members.Count = 0.

Thanks.
0
Comment
Question by:Netiv
  • 5
  • 3
8 Comments
 
LVL 70

Accepted Solution

by:
Chris Dent earned 125 total points
ID: 17185695

In short... cheat...

Those groups cannot be enumerated through the LDAP ADS Interface. However... they can be enumerated through the older WinNT ADS Interface. For example (in VbScript):

Set objGroup = GetObject("WinNT://your.domain.local/Domain Users, group")

For Each objUser in objGroup.Members
      WScript.Echo objUser.Name
Next


HTH

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 17185702

One thing though - Members.Count isn't available as a property of the members collection - you'd have to create an integer variant (say "i"), loop through and count them that way.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 17185716

By the way, what are you looking to achieve by enumerating them? There are some very easy ways to get from the NT Username to the AD DS Path if you need to know how.

Chris
0
 

Author Comment

by:Netiv
ID: 17191710
Thank you Chris for your answer.  I'm totally new to the AD programming and your first answer saved me a lot of googling.
I know I can get the members of those groups in other ways (WinNT provider or direct calls like NetLocalGroupEnum), I was just thinking it would be nice to converge into a single method of work. I now understand it is impossible.
As for your last remark, the application need to have a user interface that shows AD groups.

Thank you,
Amir.
0
Being driven mad by email signature updates?

Having to make a change to your users’ email signatures, yet again? Feel like your head is going to explode? Rely on an Exclaimer email signature management solution to make the process simple!

 
LVL 70

Expert Comment

by:Chris Dent
ID: 17191767

Well the way to pull that information via LDAP is to read the Primary Group Token of each Object in AD and compare that with the Primary Group ID of each of the Groups. For instance, the PrimaryGroupID of Domain Users is 513. Each user that is a member of that group will have 513 listed as their Primary Group Token.

Something like this reads the Primary Group ID (again VbScript):

Set objUser = GetObject("LDAP://CN=User Name,OU=Some OU,DC=Your,DC=Domain,DC=local")
intPrimaryGroupID = objUser.Get("primaryGroupID")
If intPrimaryGroupID = 513 Then
     ' Member of Domain Users
End If

Getting the PrimaryGroupToken is also easy:

Set objGroup = GetObject("LDAP://CN=Domain Users,CN=Users,DC=Your,DC=Domain,DC=local")
intPrimaryGroupToken = objGroup.Get("primaryGroupToken")

You can, of course, read in all the Primary Group Tokens and Group Names from AD - but in many cases the only one you're interested in is Domain Users and that is always 513 regardless of who set the domain up.

Always seemed like a really silly way to organise things in my opinion...

Chris
0
 

Author Comment

by:Netiv
ID: 17210140
"...silly way...", You mean that you would use the older interface WinNT  to enumerate this group?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 17218636

I would use the WinNT interface to read the membership, then the NameTranslate object if I needed to get from those to the ADS Path. Otherwise you're going to have to loop through every user account just to check the membership - and while that may well include everyone it doesn't have to.

I would rather the members of the group could be directly enumerated as with other AD based groups. The Primary Group setup is only there for POSIX / Mac support and generally seems unnecessary.

Chris
0
 

Author Comment

by:Netiv
ID: 17230913
"The Primary Group setup is only there for POSIX / Mac support"
This is exactly what I needed to hear in order to abandon the 'Domain Users' idea.

Thank you,
Amir.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
How to record audio from input sources to your PC – connected devices, connected preamp to record vinyl discs, streaming media, that play through your audio card: Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10 – both 32 bit & 64.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now