Wednesday, October 21, 2009

LDAP Queries for Group Scope

Suppose you want to view all Global Groups in your domain. How would you do this? LDAP queries! LDAP queries for group scope are a little weird, because groupType is a bit field and the filter has to test individual bits with the bitwise-AND matching rule (the 1.2.840.113556.1.4.803 OID in each filter below). Here are the filters you need:

All Security Groups with a type of Global:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483650))

All Security Groups with a type of Domain Local:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483652))

All Security Groups with a type of Universal:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483656))

All Distribution Groups with a type of Global:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))

All Distribution Groups with a type of Domain Local:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=4)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))

All Distribution Groups with a type of Universal:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))

How do you use them? In Active Directory Users and Computers, under Saved Queries:

Click Define Query:

Choose Custom Search from the drop-down box:

Click the Advanced tab, then enter your query:

You can also run these queries through dsquery.

All Security Groups with a type of Global:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483650))" -limit 0

All Security Groups with a type of Domain Local:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483652))" -limit 0

All Security Groups with a type of Universal:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483656))" -limit 0

All Distribution Groups with a type of Global:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))" -limit 0

All Distribution Groups with a type of Domain Local:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=4)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))" -limit 0

All Distribution Groups with a type of Universal:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))" -limit 0


Here are the values used to calculate these queries (the number in each security-group filter is the scope value plus the security-group value):

Global = +2
Domain Local = +4
Universal = +8
Security Group = +2147483648
Distribution Group = 0
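As an added example that is not part of the original post, the Python script below derives the six filters and their dsquery command lines from the bit values in this table, and also does the reverse: it decodes a groupType value read back from AD into kind and scope. It covers two things the post leaves out. AD returns groupType as a signed 32-bit integer, so every security-enabled group reads back as a negative number (a security global group is -2147483646, which is the same bit pattern as 2147483650), and groups in the Builtin container carry the extra bit value 1 alongside the Domain Local bit. The dc=domain,dc=local base, the group names and the groupType values in SAMPLE_GROUPS are constructed sample data.

```python
# Added example, not part of the original post: derive the group-scope LDAP
# filters from the groupType bit values and decode groupType values read
# back from Active Directory.

# groupType bit values: the table in the post, plus the builtin-local bit.
BUILTIN_LOCAL = 1               # GROUP_TYPE_BUILTIN_LOCAL_GROUP (groups in CN=Builtin)
GLOBAL = 2                      # GROUP_TYPE_ACCOUNT_GROUP
DOMAIN_LOCAL = 4                # GROUP_TYPE_RESOURCE_GROUP
UNIVERSAL = 8                   # GROUP_TYPE_UNIVERSAL_GROUP
SECURITY_ENABLED = 2147483648   # GROUP_TYPE_SECURITY_ENABLED, 0x80000000

# LDAP_MATCHING_RULE_BIT_AND: (attr:OID:=V) is true when (attr & V) == V.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

SCOPES = {"Global": GLOBAL, "Domain Local": DOMAIN_LOCAL, "Universal": UNIVERSAL}


def bit_and(value):
    """Extensible-match clause testing that every bit in value is set."""
    return f"(groupType:{BIT_AND_RULE}:={value})"


def group_filter(scope, security):
    """Build the filter for one scope, security-enabled or distribution."""
    scope_bit = SCOPES[scope]
    if security:
        # Security groups: scope bit and security bit must both be set.
        return f"(&(objectCategory=group){bit_and(scope_bit | SECURITY_ENABLED)})"
    # Distribution groups: scope bit set, security bit explicitly absent.
    return f"(&(objectCategory=group){bit_and(scope_bit)}(!{bit_and(SECURITY_ENABLED)}))"


def dsquery_command(scope, security, base="dc=domain,dc=local"):
    """dsquery line equivalent to the post's examples; base is a placeholder."""
    return f'dsquery * {base} -filter "{group_filter(scope, security)}" -limit 0'


def decode_group_type(group_type):
    """Map a groupType attribute value to (kind, scope).

    AD stores groupType as a signed 32-bit integer, so security-enabled
    groups read back negative (e.g. -2147483646 for a security global
    group). Mask to the unsigned bit pattern before testing bits.
    """
    bits = group_type & 0xFFFFFFFF
    kind = "Security" if bits & SECURITY_ENABLED else "Distribution"
    if bits & BUILTIN_LOCAL:
        # Builtin groups carry bit 1 together with the Domain Local bit.
        return kind, "Builtin Local"
    found = [name for name, bit in SCOPES.items() if bits & bit]
    if len(found) != 1:
        raise ValueError(f"unexpected groupType value {group_type}")
    return kind, found[0]


def filter_matches(group_type, scope, security):
    """Evaluate one scope/kind filter locally, as the bitwise-AND rule would."""
    bits = group_type & 0xFFFFFFFF
    scope_bit = SCOPES[scope]
    if security:
        want = scope_bit | SECURITY_ENABLED
        return (bits & want) == want
    return bool(bits & scope_bit) and not (bits & SECURITY_ENABLED)


# Constructed sample data in the shape dsquery or Get-ADGroup would return.
SAMPLE_GROUPS = [
    ("Domain Admins", -2147483646),       # security, global
    ("Administrators", -2147483643),      # security, builtin local
    ("File Server Access", -2147483644),  # security, domain local
    ("Enterprise Admins", -2147483640),   # security, universal
    ("All Staff", 8),                     # distribution, universal
    ("Sales Newsletter", 2),              # distribution, global
]


def summarize(groups):
    """Count groups per (kind, scope), the totals an audit would report."""
    counts = {}
    for _, group_type in groups:
        key = decode_group_type(group_type)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for scope in SCOPES:
        for security in (True, False):
            print(dsquery_command(scope, security))
    for name, group_type in SAMPLE_GROUPS:
        print(name, decode_group_type(group_type))
    print(summarize(SAMPLE_GROUPS))
```

The filter side uses the unsigned values exactly as the post does, because the bitwise-AND matching rule compares bit patterns; the decode side masks with 0xFFFFFFFF so that the negative numbers AD hands back land on the same patterns. filter_matches lets you check, without a directory, which of the six filters a given groupType value would fall under.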

2 comments:

  1. Hi Clint,

    Thanks for sharing your insightful thoughts and suggestions - very helpful, and appreciated indeed.

    On a related note, we needed a quick and efficient way to enumerate nested security groups for security audits (i.e. find out which groups were nested in other groups.) So we asked our on-site MS consultant and he recommended using the Gold Finger from Paramount Defenses Inc.

    Gold Finger pleasantly surprised us because not only was it endorsed by Microsoft but also 100% FREE and loaded with almost 250 useful Active Directory security, Exchange and ACL management reports. BTW, you can download it for free from http://goldfinger.paramountdefenses.com

    Thought I'd share this with you in case it could help you too, especially if you're into AD security reporting - there's no need to write LDAP filters anymore :-)

    Thanks again, and looking forward to your next post.

    Best wishes,
    Jonathan

  2. Jonathan, thanks muchly for that post... That is exactly what I was aiming to do, find out any groups nested inside other groups. In the end I did write a script to do this, but I binned it as I found out the ADMT tool is capable of producing such data as well. I will definitely have a look at Gold Finger however, thank you very much for the information.