Suppose you want to view all Global Groups in your domain. How would you do this? LDAP queries! LDAP queries for group scope are a little weird, because Active Directory packs both the scope (Global, Domain Local, Universal) and the type (Security or Distribution) into the single groupType attribute as bit flags, so you cannot simply filter on a "scope" attribute. However, here are the filters you need:
All Security Groups with a scope of Global:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483650))
All Security Groups with a scope of Domain Local:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483652))
All Security Groups with a scope of Universal:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483656))
All Distribution Groups with a scope of Global:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))
All Distribution Groups with a scope of Domain Local:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=4)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))
All Distribution Groups with a scope of Universal:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))
How do you use them? In Active Directory Users and Computers, right-click Saved Queries and create a new query.
Click Define Query:
Choose Custom Search from the Find drop-down box:
Click the Advanced tab, then paste your LDAP filter into the query box:
You can also run these queries from the command line with dsquery. Replace dc=domain,dc=local with the distinguished name of your domain, and keep -limit 0, because dsquery otherwise stops after its default of 100 results and silently truncates the list:
All Security Groups with a type of Global:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483650))" -limit 0
All Security Groups with a type of Domain Local:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483652))" -limit 0
All Security Groups with a type of Universal:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483656))" -limit 0
All Distribution Groups with type of Global:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))" -limit 0
All Distribution Groups with type of Domain Local:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=4)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))" -limit 0
All Distribution Groups with type of Universal:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))" -limit 0
Here are the values used to calculate these queries. groupType is a bit-flag integer, and 1.2.840.113556.1.4.803 is the LDAP bitwise AND matching rule: a group matches when every bit of the filter value is set in its groupType. So you add the scope flag to the security flag to get the mask for the filter:
Global = +2
Domain Local = +4
Universal = +8
Builtin Local = +1 (the groups in the Builtin container; these also carry the Domain Local bit, so the Domain Local Security filter above returns them too)
Security Group = +2147483648
Distribution Group = 0
One caveat: AD stores groupType as a signed 32-bit integer, so in ADSI Edit a Global Security group shows a groupType of -2147483646 rather than 2147483650. The bitwise matching rule takes care of that for you; a plain equality filter would have to use the signed value, for example (groupType=-2147483646).
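As an added worked example (this is not code from the original post), the following Python decodes the raw groupType values that AD returns, builds the six filters above from a scope and a category, and evaluates the bitwise AND matching rule locally against a handful of constructed sample groups, so you can see which groups each filter selects without a domain controller. The group names and their groupType values are constructed sample data; the bit constants are the documented AD DS groupType flags.

```python
# Added example, not from the original post: decode Active Directory groupType
# values, build the post's LDAP filters, and evaluate the bitwise-AND matching
# rule (1.2.840.113556.1.4.803) against constructed sample groups.

# Documented groupType flag bits.
BUILTIN_LOCAL = 0x00000001
GLOBAL = 0x00000002
DOMAIN_LOCAL = 0x00000004
UNIVERSAL = 0x00000008
SECURITY_ENABLED = 0x80000000  # 2147483648

# Builtin is checked first because Builtin groups also carry the Domain Local bit.
SCOPES = {
    "BuiltinLocal": BUILTIN_LOCAL,
    "Global": GLOBAL,
    "DomainLocal": DOMAIN_LOCAL,
    "Universal": UNIVERSAL,
}
BIT_AND = "1.2.840.113556.1.4.803"


def to_unsigned(group_type):
    """AD stores groupType as a signed 32-bit int, so a security group reads as a
    negative number (e.g. -2147483646). Normalise to the unsigned bit pattern."""
    return group_type & 0xFFFFFFFF


def decode_group_type(group_type):
    """Return (scope, category) for a raw groupType value as returned by AD."""
    bits = to_unsigned(group_type)
    scope = next((name for name, flag in SCOPES.items() if bits & flag), "Unknown")
    category = "Security" if bits & SECURITY_ENABLED else "Distribution"
    return scope, category


def build_filter(scope, security):
    """Build the LDAP filter the post uses for a given scope and category."""
    scope_bit = SCOPES[scope]
    if security:
        return f"(&(objectCategory=group)(groupType:{BIT_AND}:={SECURITY_ENABLED | scope_bit}))"
    return (f"(&(objectCategory=group)(groupType:{BIT_AND}:={scope_bit})"
            f"(!(groupType:{BIT_AND}:={SECURITY_ENABLED})))")


def matches(group_type, mask):
    """The bitwise-AND rule: true only when every bit of the mask is set."""
    return to_unsigned(group_type) & mask == mask


# Constructed sample groups with the signed groupType values AD actually returns.
SAMPLE_GROUPS = {
    "Domain Admins": -2147483646,      # 0x80000002: global, security
    "DnsAdmins": -2147483644,          # 0x80000004: domain local, security
    "Enterprise Admins": -2147483640,  # 0x80000008: universal, security
    "Sales-News": 2,                   # global, distribution
    "Helpdesk-DL": 4,                  # domain local, distribution
    "All-Staff": 8,                    # universal, distribution
    "Administrators": -2147483643,     # 0x80000005: builtin local + domain local, security
}


def select(scope, security, groups=SAMPLE_GROUPS):
    """Names of the groups the post's filter for (scope, security) would return."""
    scope_bit = SCOPES[scope]
    if security:
        return sorted(n for n, gt in groups.items()
                      if matches(gt, SECURITY_ENABLED | scope_bit))
    return sorted(n for n, gt in groups.items()
                  if matches(gt, scope_bit) and not matches(gt, SECURITY_ENABLED))


if __name__ == "__main__":
    for scope in ("Global", "DomainLocal", "Universal"):
        for security in (True, False):
            print(build_filter(scope, security), "->", select(scope, security))
    for name, gt in SAMPLE_GROUPS.items():
        print(f"{name}: groupType={gt} ({to_unsigned(gt):#010x}) -> {decode_group_type(gt)}")
```

Running it shows the point of the caveat above: the Domain Local Security filter returns Administrators alongside DnsAdmins, because Builtin groups have groupType 0x80000005 and so satisfy the 0x80000004 mask. If you only want real domain-local groups, add (!(groupType:1.2.840.113556.1.4.803:=1)) to the filter.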
Hi Clint,
Thanks for sharing your insightful thoughts and suggestions - very helpful, and appreciated indeed.
On a related note, we needed a quick and efficient way to enumerate nested security groups for security audits (i.e. find out which groups were nested in other groups.) So we asked our on-site MS consultant and he recommended using the Gold Finger from Paramount Defenses Inc.
Gold Finger pleasantly surprised us because not only was it endorsed by Microsoft but also 100% FREE and loaded with almost 250 useful Active Directory security, Exchange and ACL management reports. BTW, you can download it for free from http://goldfinger.paramountdefenses.com
Thought I'd share this with you in case it could help you too, especially if you're into AD security reporting - there's no need to write LDAP filters anymore :-)
Thanks again, and looking forward to your next post.
Best wishes,
Jonathan
Jonathan, thanks muchly for that post... That is exactly what I was aiming to do, find out any groups nested inside other groups. In the end I did write a script to do this, but I binned it as I found out the ADMT tool is capable of producing such data as well. I will definitely have a look at Gold Finger however, thank you very much for the information.