
Listing users from "Domain Users" group using AD query



Author
5 Oct 2007 6:03 PM
Huw
Hi,

I want to know how to script listing of users in the "Domain Users" group
from AD.

I've tried binding to the object and asking for the "members" entry
returning a IADsMembers collection.

This function returns, but there's nothing in the collection. I guess it's
because it's a special "all" group...but there must be a way to list them...

I tried the WinNT provider, but I need to get the objectGUID of each user
and the guid returned from the WinNT provider is different to the objectGUID
returned using the AD provider.

Any ideas how to list all Domain Users using LDAP against AD so I can get
their object guids?

Thanks,
Huw

Author
5 Oct 2007 8:27 PM
Wayne Tilton

The problem is that a user's 'Primary Group' is not stored in the group's
'member' attribute, but in the 'primaryGroupID' attribute on the user
object. primaryGroupID stores the RID of the group, so you need to
determine the RID of Domain Users (513, it is a well-known SID) and then
query for users who have that value:

(&(objectCategory=Person)(objectClass=User)(primaryGroupID=513))

HTH,

Wayne Tilton
Author
6 Oct 2007 12:34 AM
Richard Mueller [MVP]

A query with the above filter will return all users that have "Domain Users"
designated as their "primary" group. This may give you all direct members of
the group, unless someone is a member but has some other group designated as
"primary". It also does not reveal anyone who is a member by group nesting.

The problem is made difficult because, as noted, "primary" group membership
is not revealed by either the memberOf attribute of users or the member
attribute of groups. I have an example VBScript program that documents the
membership of a designated AD group. It reveals membership due to nesting,
and also shows members that have the group, or any nested group, designated
as their "primary". The program is linked here:

http://www.rlmueller.net/List%20Members%20of%20a%20Group.htm

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
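As an added example (not code from this thread, nor Richard's linked VBScript), here is a small Python model of the two points above: Wayne's primaryGroupID filter built from the group's own RID rather than a hard-coded 513, and Richard's observation that a complete listing must also walk nested groups and pick up users whose primaryGroupID matches the group or any nested group; it also renders objectGUID bytes as the string Huw was after. The directory data, DNs, SIDs and GUIDs are constructed inline and every function name is this example's own.

```python
import struct
import uuid

def rid_from_sid(sid: bytes) -> int:
    """RID = last sub-authority of a binary objectSid: revision(1) | count(1) | authority(6) | N x uint32 LE."""
    return struct.unpack_from("<I", sid, 8 + 4 * (sid[1] - 1))[0]

def objectguid_to_str(guid: bytes) -> str:
    """Render a 16-byte objectGUID in the mixed-endian form ADSI and LDAP tools display."""
    return str(uuid.UUID(bytes_le=guid))

def primary_group_filter(rid: int) -> str:
    """Wayne's LDAP filter, parameterised on the RID instead of hard-coding 513."""
    return f"(&(objectCategory=Person)(objectClass=User)(primaryGroupID={rid}))"

def primary_group_members(rid: int, users: dict) -> set:
    """What that filter returns: users whose primaryGroupID equals the RID (no nesting, no other primaries)."""
    return {dn for dn, u in users.items() if u["primaryGroupID"] == rid}

def effective_members(group_dn: str, groups: dict, users: dict) -> set:
    """Direct members, members via nested groups, plus users whose primary group is the group or any nested group."""
    visited, members, stack = set(), set(), [group_dn]
    while stack:
        g = stack.pop()
        if g in visited:          # guard against circular nesting
            continue
        visited.add(g)
        for dn in groups[g]["member"]:
            (stack.append if dn in groups else members.add)(dn)   # descend into groups, collect users
    rids = {rid_from_sid(groups[g]["objectSid"]) for g in visited}
    return members | {dn for dn, u in users.items() if u["primaryGroupID"] in rids}

def make_sid(rid: int) -> bytes:
    """Constructed binary SID S-1-5-21-1-2-3-<rid> for the sample data below."""
    return b"\x01\x05\x00\x00\x00\x00\x00\x05" + struct.pack("<5I", 21, 1, 2, 3, rid)

# Constructed sample directory (not a real domain). Primary-group members are absent from 'member'.
BASE = "CN=Users,DC=example,DC=test"
DOMAIN_USERS = f"CN=Domain Users,{BASE}"
GROUPS = {
    DOMAIN_USERS: {"objectSid": make_sid(513), "member": [f"CN=Staff,{BASE}"]},
    f"CN=Staff,{BASE}": {"objectSid": make_sid(1101), "member": [f"CN=bob,{BASE}"]},
}
USERS = {
    f"CN=alice,{BASE}": {"primaryGroupID": 513, "objectGUID": bytes(range(1, 17))},
    f"CN=bob,{BASE}": {"primaryGroupID": 513, "objectGUID": bytes(range(17, 33))},
    f"CN=carol,{BASE}": {"primaryGroupID": 1101, "objectGUID": bytes(range(33, 49))},  # primary = nested Staff
    f"CN=dave,{BASE}": {"primaryGroupID": 515, "objectGUID": bytes(range(49, 65))},   # primary moved elsewhere
}
```

Against this data the primaryGroupID=513 filter alone returns alice and bob, while effective_members also finds carol, whose primary group is the nested Staff group.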
Author
6 Oct 2007 6:35 PM
Al Dunbar

Just as an aside to this question that pops up once in a while, it almost
seems as if the main purpose of the "primary group" is to cause confusion
for scripters and administrators. Other than the fact that's about this thing
noted by Richard and Wayne, the only other distinction I could find out
about regarding the concept of the "primary group" was that it is the only
way to have more than 5000 members in a group, because membership belongs to
the member accounts rather than the group's members attribute.

Is there some other use that can be made of the "primary group" beyond just
letting it default to "domain users" and then forgetting about it
altogether? What reason would there be for changing the primary group of a
user to anything else?

/Al
Author
7 Oct 2007 4:28 PM
Richard Mueller [MVP]

The only reason I have ever seen for changing primary group membership is to
support Macintosh clients or POSIX-compliant applications. I'm not familiar
with either.

I believe the best practice is to never change primary group membership from
the default. Then you can always assume everyone is a member of "Domain
Users". The same goes for computer accounts, whose default primary group is
"Domain Computers".

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
Author
8 Oct 2007 10:45 AM
Huw
Thanks for all your feedback...

I think I'll try and go with the LDAP query

Huw

