PHWinfo - Afficher un message - Re: Listing users from "Domain Users" group using AD query

06/10/2007, 01h34

"Wayne Tilton" <Wayne_Tilton@NoSpam.Yahoo.com> wrote in message
news:Xns99C088F7FDE6CNWDCLMIT@207.46.248.16...
> =?Utf-8?B?SHV3?= <Huw@discussions.microsoft.com> wrote in
> news:A7C0D967-68C6-4EEA-9AD0-D1FACF2C784C@microsoft.com:
>
>> Hi,
>>
>> I want to know how to script listing of users in the "Domain Users"
>> group from AD.
>>
>> I've tried binding to the object and asking for the "members" entry
>> returning a IADsMembers collection.
>>
>> This function returns, but there's nothing in the collection. I guess
>> it's because it's a special "all" group...but there must be a way to
>> list them...
>>
>> I tried the WinNT provider, but I need to get the objectGUID of each
>> user and the guid returned from the WinNT provider is different to the
>> objectGUID returned using the AD provider.
>>
>> Any ideas how to list all Domain Users using LDAP against AD so I can
>> get their object guids?
>>
>> Thanks,
>> Huw
>>
>>
>
> The problem is that a users 'Primary Group' is not stored in the group's
> 'member' attribute, but in the 'primaryGroupID' attribute on the user
> object. primaryGroupID stores the RID of the group, so you need to
> determine the RID of Domain Users (513, it is a well known SID) and then
> query for users who have that value:
>
> (&(objectCategory=Person)(objectClass=User)(primar yGroupID=513))
>
> HTH,
>
> Wayne Tilton

A query with the above filter will return all users that have "Domain Users"
designated as their "primary" group. This may give you all direct members of
the group, unless someone is a member but has some other group designated as
"primary". It also does not reveal anyone who is a member by group nesting.

The problem is made difficult because, as noted, "primary" group membership
is not revealed by either the memberOf attribute of users or the member
attribute of groups. I have an example VBScript program that documents the
membership of a designated AD group. It reveals membership due to nested,
and also shows members that have the group, or any nested group, designated
as their "primary". The program is linked here:

http://www.rlmueller.net/List%20Memb...0a%20Group.htm

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

06/10/2007, 01h34	#2
Richard Mueller [MVP] Messages: n/a Hébergeur:	Re: Listing users from "Domain Users" group using AD query "Wayne Tilton" <Wayne_Tilton@NoSpam.Yahoo.com> wrote in message news:Xns99C088F7FDE6CNWDCLMIT@207.46.248.16... > =?Utf-8?B?SHV3?= <Huw@discussions.microsoft.com> wrote in > news:A7C0D967-68C6-4EEA-9AD0-D1FACF2C784C@microsoft.com: > >> Hi, >> >> I want to know how to script listing of users in the "Domain Users" >> group from AD. >> >> I've tried binding to the object and asking for the "members" entry >> returning a IADsMembers collection. >> >> This function returns, but there's nothing in the collection. I guess >> it's because it's a special "all" group...but there must be a way to >> list them... >> >> I tried the WinNT provider, but I need to get the objectGUID of each >> user and the guid returned from the WinNT provider is different to the >> objectGUID returned using the AD provider. >> >> Any ideas how to list all Domain Users using LDAP against AD so I can >> get their object guids? >> >> Thanks, >> Huw >> >> > > The problem is that a users 'Primary Group' is not stored in the group's > 'member' attribute, but in the 'primaryGroupID' attribute on the user > object. primaryGroupID stores the RID of the group, so you need to > determine the RID of Domain Users (513, it is a well known SID) and then > query for users who have that value: > > (&(objectCategory=Person)(objectClass=User)(primar yGroupID=513)) > > HTH, > > Wayne Tilton A query with the above filter will return all users that have "Domain Users" designated as their "primary" group. This may give you all direct members of the group, unless someone is a member but has some other group designated as "primary". It also does not reveal anyone who is a member by group nesting. The problem is made difficult because, as noted, "primary" group membership is not revealed by either the memberOf attribute of users or the member attribute of groups. I have an example VBScript program that documents the membership of a designated AD group. It reveals membership due to nested, and also shows members that have the group, or any nested group, designated as their "primary". The program is linked here: http://www.rlmueller.net/List%20Memb...0a%20Group.htm -- Richard Mueller Microsoft MVP Scripting and ADSI Hilltop Lab - http://www.rlmueller.net --