"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
message news:uRSwhC7BIHA.1164@TK2MSFTNGP02.phx.gbl...
>
> "Wayne Tilton" <Wayne_Tilton@NoSpam.Yahoo.com> wrote in message
> news:Xns99C088F7FDE6CNWDCLMIT@207.46.248.16...
>> Huw <Huw@discussions.microsoft.com> wrote in
>> news:A7C0D967-68C6-4EEA-9AD0-D1FACF2C784C@microsoft.com:
>>
>>> Hi,
>>>
>>> I want to know how to script listing of users in the "Domain Users"
>>> group from AD.
>>>
>>> I've tried binding to the object and asking for the "members" entry
>>> returning a IADsMembers collection.
>>>
>>> This function returns, but there's nothing in the collection. I guess
>>> it's because it's a special "all" group...but there must be a way to
>>> list them...
>>>
>>> I tried the WinNT provider, but I need to get the objectGUID of each
>>> user and the guid returned from the WinNT provider is different to the
>>> objectGUID returned using the AD provider.
>>>
>>> Any ideas how to list all Domain Users using LDAP against AD so I can
>>> get their object guids?
>>>
>>> Thanks,
>>> Huw
>>>
>>>
>>
>> The problem is that a user's 'Primary Group' is not stored in the group's
>> 'member' attribute, but in the 'primaryGroupID' attribute on the user
>> object. primaryGroupID stores the RID of the group, so you need to
>> determine the RID of Domain Users (513, it is a well known SID) and then
>> query for users who have that value:
>>
>> (&(objectCategory=Person)(objectClass=User)(primaryGroupID=513))
>>
>> HTH,
>>
>> Wayne Tilton
>
> A query with the above filter will return all users that have "Domain
> Users" designated as their "primary" group. This may give you all direct
> members of the group, unless someone is a member but has some other group
> designated as "primary". It also does not reveal anyone who is a member by
> group nesting.
>
> The problem is made difficult because, as noted, "primary" group
> membership is not revealed by either the memberOf attribute of users or
> the member attribute of groups. I have an example VBScript program that
> documents the membership of a designated AD group. It reveals membership
> due to nesting, and also shows members that have the group, or any nested
> group, designated as their "primary". The program is linked here:
>
> http://www.rlmueller.net/List%20Memb...0a%20Group.htm
>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab - http://www.rlmueller.net
Just as an aside to this question that pops up once in a while, it almost
seems as if the main purpose of the "primary group" is to cause confusion
for scripters and administrators. Other than the facts about this thing
noted by Richard and Wayne, the only other distinction I could find out
about regarding the concept of the "primary group" was that it is the only
way to have more than 5000 members in a group, because membership belongs to
the member accounts rather than the group's member attribute.
Is there some other use that can be made of the "primary group" beyond just
letting it default to "Domain Users" and then forgetting about it
altogether? What reason would there be for changing the primary group of a
user to anything else?
/Al
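The membership rules Wayne and Richard describe (the group's 'member' attribute, nested groups, and users whose primaryGroupID holds the group's RID) can be shown end to end without a live domain. The following Python is an added example written for this thread, not Richard's script or any Microsoft code: it runs over a constructed in-memory snapshot of a few AD objects (the DNs, SIDs and RID 1105/1106 values are made up; 513 is the well-known Domain Users RID from Wayne's post), builds the same LDAP filter Wayne gave, and resolves the effective membership of a group the way an auditor would want it: direct members, nested members, and "primary" members of the group or any nested group. The `DIRECTORY` dict stands in for the results an ADSI or LDAP search would return.

```python
# Added example (not from the thread): resolve a group's effective membership
# over a constructed in-memory snapshot of AD objects, combining the group's
# 'member' attribute, nested groups, and users whose primaryGroupID equals
# the RID of the group (the case Wayne's filter covers).

# --- Constructed sample data (not real directory content) -----------------
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=example,DC=com"
HELPDESK = "CN=Helpdesk,OU=Groups,DC=example,DC=com"
ALICE = "CN=Alice,OU=Staff,DC=example,DC=com"
BOB = "CN=Bob,OU=Staff,DC=example,DC=com"
CAROL = "CN=Carol,OU=Staff,DC=example,DC=com"
DAVE = "CN=Dave,OU=Staff,DC=example,DC=com"

DIRECTORY = {
    DOMAIN_USERS: {
        "objectClass": ["group"],
        "objectSid": "S-1-5-21-1111-2222-3333-513",  # RID 513: well-known Domain Users
        "member": [HELPDESK],                         # no user listed directly (Huw's empty collection)
    },
    HELPDESK: {
        "objectClass": ["group"],
        "objectSid": "S-1-5-21-1111-2222-3333-1105",  # made-up RID for a nested group
        "member": [CAROL],
    },
    # objectClass values are compared case-insensitively by LDAP; lowercase here.
    ALICE: {"objectCategory": "Person", "objectClass": ["user"], "primaryGroupID": 513},
    BOB:   {"objectCategory": "Person", "objectClass": ["user"], "primaryGroupID": 1105},
    CAROL: {"objectCategory": "Person", "objectClass": ["user"], "primaryGroupID": 513},
    DAVE:  {"objectCategory": "Person", "objectClass": ["user"], "primaryGroupID": 1106},
}


def rid_from_sid(sid):
    """The RID is the last sub-authority of the SID; primaryGroupID stores exactly this number."""
    return int(sid.rsplit("-", 1)[1])


def primary_group_filter(rid):
    """Wayne's LDAP filter, parameterised by the group's RID instead of hard-coding 513."""
    return f"(&(objectCategory=Person)(objectClass=User)(primaryGroupID={rid}))"


def is_user(attrs):
    """Same test the filter's objectCategory/objectClass clauses perform."""
    return attrs.get("objectCategory") == "Person" and "user" in attrs.get("objectClass", [])


def users_with_primary_group(directory, rid):
    """Evaluate the filter's criteria against the snapshot: users whose primaryGroupID is rid."""
    return {dn for dn, attrs in directory.items()
            if is_user(attrs) and attrs.get("primaryGroupID") == rid}


def effective_members(directory, group_dn, seen=None):
    """Users that belong to group_dn through 'member', through nesting, or through
    primaryGroupID of this group or any nested group. 'seen' stops circular nesting."""
    if seen is None:
        seen = set()
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    group = directory[group_dn]
    # Start with the members the 'member' attribute never shows: primary-group users.
    members = users_with_primary_group(directory, rid_from_sid(group["objectSid"]))
    for dn in group.get("member", []):
        attrs = directory.get(dn, {})
        if "group" in attrs.get("objectClass", []):
            members |= effective_members(directory, dn, seen)  # recurse into nested group
        elif is_user(attrs):
            members.add(dn)
    return members


if __name__ == "__main__":
    rid = rid_from_sid(DIRECTORY[DOMAIN_USERS]["objectSid"])
    print("filter:", primary_group_filter(rid))
    print("'member' attribute alone:", DIRECTORY[DOMAIN_USERS]["member"])
    for dn in sorted(effective_members(DIRECTORY, DOMAIN_USERS)):
        print("effective member:", dn)
```

Running it shows why the 'member' attribute looked empty to Huw: Domain Users lists only the nested Helpdesk group, while Alice and Carol are found solely through primaryGroupID=513 and Bob only because Helpdesk (RID 1105) is his primary group and Helpdesk is nested. Dave, whose primary group is some other RID and who is in no 'member' list, is correctly excluded.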