#1

Huw <Huw@discussions.microsoft.com> wrote in news:A7C0D967-68C6-4EEA-9AD0-D1FACF2C784C@microsoft.com:

> Hi,
>
> I want to know how to script listing of users in the "Domain Users" group from AD.
>
> I've tried binding to the object and asking for the "members" entry returning an IADsMembers collection.
>
> This function returns, but there's nothing in the collection. I guess it's because it's a special "all" group... but there must be a way to list them...
>
> I tried the WinNT provider, but I need to get the objectGUID of each user and the GUID returned from the WinNT provider is different to the objectGUID returned using the AD provider.
>
> Any ideas how to list all Domain Users using LDAP against AD so I can get their object GUIDs?
>
> Thanks,
> Huw

The problem is that a user's 'Primary Group' is not stored in the group's 'member' attribute, but in the 'primaryGroupID' attribute on the user object. primaryGroupID stores the RID of the group, so you need to determine the RID of Domain Users (513, it is a well known SID) and then query for users who have that value:

(&(objectCategory=Person)(objectClass=User)(primaryGroupID=513))

HTH,

Wayne Tilton
#2

"Wayne Tilton" <Wayne_Tilton@NoSpam.Yahoo.com> wrote in message news:Xns99C088F7FDE6CNWDCLMIT@207.46.248.16...

> Huw <Huw@discussions.microsoft.com> wrote in news:A7C0D967-68C6-4EEA-9AD0-D1FACF2C784C@microsoft.com:
>
>> Hi,
>>
>> I want to know how to script listing of users in the "Domain Users" group from AD.
>>
>> I've tried binding to the object and asking for the "members" entry returning an IADsMembers collection.
>>
>> This function returns, but there's nothing in the collection. I guess it's because it's a special "all" group... but there must be a way to list them...
>>
>> I tried the WinNT provider, but I need to get the objectGUID of each user and the GUID returned from the WinNT provider is different to the objectGUID returned using the AD provider.
>>
>> Any ideas how to list all Domain Users using LDAP against AD so I can get their object GUIDs?
>>
>> Thanks,
>> Huw
>
> The problem is that a user's 'Primary Group' is not stored in the group's 'member' attribute, but in the 'primaryGroupID' attribute on the user object. primaryGroupID stores the RID of the group, so you need to determine the RID of Domain Users (513, it is a well known SID) and then query for users who have that value:
>
> (&(objectCategory=Person)(objectClass=User)(primaryGroupID=513))
>
> HTH,
>
> Wayne Tilton

A query with the above filter will return all users that have "Domain Users" designated as their "primary" group. This may give you all direct members of the group, unless someone is a member but has some other group designated as "primary". It also does not reveal anyone who is a member by group nesting.

The problem is made difficult because, as noted, "primary" group membership is not revealed by either the memberOf attribute of users or the member attribute of groups. I have an example VBScript program that documents the membership of a designated AD group. It reveals membership due to nesting, and also shows members that have the group, or any nested group, designated as their "primary". The program is linked here:

http://www.rlmueller.net/List%20Memb...0a%20Group.htm

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
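Added example (not from the thread, and not Richard's VBScript): a small Python model of the membership resolution the two replies describe, walking the explicit `member` attribute, the `primaryGroupID` match on the user objects, and nested groups. It runs against a constructed in-memory directory rather than a live LDAP server; the DNs, RID 1105 and the domain sub-authorities are made up, while the binary SID layout and the Domain Users RID 513 are real.

```python
import struct

def make_sid(domain_subs, rid):
    """Build a binary objectSid (constructed test data): revision 1, identifier
    authority 5, sub-authorities 21-<domain>-<RID>, per the Windows SID layout."""
    subs = (21, *domain_subs, rid)
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def rid_of(sid):
    """The RID is the last 32-bit little-endian sub-authority of a binary SID."""
    count = sid[1]
    return struct.unpack_from("<I", sid, 8 + 4 * (count - 1))[0]

def primary_group_filter(rid):
    """Wayne's LDAP filter, parameterised by the group's RID (513 = Domain Users)."""
    return f"(&(objectCategory=Person)(objectClass=User)(primaryGroupID={rid}))"

def effective_members(directory, group_dn, seen=None):
    """Explicit 'member' values plus users whose primaryGroupID equals this
    group's RID, recursing through nested groups (cycle-safe via 'seen')."""
    seen = set() if seen is None else seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    rid = rid_of(directory[group_dn]["objectSid"])
    candidates = set(directory[group_dn].get("member", []))
    # Primary-group membership lives on the user object, not in 'member'.
    candidates |= {dn for dn, e in directory.items()
                   if e["objectClass"] == "user" and e.get("primaryGroupID") == rid}
    users = set()
    for dn in candidates:
        if directory[dn]["objectClass"] == "group":
            users |= effective_members(directory, dn, seen)
        else:
            users.add(dn)
    return users

# Constructed sample directory (not real data). Bob is in Domain Users only via
# the nested Helpdesk group and has Helpdesk as his primary group, so the
# primaryGroupID=513 filter alone would miss him.
DOM = (1111, 2222, 3333)
DIRECTORY = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": {"objectClass": "group", "objectSid": make_sid(DOM, 513), "member": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"]},
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": {"objectClass": "group", "objectSid": make_sid(DOM, 1105), "member": ["CN=Bob,OU=Staff,DC=example,DC=com"]},
    "CN=Alice,OU=Staff,DC=example,DC=com": {"objectClass": "user", "primaryGroupID": 513},
    "CN=Bob,OU=Staff,DC=example,DC=com": {"objectClass": "user", "primaryGroupID": 1105},
    "CN=Carol,OU=Staff,DC=example,DC=com": {"objectClass": "user", "primaryGroupID": 513},
}
```

Against a real domain the same steps apply: read the group's objectSid, take its RID, issue `primary_group_filter(rid)` alongside the `member` lookup, and repeat for each nested group.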
#3

"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in message news:uRSwhC7BIHA.1164@TK2MSFTNGP02.phx.gbl...

> "Wayne Tilton" <Wayne_Tilton@NoSpam.Yahoo.com> wrote in message news:Xns99C088F7FDE6CNWDCLMIT@207.46.248.16...
>
>> Huw <Huw@discussions.microsoft.com> wrote in news:A7C0D967-68C6-4EEA-9AD0-D1FACF2C784C@microsoft.com:
>>
>>> Hi,
>>>
>>> I want to know how to script listing of users in the "Domain Users" group from AD.
>>>
>>> I've tried binding to the object and asking for the "members" entry returning an IADsMembers collection.
>>>
>>> This function returns, but there's nothing in the collection. I guess it's because it's a special "all" group... but there must be a way to list them...
>>>
>>> I tried the WinNT provider, but I need to get the objectGUID of each user and the GUID returned from the WinNT provider is different to the objectGUID returned using the AD provider.
>>>
>>> Any ideas how to list all Domain Users using LDAP against AD so I can get their object GUIDs?
>>>
>>> Thanks,
>>> Huw
>>
>> The problem is that a user's 'Primary Group' is not stored in the group's 'member' attribute, but in the 'primaryGroupID' attribute on the user object. primaryGroupID stores the RID of the group, so you need to determine the RID of Domain Users (513, it is a well known SID) and then query for users who have that value:
>>
>> (&(objectCategory=Person)(objectClass=User)(primaryGroupID=513))
>>
>> HTH,
>>
>> Wayne Tilton
>
> A query with the above filter will return all users that have "Domain Users" designated as their "primary" group. This may give you all direct members of the group, unless someone is a member but has some other group designated as "primary". It also does not reveal anyone who is a member by group nesting.
>
> The problem is made difficult because, as noted, "primary" group membership is not revealed by either the memberOf attribute of users or the member attribute of groups. I have an example VBScript program that documents the membership of a designated AD group. It reveals membership due to nesting, and also shows members that have the group, or any nested group, designated as their "primary". The program is linked here:
>
> http://www.rlmueller.net/List%20Memb...0a%20Group.htm
>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab - http://www.rlmueller.net

Just as an aside to this question that pops up once in a while, it almost seems as if the main purpose of the "primary group" is to cause confusion for scripters and administrators. Other than the facts about this thing noted by Richard and Wayne, the only other distinction I could find out about regarding the concept of the "primary group" was that it is the only way to have more than 5000 members in a group, because membership belongs to the member accounts rather than the group's members attribute.

Is there some other use that can be made of the "primary group" beyond just letting it default to "domain users" and then forgetting about it altogether? What reason would there be for changing the primary group of a user to anything else?

/Al
#4

> Just as an aside to this question that pops up once in a while, it almost seems as if the main purpose of the "primary group" is to cause confusion for scripters and administrators. Other than the facts about this thing noted by Richard and Wayne, the only other distinction I could find out about regarding the concept of the "primary group" was that it is the only way to have more than 5000 members in a group, because membership belongs to the member accounts rather than the group's members attribute.
>
> Is there some other use that can be made of the "primary group" beyond just letting it default to "domain users" and then forgetting about it altogether? What reason would there be for changing the primary group of a user to anything else?
>
> /Al

The only reason I have ever seen for changing primary group membership is to support Macintosh clients or POSIX-compliant applications. I'm not familiar with either.

I believe the best practice is to never change primary group membership from the default. Then you can always assume everyone is a member of "Domain Users". The same goes for computer accounts, whose default primary group is "Domain Computers".

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
#5

Thanks for all your feedback...

I think I'll try and go with the LDAP query.

Huw

"Richard Mueller [MVP]" wrote:

> > Just as an aside to this question that pops up once in a while, it almost seems as if the main purpose of the "primary group" is to cause confusion for scripters and administrators. Other than the facts about this thing noted by Richard and Wayne, the only other distinction I could find out about regarding the concept of the "primary group" was that it is the only way to have more than 5000 members in a group, because membership belongs to the member accounts rather than the group's members attribute.
> >
> > Is there some other use that can be made of the "primary group" beyond just letting it default to "domain users" and then forgetting about it altogether? What reason would there be for changing the primary group of a user to anything else?
> >
> > /Al
>
> The only reason I have ever seen for changing primary group membership is to support Macintosh clients or POSIX-compliant applications. I'm not familiar with either.
>
> I believe the best practice is to never change primary group membership from the default. Then you can always assume everyone is a member of "Domain Users". The same goes for computer accounts, whose default primary group is "Domain Computers".
>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab - http://www.rlmueller.net
> --