LDAP tips #2: Searching for Groups

By Tony Murray on Wednesday, November 28, 2007 5:10 PM

This article is the second in a series providing tips for common LDAP searches.

How to search for groups of different type and scope


Searching AD for groups using LDAP can be tricky because it usually involves the groupType attribute, which is a bit flag and therefore needs a bitwise (extensible matching rule) filter rather than a plain equality match. Another attribute that can be useful is the sAMAccountType attribute, but you need to be careful, as Universal and Global groups share the same values. You should also make sure you query the Global Catalog when searching for Universal groups. This blog post provides advice on searching for groups and gives specific examples using AdFind (http://www.joeware.net/win/free/tools/adfind.htm).

The table below shows the information of interest when searching for the different types of group. Note that the sAMAccountType value does not identify the group scope on its own: Universal and Global groups share 268435457 (Distribution) and 268435456 (Security), so those rows must be distinguished by the groupType bit.

Group Scope    Group Type     groupType attribute   sAMAccountType attribute
Universal      Distribution   8                     268435457
Universal      Security       -2147483640           268435456
Global         Distribution   2                     268435457
Global         Security       -2147483646           268435456
Domain Local   Distribution   4                     536870913
Domain Local   Security       -2147483644           536870912

The following sections provide advice on how to search for groups together with examples.


Find all groups

LDAP Filter: 

(objectcategory=group)

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -f "(objectcategory=group)"


Find all Universal Distribution groups

LDAP Filter: 

(&(objectcategory=group)(sAMAccountType=268435457)(grouptype:1.2.840.113556.1.4.804:=8))

e.g.

adfind -gc -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(sAMAccountType=268435457)(grouptype:OR:=8))" 1.1


Find all Universal Security groups

LDAP Filter:

(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.803:=-2147483640))

e.g.

adfind -gc -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(grouptype:AND:=-2147483640))" 1.1


Find all Universal groups: Distribution and Security

LDAP Filter:

(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=8))

e.g.

adfind -gc -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(grouptype:OR:=8))" 1.1


Find all Global Distribution groups

LDAP Filter: 

(&(objectcategory=group)(sAMAccountType=268435457)(grouptype:1.2.840.113556.1.4.804:=2))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(sAMAccountType=268435457)(grouptype:OR:=2))" 1.1


Find all Global Security groups

LDAP Filter:

(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.803:=-2147483646))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(grouptype:AND:=-2147483646))" 1.1


Find all Global groups: Distribution and Security

LDAP Filter:

(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=2))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(grouptype:OR:=2))" 1.1


Find all Domain Local Distribution groups

LDAP Filter: 

(&(objectcategory=group)(samaccounttype=536870913))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -f "(&(objectcategory=group)(sAMAccountType=536870913))" 1.1


Find all Domain Local Security groups

LDAP Filter:

(&(objectcategory=group)(samaccounttype=536870912))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -f "(&(objectcategory=group)(sAMAccountType=536870912))" 1.1


Find all Domain Local groups: Distribution and Security

LDAP Filter:

(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=4))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(grouptype:OR:=4))" 1.1
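As an added example that is not part of the original article or of AdFind: a small Python model of the two bitwise matching rules used in the filters above (1.2.840.113556.1.4.803 = bit AND, 1.2.840.113556.1.4.804 = bit OR), applied to constructed group entries, one per row of the table. It also shows why sAMAccountType alone cannot separate Universal from Global groups. The entry names and the find() helper are constructed for this example.

```python
# groupType flag bits (values taken from the article's table). 0x80000000 is the
# security-enabled flag, which is why security groups show negative signed values.
GLOBAL = 0x2
DOMAIN_LOCAL = 0x4
UNIVERSAL = 0x8
SECURITY_ENABLED = 0x80000000

def to_u32(value):
    """AD stores groupType as a signed 32-bit integer; compare bits as unsigned."""
    return value & 0xFFFFFFFF

def bit_and(attr_value, mask):
    """Matching rule 1.2.840.113556.1.4.803: true when every bit of mask is set."""
    return (to_u32(attr_value) & to_u32(mask)) == to_u32(mask)

def bit_or(attr_value, mask):
    """Matching rule 1.2.840.113556.1.4.804: true when any bit of mask is set."""
    return (to_u32(attr_value) & to_u32(mask)) != 0

def classify(group_type):
    """Map a groupType value to (scope, type) exactly as the article's table does."""
    scopes = {GLOBAL: "Global", DOMAIN_LOCAL: "Domain Local", UNIVERSAL: "Universal"}
    kind = "Security" if bit_and(group_type, SECURITY_ENABLED) else "Distribution"
    for bit, name in scopes.items():
        if bit_or(group_type, bit):
            return name, kind
    raise ValueError("no scope bit set in groupType %d" % group_type)

# Constructed sample entries (hypothetical cn values), one per table row.
GROUPS = [
    {"cn": "UD", "groupType": 8,           "sAMAccountType": 268435457},
    {"cn": "US", "groupType": -2147483640, "sAMAccountType": 268435456},
    {"cn": "GD", "groupType": 2,           "sAMAccountType": 268435457},
    {"cn": "GS", "groupType": -2147483646, "sAMAccountType": 268435456},
    {"cn": "DD", "groupType": 4,           "sAMAccountType": 536870913},
    {"cn": "DS", "groupType": -2147483644, "sAMAccountType": 536870912},
]

def find(sam_type=None, and_mask=None, or_mask=None, groups=GROUPS):
    """Evaluate the same conjunction the article's filters use; returns matching cn values."""
    matches = []
    for g in groups:
        if sam_type is not None and g["sAMAccountType"] != sam_type:
            continue
        if and_mask is not None and not bit_and(g["groupType"], and_mask):
            continue
        if or_mask is not None and not bit_or(g["groupType"], or_mask):
            continue
        matches.append(g["cn"])
    return matches
```

find(sam_type=268435456) returns both the Universal and the Global security group, the ambiguity the table warns about; adding or_mask=8 (or and_mask=-2147483640) narrows it to the Universal one, which is what the filters in the "Universal" sections above do.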


Comments

By John McIntyre @ Saturday, September 12, 2009 12:49 AM

Hi,

Thanks for sharing your insightful thoughts and suggestions - very cool and helpful indeed.

In the spirit of sharing helpful information, thought I'd mention that one of my Microsoft colleagues informed us about a cool FREE tool from a Microsoft partner, that offers over 50 super-helpful Active Directory security reports, such as which accounts are locked out, which accounts are set to expire in the next few days, which security groups are nested, where all a user may have permissions etc.

You can also easily obtain a list of all builtin, domain local, global and universal security groups, get a list of all groups created in the last few days, etc. etc.

The tool is called Gold Finger, and it is developed by a company called Paramount Defenses. You can download it from http://www.paramountdefenses.com/goldfinger.php

The tool is a 100% AUTOMATED, GUI based, FREE solution that is not only SUPPORTED but also ENDORSED by Microsoft.

If you're into Active Directory security, then this tool is a must-have. Thought I'd share this helpful tip with you!

Sincerely,
JohnM


By Bruce @ Friday, June 04, 2010 6:54 AM

How to search a group by group name?


Copyright 2009 ActiveDir.org