tonymurray

How to search for groups of different type and scope

Searching AD for groups using LDAP can be tricky, as it usually involves the groupType attribute, which is a bit mask and therefore needs a bitwise (extensible match) filter.  Another attribute that can be useful is the sAMAccountType attribute, but you need to be careful with it, as Universal and Global groups share the same values.  You should also make sure you query the Global Catalog when searching for Universal groups.  This blog post provides advice on searching for groups and gives specific examples using AdFind (http://www.joeware.net/win/free/tools/adfind.htm).

 

The table below shows the information of interest when searching for different types of group.  Note that the sAMAccountType attribute is not unique to the group scope: Universal and Global Distribution groups both have 268435457, and Universal and Global Security groups both have 268435456.  Only the Domain Local values (536870913 and 536870912) identify a scope on their own.

 

Group Scope    Group Type    groupType value    sAMAccountType attribute
Universal      Distribution  8                  268435457
Universal      Security      -2147483640        268435456
Global         Distribution  2                  268435457
Global         Security      -2147483646        268435456
Domain Local   Distribution  4                  536870913
Domain Local   Security      -2147483644        536870912
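To see where the values in the table come from, here is an added Python example (not code from the original post or from AdFind) that decodes a groupType value into its scope and type and derives the sAMAccountType that the domain controller stamps on such a group. The flag constants are the documented groupType bits and sAMAccountType values; the function names are this example's own.

```python
# Added example, not code from the original post: decode an AD groupType value
# into its scope and type, and derive the sAMAccountType a DC stamps on it.
# The flag bits are the documented groupType values; function names are ours.

GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY = 0x80000000  # set: security group; clear: distribution group

SAM_GROUP_OBJECT = 0x10000000               # 268435456: Global/Universal security
SAM_NON_SECURITY_GROUP_OBJECT = 0x10000001  # 268435457: Global/Universal distribution
SAM_ALIAS_OBJECT = 0x20000000               # 536870912: Domain Local security
SAM_NON_SECURITY_ALIAS_OBJECT = 0x20000001  # 536870913: Domain Local distribution


def to_unsigned32(value):
    """AD exposes groupType as a signed 32-bit integer; -2147483640 is really 0x80000008."""
    return value & 0xFFFFFFFF


def decode_group_type(group_type):
    """Return (scope, type) for a groupType value as read from the directory."""
    bits = to_unsigned32(group_type)
    if bits & GROUP_TYPE_UNIVERSAL:
        scope = "Universal"
    elif bits & GROUP_TYPE_GLOBAL:
        scope = "Global"
    elif bits & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "Domain Local"
    else:
        raise ValueError(f"no scope bit set in groupType {group_type}")
    kind = "Security" if bits & GROUP_TYPE_SECURITY else "Distribution"
    return scope, kind


def expected_sam_account_type(group_type):
    """sAMAccountType follows from scope and type, which is why Global and Universal collide."""
    scope, kind = decode_group_type(group_type)
    if scope == "Domain Local":
        return SAM_ALIAS_OBJECT if kind == "Security" else SAM_NON_SECURITY_ALIAS_OBJECT
    return SAM_GROUP_OBJECT if kind == "Security" else SAM_NON_SECURITY_GROUP_OBJECT


def describe(group_type):
    """Human-readable summary, e.g. for a raw value pasted from an LDAP dump."""
    scope, kind = decode_group_type(group_type)
    return (f"groupType {group_type} (0x{to_unsigned32(group_type):08X}) = {scope} {kind}, "
            f"sAMAccountType {expected_sam_account_type(group_type)}")


if __name__ == "__main__":
    # the six values from the table above
    for value in (8, -2147483640, 2, -2147483646, 4, -2147483644):
        print(describe(value))
```

The negative groupType values in the table are simply the scope bit with the high (0x80000000) security bit set, read back as a signed integer; that is why the security filters later on use the bitwise AND rule with a negative number.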

 

 

The following sections provide advice on how to search for groups together with examples.

 

Find all groups

LDAP Filter:

(objectcategory=group)

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -f "(objectcategory=group)"


Find all Universal Distribution groups

LDAP Filter:

(&(objectcategory=group)(sAMAccountType=268435457)(grouptype:1.2.840.113556.1.4.804:=8))

e.g.

adfind -gc -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(sAMAccountType=268435457)(grouptype:OR:=8))" 1.1

Note: AdFind's -bit switch lets you write :OR: and :AND: in place of the two matching-rule OIDs (1.2.840.113556.1.4.804 and 1.2.840.113556.1.4.803), and -gc sends the query to the Global Catalog, which is where Universal groups from every domain in the forest are listed.


Find all Universal Security groups

LDAP Filter:

(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.803:=-2147483640))

e.g.

adfind -gc -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(grouptype:AND:=-2147483640))" 1.1


Find all Universal groups: Distribution and Security

LDAP Filter:

(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=8))

e.g.

adfind -gc -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(grouptype:OR:=8))" 1.1


Find all Global Distribution groups

LDAP Filter:

(&(objectcategory=group)(sAMAccountType=268435457)(grouptype:1.2.840.113556.1.4.804:=2))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(sAMAccountType=268435457)(grouptype:OR:=2))" 1.1


Find all Global Security groups

LDAP Filter:

(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.803:=-2147483646))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(grouptype:AND:=-2147483646))" 1.1


Find all Global groups: Distribution and Security

LDAP Filter:

(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=2))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(grouptype:OR:=2))" 1.1


Find all Domain Local Distribution groups

LDAP Filter:

(&(objectcategory=group)(samaccounttype=536870913))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -f "(&(objectcategory=group)(sAMAccountType=536870913))" 1.1


Find all Domain Local Security groups

LDAP Filter:

(&(objectcategory=group)(samaccounttype=536870912))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -f "(&(objectcategory=group)(sAMAccountType=536870912))" 1.1


Find all Domain Local groups: Distribution and Security

LDAP Filter:

(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=4))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(grouptype:OR:=4))" 1.1
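To tie the filter sections together, here is an added Python example (not code from the original post or from AdFind) that builds the filter for a requested scope and type the way the sections above do, and evaluates filters offline against a constructed set of group records with a minimal parser for the filter subset used here: AND lists, equality, and the two bitwise extensible-match rules (including AdFind's :AND:/:OR: shorthand). The sample records, the group names and all function names are assumptions made for this example; the matching-rule OIDs and the bit values are those used in the post.

```python
# Added example, not code from the original post: build the group filters from
# the post for a given scope/type and evaluate them against constructed records.
# Records, names and helper functions are this example's own assumptions.

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # every bit in the value must be set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"    # at least one bit in the value is set
RULE_ALIASES = {"AND": LDAP_MATCHING_RULE_BIT_AND, "OR": LDAP_MATCHING_RULE_BIT_OR}  # AdFind -bit shorthand

SCOPE_BITS = {"Universal": 0x8, "Global": 0x2, "Domain Local": 0x4}
SECURITY_BIT = 0x80000000
# sAMAccountType of a distribution group per scope (from the table in the post)
DISTRIBUTION_SAT = {"Universal": 268435457, "Global": 268435457, "Domain Local": 536870913}


def to_signed32(value):
    """groupType is a signed 32-bit integer in AD, so filters are written that way."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def build_group_filter(scope, kind=None):
    """Return (ldap_filter, needs_global_catalog) for the requested scope and type."""
    bit = SCOPE_BITS[scope]
    if kind == "Security":
        # AND rule: the scope bit and the security bit must both be present
        clause = f"(grouptype:{LDAP_MATCHING_RULE_BIT_AND}:={to_signed32(bit | SECURITY_BIT)})"
    elif kind == "Distribution":
        # distribution has no bit of its own, so pin it with sAMAccountType as the post does
        clause = f"(sAMAccountType={DISTRIBUTION_SAT[scope]})(grouptype:{LDAP_MATCHING_RULE_BIT_OR}:={bit})"
    else:
        clause = f"(grouptype:{LDAP_MATCHING_RULE_BIT_OR}:={bit})"
    # Universal groups exist forest-wide, hence the post's advice to query the GC for them
    return f"(&(objectcategory=group){clause})", scope == "Universal"


def parse_filter(text):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters in filter")
    return node


def _parse(s, i):
    """Recursive descent for the subset used here: (&...), (attr=value), (attr:rule:=value)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] == "&":
        i += 1
        children = []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("and", children), i + 1
    end = s.index(")", i)
    lhs, _, value = s[i:end].partition("=")
    rule = None
    if lhs.endswith(":"):                      # extensible match: attr:rule:=value
        lhs, rule = lhs[:-1].split(":", 1)
        rule = RULE_ALIASES.get(rule.upper(), rule)
    return ("cmp", lhs.lower(), rule, value), end + 1


def evaluate(node, record):
    if node[0] == "and":
        return all(evaluate(child, record) for child in node[1])
    _, attr, rule, value = node
    actual = record.get(attr)
    if actual is None:
        return False
    if rule is None:
        return str(actual).lower() == value.lower()
    have, want = actual & 0xFFFFFFFF, int(value) & 0xFFFFFFFF   # compare unsigned bit patterns
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return have & want == want
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return have & want != 0
    raise ValueError(f"unsupported matching rule {rule}")


def find_groups(ldap_filter, records):
    node = parse_filter(ldap_filter)
    return sorted(r["cn"] for r in records if evaluate(node, r))


def _group(cn, group_type, sat):
    # objectCategory is really a DN in AD; the short form is what the filters compare
    return {"cn": cn, "objectcategory": "group", "grouptype": group_type, "samaccounttype": sat}


# Constructed sample directory: one group of each scope/type from the table, plus a user
SAMPLE_OBJECTS = [
    _group("UnivDist", 8, 268435457), _group("UnivSec", -2147483640, 268435456),
    _group("GlobDist", 2, 268435457), _group("GlobSec", -2147483646, 268435456),
    _group("DomLocDist", 4, 536870913), _group("DomLocSec", -2147483644, 536870912),
    {"cn": "jdoe", "objectcategory": "person", "samaccounttype": 805306368},
]

if __name__ == "__main__":
    for scope in SCOPE_BITS:
        for kind in ("Distribution", "Security", None):
            flt, gc = build_group_filter(scope, kind)
            print(f"{'GC ' if gc else '   '}{flt} -> {find_groups(flt, SAMPLE_OBJECTS)}")
```

Running a sAMAccountType-only filter such as (&(objectcategory=group)(sAMAccountType=268435457)) against the sample set returns both the Global and the Universal distribution group, which is the ambiguity the table warns about; adding the groupType bit clause, or using the AND rule for security groups, narrows it to one scope. The evaluator only models the bit semantics, not the Global Catalog, so the needs_global_catalog flag is there to remind you which queries belong on port 3268.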

 

 

 Tony

www.activedir.org

 

Sign up the for AD Discussions mailing list (http://www.activedir.org/List.aspx)

Published Tuesday, August 08, 2006 1:51 AM by tonymurray