Enumerating Domain Users group

Post by Anil Pate » Tue, 10 Dec 2002 21:43:23



We have an application that basically enumerates groups
within our Active Directory domain.

For some reason, it will not enumerate any members within
Domain Users. It has a member count of 0; yet if I look at
this group from "Active Directory Users and Computers",
it lists several users (some of whom I've explicitly
added).

Am I doing something wrong?

Any help / insight would be greatly appreciated.

Thanks,
Anil Patel.


Enumerating Domain Users group

Post by Richard Muelle » Wed, 11 Dec 2002 02:47:05



Hi,

A common frustration results because the LDAP provider
does NOT reveal membership in the "Primary Group". All of
your users have "Domain Users" as the primary group. This
is the default primary group, but can be changed. A few
work-arounds:

1. Assume that every user is a member of "Domain Users".
2. Use the WinNT provider, which does reveal membership in
the primary group. However, WinNT cannot reveal membership
in "nested" groups (of universal and global security
groups).
3. Use the "TokenGroups" attribute of the user. This takes
more code to use, but this multi-valued attribute is a
collection of group SIDs. It includes all groups the user
is a member of, including the primary group and all nested
groups. Reply to this post if you want code.
4. Use the methods in Q321360 and Q297951 to determine
primary group membership.

For your purpose (enumerating members of a group), if #'s
1 and 2 above are not options, you would have to enumerate
the members revealed by LDAP, then find all users in the
domain whose "PrimaryGroupID" matched
the "PrimaryGroupToken" of the group. Again, reply if you
want code.

Richard


Enumerating Domain Users group

Post by Anil Pate » Wed, 11 Dec 2002 19:30:25


Hi Richard,

Thank you for the prompt reply & explanation.

Given the structure of our code, I think my best option
would be to "find all users in the domain
whose "PrimaryGroupID" matched the "PrimaryGroupToken" of
the group". I would be very grateful if you could supply
me with some sample code for this scenario.


or reply to this email with the code as attachment (this
might be preferable as it may be of interest to others in
the Newsgroup).

Thanks again.
Anil.


Enumerating Domain Users group

Post by Richard Muelle » Thu, 12 Dec 2002 07:53:56


A few notes on the attached code.

1. The PrimaryGroupToken attribute of the group object is
not stored in AD, but is calculated. The only way I know
to force the calculation is to use ADO to find the group
and return the PrimaryGroupToken attribute.
2. Although the user attribute PrimaryGroupID is stored in
AD, ADO is still the best way to find all users with a
given PrimaryGroupID attribute (that matches the
PrimaryGroupToken for the group).
3. Since you are using LDAP, I assume you want to include
nested group memberships. The sub EnumGroup is recursive
to handle this.
4. A dictionary object is necessary to prevent an infinite
loop if the group nesting is circular. Also, a user can be
included in the group because the group is their "primary
group", but also because they belong to another group that
has the given group as a member. Again, the dictionary
object prevents such a user from being listed twice.
5. The script as written takes the AdsPath of a group as
the argument and displays all members of the group in a
MsgBox. The script could be modified to output
differently. For example, the MsgBox statement could be
replaced by a Wscript.Echo statement. The output could
then be redirected to a text file.
6. The attached file has been renamed with .txt extension
to prevent blocking by virus software. Rename to .vbs.

Richard


[Attachment: EnumGroup.txt]

Enumerating Domain Users group

Post by Richard Muelle » Thu, 12 Dec 2002 10:28:04


Hi,

When I first replied to your posting, I assumed the task
would not be much different from enumerating all the
groups a given user is a member of. When I tested the
code, however, it was more complex than I expected. It
requires two ADO searches, plus the recursive subroutine.

When I explored the "TokenGroups" method I referred to, I
found it is much worse. "TokenGroups" is great if you are
enumerating the groups a user is a member of. The
collection includes all groups (nested and primary). It
takes work to convert the Byte Arrays, but you only have
to bind to one user, plus each group (to get the group
name).

When you enumerate members of a group, however, I find
that ADO cannot return the "TokenGroups" attribute.
(Someone correct me if I am wrong). Instead, to find all
users with a TokenGroups entry that matches the Sid of the
group in question, you must bind to every user in the
domain. This is not feasible in a large network.

That means that the code I posted previously is the best I
know of to date. It could be greatly simplified if you
don't need nested groups or the primary group, but a
function that claims to enumerate all members of a group
shouldn't have such shortcomings. I would welcome anyone
with better code.

Richard

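The workaround Richard describes (LDAP "member" values plus every user whose PrimaryGroupID equals the group's PrimaryGroupToken, recursed over nested groups with a dictionary to stop circular nesting and duplicates), as an added example that is not his attached EnumGroup.vbs. It runs against a constructed in-memory snapshot instead of ADO, so it works offline; the domain SID, group RIDs and user names are invented sample values.

```python
# Added example, not Richard's attached EnumGroup.vbs: the same algorithm
# (explicit LDAP "member" values plus users whose primaryGroupID equals the
# group's primaryGroupToken, recursed over nested groups with a "seen" set)
# run against a constructed in-memory snapshot so it works offline.
from dataclasses import dataclass, field

DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed sample domain SID

@dataclass
class Group:
    rid: int                                    # last sub-authority of the SID
    member: list = field(default_factory=list)  # what the LDAP provider lists

    @property
    def sid(self) -> str:
        return f"{DOMAIN_SID}-{self.rid}"

@dataclass
class User:
    name: str
    primary_group_id: int                       # stored primaryGroupID attribute

# Constructed snapshot: "Domain Users" has no explicit members (the 0 count
# from the original post); Helpdesk and Tier2 nest each other (circular);
# svc_backup has Helpdesk, not Domain Users, as its primary group.
GROUPS = {
    "Domain Users": Group(rid=513),
    "Helpdesk": Group(rid=1105, member=["alice", "Tier2"]),
    "Tier2": Group(rid=1106, member=["bob", "Helpdesk"]),
}
USERS = [User("alice", 513), User("bob", 513), User("carol", 513),
         User("svc_backup", 1105)]

def primary_group_token(group_sid: str) -> int:
    """primaryGroupToken is not stored in AD; it equals the group's RID."""
    return int(group_sid.rsplit("-", 1)[1])

def enum_group(name: str, groups=GROUPS, users=USERS, seen=None) -> set:
    """Return every user in `name`, including nested and primary-group members."""
    seen = set() if seen is None else seen  # the thread's dictionary object
    if name in seen:                        # circular nesting: stop here
        return set()
    seen.add(name)
    found = set()
    for m in groups[name].member:           # members the LDAP provider reveals
        found |= enum_group(m, groups, users, seen) if m in groups else {m}
    token = primary_group_token(groups[name].sid)
    found |= {u.name for u in users if u.primary_group_id == token}
    return found                            # a set, so nobody is listed twice

if __name__ == "__main__":
    for g in GROUPS:
        print(f"{g}: {sorted(enum_group(g))}")
```

Against a live domain the two constructed lookups would become the two ADO searches Richard mentions: one returning primaryGroupToken for the group, one returning every user with a matching primaryGroupID.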