Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I enumerate all the universal groups in Active Directory?

-- MW

Hey, Scripting Guy! Answer

Hey, MW. You know, we’re glad you asked this question. Any time people talk about Active Directory they tend to talk about groups as if Active Directory had only one type of group. It doesn’t. Instead, there are six types of Active Directory groups: global, domain local, and universal security groups; and global, domain local, and universal distribution groups. And it’s important to be able to distinguish between the various types: after all, your ability to perform certain tasks, such as assigning security permissions (only security groups can appear in an ACL) or adding users to groups (scope governs which accounts a group may contain), often hinges on the group type.

So how do you list all the universal groups in Active Directory? The best way is by using ADO to conduct a search. The tricky part there is understanding how to search for different group types. Each group object has an attribute named groupType, but group types are not stored by name. Consequently, a query like this, which purports to search for all universal security groups, won’t work (the server has no string value to compare against):

"SELECT Name FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='group' " & _
        "AND groupType = 'universal security'"

Instead, group types are assigned numbers, and those numbers are stored in the groupType attribute:

Group Type            Value
Global group          2
Domain local group    4
Universal group       8
Security group        -2147483648

The groupType attribute is a bit field, so these values combine by addition (or, equivalently, bitwise OR): one value for the scope, plus the security value if the group is security-enabled. A universal distribution group therefore has a groupType of exactly 8; searching for groupType = 8 returns only those groups, not the universal security groups. If you want universal security groups, you need to add the value for universal groups to the value for security groups. In other words, 8 + -2147483648, which happens to equal -2147483640. (The security value looks strange because the flag is the top bit of a 32-bit integer, 0x80000000, and ADSI reports groupType as a signed 32-bit integer, so that bit comes back negative.) An equality test on the sum works because a universal security group has exactly those two bits set and no others. To return a list of all the universal security groups in a domain, you use this query:

"SELECT Name FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='group' " & _
        "AND groupType = -2147483640"
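To make the arithmetic concrete, here is an added Python example; it is not part of the Scripting Guys column and it is not ADSI code. It decodes and composes groupType values (handling the signed 32-bit representation that makes the security flag negative), builds the column’s SQL-dialect query from the flag values instead of a hand-typed constant, and also builds the equivalent LDAP-dialect filter using Active Directory’s bitwise-AND matching rule (OID 1.2.840.113556.1.4.803). The group names and groupType values in SAMPLE_ROWS are constructed for the example rather than read from a domain.

```python
# Added example, not from the Scripting Guys column: decode and compose the
# Active Directory groupType bit field and build equivalent search filters.
# Flag values are the ones in the column's table; 1.2.840.113556.1.4.803 is
# Active Directory's LDAP_MATCHING_RULE_BIT_AND extensible-match rule.
from dataclasses import dataclass

GLOBAL_GROUP       = 0x00000002   # 2
DOMAIN_LOCAL_GROUP = 0x00000004   # 4
UNIVERSAL_GROUP    = 0x00000008   # 8
SECURITY_ENABLED   = 0x80000000   # -2147483648 when read as a signed 32-bit integer

BIT_AND_RULE = "1.2.840.113556.1.4.803"

SCOPE_NAMES = {GLOBAL_GROUP: "global",
               DOMAIN_LOCAL_GROUP: "domain local",
               UNIVERSAL_GROUP: "universal"}
SCOPE_FLAGS = {name: flag for flag, name in SCOPE_NAMES.items()}


def to_signed32(value: int) -> int:
    """Present a 32-bit value the way ADSI/ADO returns groupType: as a signed int."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


@dataclass(frozen=True)
class GroupKind:
    scope: str      # "global", "domain local" or "universal"
    category: str   # "security" or "distribution"


def decode_group_type(group_type: int) -> GroupKind:
    """Turn a raw groupType (signed or unsigned form) into scope and category."""
    bits = group_type & 0xFFFFFFFF
    scopes = [name for flag, name in SCOPE_NAMES.items() if bits & flag]
    if len(scopes) != 1:
        raise ValueError(f"groupType {group_type} sets {len(scopes)} scope bits; expected exactly one")
    category = "security" if bits & SECURITY_ENABLED else "distribution"
    return GroupKind(scopes[0], category)


def encode_group_type(scope: str, security: bool) -> int:
    """Compose the signed value ADO compares against, e.g. universal security -> -2147483640."""
    return to_signed32(SCOPE_FLAGS[scope] | (SECURITY_ENABLED if security else 0))


def sql_dialect_query(base_dn: str, scope: str, security: bool) -> str:
    """The column's ADO SQL-dialect query, with the constant computed rather than typed."""
    return (f"SELECT Name FROM 'LDAP://{base_dn}' WHERE objectCategory='group' "
            f"AND groupType = {encode_group_type(scope, security)}")


def ldap_dialect_filter(scope: str, security: bool) -> str:
    """Equivalent LDAP filter that tests each flag on its own with the bitwise-AND rule.

    Unlike equality on the whole value, this still matches a group whose
    groupType carries an extra bit alongside the scope and security flags.
    """
    parts = ["(objectCategory=group)",
             f"(groupType:{BIT_AND_RULE}:={SCOPE_FLAGS[scope]})"]
    security_test = f"(groupType:{BIT_AND_RULE}:={SECURITY_ENABLED})"
    parts.append(security_test if security else f"(!{security_test})")
    return "(&" + "".join(parts) + ")"


# Constructed sample rows, shaped like the (Name, groupType) pairs an ADO search
# returns. Names and values are made up for this example, not read from a domain.
SAMPLE_ROWS = [
    ("Domain Users", -2147483646),        # global security        (0x80000002)
    ("Enterprise Admins", -2147483640),   # universal security     (0x80000008)
    ("All Staff Mailing", 8),             # universal distribution (0x00000008)
    ("Finance Printers", -2147483644),    # domain local security  (0x80000004)
    ("Schema Admins", -2147483640),       # universal security     (0x80000008)
]


def universal_security_groups(rows):
    """Client-side equivalent of the column's query, applied to the sample rows."""
    target = encode_group_type("universal", security=True)
    return [name for name, group_type in rows if group_type == target]


if __name__ == "__main__":
    for name, group_type in SAMPLE_ROWS:
        kind = decode_group_type(group_type)
        print(f"{name:20} groupType={group_type:<12} {kind.scope} {kind.category}")
    print(sql_dialect_query("dc=fabrikam,dc=com", "universal", True))
    print(ldap_dialect_filter("universal", True))
    print(universal_security_groups(SAMPLE_ROWS))
```

The LDAP-dialect filter is the form you would hand to ldapsearch, ldap3, or PowerShell’s Get-ADGroup -LDAPFilter. Because it tests the universal bit and the security bit separately, it keeps matching if a group’s groupType ever carries an additional flag, whereas the equality test in the SQL query would silently skip that group.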

After you understand how to construct the query, the rest of the script is boilerplate: it resembles every other Active Directory search script you’ve ever written. We won’t discuss the details of searching Active Directory today; that goes a bit beyond the scope of this column. But if you’d like to learn more about searching Active Directory, you might take a look at our two-part Tales from the Script series (from April and May, 2005) that covers this very topic in-depth.

Here’s a completed script that returns a list of all the universal security groups found in the fabrikam.com domain:

' Search Active Directory through the ADSI OLE DB provider (ADsDSOObject).
' Caution: On Error Resume Next also hides bind and query failures, which then
' look exactly like "no universal security groups found".
On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Page Size turns on paged results; without it the server caps the result set
' (1000 objects by default), and large domains would come back truncated.
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

' Universal (8) + security-enabled (-2147483648) = -2147483640.
' The space before AND matters: without it the two string pieces run together.
objCommand.CommandText = _
    "SELECT Name FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='group' " & _
        "AND groupType = -2147483640"
Set objRecordSet = objCommand.Execute

' MoveFirst raises an error on an empty recordset, so only call it when rows exist.
If Not objRecordSet.EOF Then objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("Name").Value
    objRecordSet.MoveNext
Loop

objRecordSet.Close
objConnection.Close