Get all groups

We have just about finished with users. While I’m thinking about what else we need to do with users, we’ll start digging into groups a bit more, starting with listing the groups in the domain.

## lists the groups in a domain

# Translate the raw groupType attribute value into a category and scope
function getgrouptype {
    param($grouptype)

    $gt = New-Object -TypeName PSObject -Property @{
        GroupCategory = ""
        GroupScope = ""
    }

    switch ($grouptype) {
        2 {
            $gt.GroupCategory = "Distribution"
            $gt.GroupScope = "Global"
        }
        4 {
            $gt.GroupCategory = "Distribution"
            $gt.GroupScope = "DomainLocal"
        }
        8 {
            $gt.GroupCategory = "Distribution"
            $gt.GroupScope = "Universal"
        }
        -2147483646 {
            $gt.GroupCategory = "Security"
            $gt.GroupScope = "Global"
        }
        -2147483644 {
            $gt.GroupCategory = "Security"
            $gt.GroupScope = "DomainLocal"
        }
        -2147483643 {
            # groups in the Builtin container, such as Administrators
            $gt.GroupCategory = "Security"
            $gt.GroupScope = "BuiltinLocal"
        }
        -2147483640 {
            $gt.GroupCategory = "Security"
            $gt.GroupScope = "Universal"
        }
        default { Throw "Error - Unrecognised group type" }
    }

    $gt
}

# Microsoft cmdlets (ActiveDirectory module)
"`nMicrosoft"
Get-ADGroup -Filter * |
Format-Table Name, DistinguishedName, GroupCategory, GroupScope

# AD provider: walk the AD: drive from the domain root
"`nAD provider"
$root = [ADSI]""
Get-ChildItem -Filter "(objectclass=group)" -Path "AD:\$($root.distinguishedName)" -Recurse |
foreach {
    # bind to the group so the raw groupType attribute can be read
    $group = [adsi]"LDAP://$($_.DistinguishedName)"

    $gt = getgrouptype $($group.GroupType)

    New-Object -TypeName PSObject -Property @{
        Name = $($group.Name)
        DistinguishedName = $($group.DistinguishedName)
        GroupCategory = $($gt.GroupCategory)
        GroupScope = $($gt.GroupScope)
    }
} | Format-Table Name, DistinguishedName, GroupCategory, GroupScope

# Quest AD cmdlets
"`nQuest"
Get-QADGroup |
Format-Table Name, DN, GroupType, GroupScope

# Script: LDAP search with [adsisearcher]
"`nScript"
$root = [ADSI]""
$search = [adsisearcher]$root
$search.Filter = "(objectclass=group)"
# a SizeLimit above the server's own limit (1000 by default) is not honoured
$search.SizeLimit = 3000
$search.FindAll() |
foreach {
    $group = $_.GetDirectoryEntry()

    $gt = getgrouptype $($group.GroupType)

    New-Object -TypeName PSObject -Property @{
        Name = $($group.Name)
        DistinguishedName = $($group.DistinguishedName)
        GroupCategory = $($gt.GroupCategory)
        GroupScope = $($gt.GroupScope)
    }
} | Format-Table Name, DistinguishedName, GroupCategory, GroupScope


The function getgrouptype is used to decipher the grouptype property on the group object. I’ve pre-calculated the values for the various types of group: security and distribution, each with global, domain local and universal scope. The one that may appear odd is the BuiltinLocal security group. Look at the properties of the groups in the Builtin container, such as Administrators, and you will see examples.



The Microsoft and Quest cmdlets both misreport these as DomainLocal.



The cmdlets are identical apart from the way the distinguished name and group category (type) properties are named.



The script and provider both search for all groups and, for each one, get a directory entry, decipher the grouptype attribute and output the result.
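
The values that getgrouptype matches are sums of bit flags in the groupType attribute, so the same category and scope can be derived by testing bits instead of matching totals. This is an added example, not code from the original post; the function name ConvertFrom-GroupType is hypothetical, and the flag values used (0x2 global, 0x4 domain local, 0x8 universal, 0x1 created by the system, 0x80000000 security-enabled) are the documented groupType bits.

```powershell
# Added example, not from the original post: decode groupType bit by bit.
function ConvertFrom-GroupType {          # hypothetical helper name
    param([Parameter(Mandatory=$true)][int]$GroupType)

    $securityBit = [int]::MinValue        # 0x80000000, security-enabled
    $builtinBit  = 0x1                    # group created by the system

    # Exactly one scope bit should be set on a valid group
    $scopeFlags = @(
        @{ Bit = 0x2; Name = 'Global' },
        @{ Bit = 0x4; Name = 'DomainLocal' },
        @{ Bit = 0x8; Name = 'Universal' }
    )
    $scopes = @($scopeFlags |
        Where-Object { $GroupType -band $_.Bit } |
        ForEach-Object { $_.Name })
    if ($scopes.Count -ne 1) {
        throw "Error - Unrecognised group type: $GroupType"
    }
    $scope = $scopes[0]

    # Builtin container groups carry the system-created bit on top of the
    # domain local bit; label them the same way getgrouptype does
    if (($GroupType -band $builtinBit) -and $scope -eq 'DomainLocal') {
        $scope = 'BuiltinLocal'
    }

    $category = if ($GroupType -band $securityBit) { 'Security' }
                else { 'Distribution' }

    New-Object -TypeName PSObject -Property @{
        GroupType     = $GroupType
        GroupCategory = $category
        GroupScope    = $scope
    }
}

# The seven values handled by getgrouptype in the post
2, 4, 8, -2147483646, -2147483644, -2147483643, -2147483640 |
    ForEach-Object { ConvertFrom-GroupType $_ } |
    Format-Table GroupType, GroupCategory, GroupScope
```

The value -2147483643 is 0x80000005, which is the security-enabled, domain local and system-created bits set together.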
