We have just about finished with users. While I’m thinking about what else we need to do with users, we’ll start digging into groups a bit more, starting with listing the groups in the domain:
```powershell
## lists the groups in a domain
function getgrouptype {
    param($grouptype)

    $gt = New-Object -TypeName PSObject -Property @{
        GroupCategory = ""
        GroupScope    = ""
    }

    # grouptype is read as a signed 32-bit integer, so security groups show up as negative values
    switch ($grouptype) {
        2 {
            $gt.GroupCategory = "Distribution"
            $gt.GroupScope = "Global"
        }
        4 {
            $gt.GroupCategory = "Distribution"
            $gt.GroupScope = "DomainLocal"
        }
        8 {
            $gt.GroupCategory = "Distribution"
            $gt.GroupScope = "Universal"
        }
        -2147483646 {
            $gt.GroupCategory = "Security"
            $gt.GroupScope = "Global"
        }
        -2147483644 {
            $gt.GroupCategory = "Security"
            $gt.GroupScope = "DomainLocal"
        }
        -2147483643 {
            $gt.GroupCategory = "Security"
            $gt.GroupScope = "BuiltinLocal"
        }
        -2147483640 {
            $gt.GroupCategory = "Security"
            $gt.GroupScope = "Universal"
        }
        default { Throw "Error - Unrecognised group type" }
    }
    $gt
}

# Microsoft cmdlet (ActiveDirectory module)
"`nMicrosoft"
Get-ADGroup -Filter * |
    Format-Table Name, DistinguishedName, GroupCategory, GroupScope

# AD provider (AD: drive from the ActiveDirectory module)
"`nAD provider"
$root = [ADSI]""
Get-ChildItem -Filter "(objectclass=group)" -Path Ad:\"$($root.distinguishedname)" -Recurse |
    foreach {
        $group = [adsi]"LDAP://$($_.DistinguishedName)"
        $gt = getgrouptype $($group.GroupType)
        New-Object -TypeName PSObject -Property @{
            Name              = $($group.Name)
            DistinguishedName = $($group.DistinguishedName)
            GroupCategory     = $($gt.GroupCategory)
            GroupScope        = $($gt.GroupScope)
        }
    } |
    Format-Table Name, DistinguishedName, GroupCategory, GroupScope

# Quest cmdlet (the Quest AD cmdlets must be loaded)
"`nQuest"
Get-QADGroup |
    Format-Table Name, DN, GroupType, GroupScope

# Plain script using the ADSI searcher
"`nScript"
$root = [ADSI]""
$search = [adsisearcher]$root
$search.Filter = "(objectclass=group)"
$search.SizeLimit = 3000
$search.FindAll() |
    foreach {
        $group = $_.GetDirectoryEntry()
        $gt = getgrouptype $($group.GroupType)
        New-Object -TypeName PSObject -Property @{
            Name              = $($group.Name)
            DistinguishedName = $($group.DistinguishedName)
            GroupCategory     = $($gt.GroupCategory)
            GroupScope        = $($gt.GroupScope)
        }
    } |
    Format-Table Name, DistinguishedName, GroupCategory, GroupScope
```
The function getgrouptype is used to decipher the grouptype property on the group object. I’ve pre-calculated the values for the various types of groups: security and distribution; global, domain local and universal. The one that may appear odd is the BuiltinLocal security group. Look at the properties of the groups in the Builtin container, such as Administrators, and you will see examples.
The Microsoft and Quest cmdlets both misreport these as DomainLocal.
The cmdlets are identical apart from the way distinguished name and group category (type) are named.
The script and provider both search for all groups and, for each one, get a directory entry, decipher the grouptype attribute and output the result.
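The pre-calculated values in getgrouptype are combinations of the documented groupType bit flags, so they can also be decoded bit by bit. The following is an added example, not code from the original post; the function name `ConvertFrom-GroupType` and the output property names are hypothetical. It shows that -2147483643 is 0x80000005: the security bit, the domain local bit and the system-created bit together.

```powershell
# Added example (not from the original post): decode groupType by its bit flags.
# Bit values are the documented Active Directory groupType flags.
$SecurityEnabled = [int32]::MinValue   # 0x80000000 as a signed 32-bit integer
$SystemCreated   = 0x00000001          # group created by the system (Builtin container)
$ScopeMask       = 0x0000000E          # global | domain local | universal

function ConvertFrom-GroupType {        # hypothetical helper name
    param([Parameter(Mandatory = $true)][int32]$GroupType)

    # Security-enabled groups can be used in ACLs; distribution groups cannot
    $category = if ($GroupType -band $SecurityEnabled) { 'Security' } else { 'Distribution' }

    # Exactly one scope bit is expected; anything else is rejected
    $scopeBits = $GroupType -band $ScopeMask
    $scope = switch ($scopeBits) {
        0x2 { 'Global' }
        0x4 { 'DomainLocal' }
        0x8 { 'Universal' }
        default { throw ('Expected exactly one scope bit in groupType {0} (0x{0:X8})' -f $GroupType) }
    }

    [pscustomobject]@{
        GroupType     = $GroupType
        Hex           = '0x{0:X8}' -f $GroupType
        GroupCategory = $category
        GroupScope    = $scope
        SystemCreated = [bool]($GroupType -band $SystemCreated)
    }
}

# The seven values handled by getgrouptype in the post, used here as sample input.
$samples = 2, 4, 8, -2147483646, -2147483644, -2147483643, -2147483640
$samples | ForEach-Object { ConvertFrom-GroupType -GroupType $_ } | Format-Table -AutoSize
```

Groups in the Builtin container come out as Security, DomainLocal with SystemCreated set to True, which is the combination the post labels BuiltinLocal.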
By: wayne on January 2, 2014 at 6:44 pm
What’s Get-QADGroup?
By: RichardSiddaway on January 17, 2014 at 3:29 am
It’s the Quest AD cmdlet for working with groups – equivalent of Microsoft’s Get-ADGroup.