Tuesday, June 8, 2010

Identifying Active Directory Primary Group Membership

I ran across what I thought was an interesting question on serverfault.com: Delete a windows group in Active Directory. No one had posted any answer / comment to it and since I was curious what the answer was, I put one together.

As an aside, serverfault.com (superuser.com and stackoverflow.com too) is not just a great place to ask relevant questions when looking for help, but also to read questions that have already been answered in order to advance one's knowledge. A good question there is just as valuable as a good answer - so don't be afraid to ask either!

Active Directory allows a user's primary group to be changed from the default "Domain Users". This is great if you have applications that need or benefit from it, but how can you get a list of users whose primary group is set to a particular group? The built-in AD searches do not provide a "Primary Group = xyz" drop-down.

You have to be willing to get your hands a little dirty to produce a list of users whose primary group has been explicitly set. Active Directory is of course based on LDAP: AD users are objects, objects have attributes, and attributes have values. The two attributes (and their values) that need to be examined are 1) primaryGroupToken on the Group object, and 2) primaryGroupID on the User object.

Using ADSI Edit, find the Group in question and examine its properties to find primaryGroupToken, and make a note of its numeric value. We will need it later when we search for user objects whose primaryGroupID attribute holds this value.

In Active Directory Users and Computers, right-click Saved Queries and select New, then Query. Give your query a Name ("Users-Primary-Group-Is-XYZ") and a Description. Set the Query root to a reasonable OU in your directory structure and click Define Query.

To enter a custom LDAP query, change the Find drop-down to Custom Search and click the Advanced tab. The fairly simple query I created is as follows, where XXX is the value of primaryGroupToken found earlier:


Click OK, highlight your query in the Saved Queries folder of the navigation pane, and click the Refresh icon in the toolbar to get your results!
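The same two-step lookup (read the group's primaryGroupToken, then search for users whose primaryGroupID matches it) can be scripted instead of clicked through. The PowerShell below is an added example, not code from the original post, and uses only System.DirectoryServices so it does not need the RSAT ActiveDirectory module. The group name, the optional search base and the LDAP filter strings are my own assumptions; the post's own saved-query filter is not reproduced on this page. Note that primaryGroupToken is a constructed attribute, so it must be requested explicitly, and that the group name is escaped before it is placed in the filter so that a name containing `*`, `(`, `)` or `\` cannot alter the query.

```powershell
# Added example (not from the original post): list every user whose primary group
# is the given AD group. Assumes the caller can read the domain and that $GroupName
# is the group's sAMAccountName (e.g. "Domain Users", whose RID is 513).
param(
    [Parameter(Mandatory = $true)] [string] $GroupName,
    [string] $SearchBase = ""   # optional OU distinguished name; empty = whole domain
)

# Escape the characters that have meaning in an LDAP filter (RFC 4515) so the
# caller-supplied group name is treated as a literal value, not as filter syntax.
function ConvertTo-LdapFilterLiteral {
    param([string] $Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'      { [void]$sb.Append('\5c') }
            '*'      { [void]$sb.Append('\2a') }
            '('      { [void]$sb.Append('\28') }
            ')'      { [void]$sb.Append('\29') }
            ([char]0) { [void]$sb.Append('\00') }
            default  { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

$rootDse   = [ADSI]"LDAP://RootDSE"
$defaultNC = [string]$rootDse.defaultNamingContext
if (-not $SearchBase) { $SearchBase = $defaultNC }

# Step 1: find the group and read its primaryGroupToken (this is the group's RID).
# primaryGroupToken is constructed server-side, so it is only returned when asked for.
$groupSearcher = New-Object System.DirectoryServices.DirectorySearcher
$groupSearcher.SearchRoot = [ADSI]"LDAP://$defaultNC"
$groupSearcher.Filter = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterLiteral $GroupName)))"
[void]$groupSearcher.PropertiesToLoad.Add("primaryGroupToken")
[void]$groupSearcher.PropertiesToLoad.Add("distinguishedName")
$group = $groupSearcher.FindOne()
if ($null -eq $group) { throw "Group '$GroupName' was not found under $defaultNC" }
$token = [int]$group.Properties["primarygrouptoken"][0]
Write-Verbose "Group $($group.Properties['distinguishedname'][0]) has primaryGroupToken $token"

# Step 2: search for user objects whose primaryGroupID equals that token. This is
# the filter you would paste into the Advanced tab of a Custom Search, with the
# numeric token in place of XXX.
$userSearcher = New-Object System.DirectoryServices.DirectorySearcher
$userSearcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
$userSearcher.Filter   = "(&(objectCategory=person)(objectClass=user)(primaryGroupID=$token))"
$userSearcher.PageSize = 1000   # paged results so large domains are not truncated at 1000 entries
foreach ($attr in "sAMAccountName", "distinguishedName") {
    [void]$userSearcher.PropertiesToLoad.Add($attr)
}

$results = $userSearcher.FindAll()
try {
    foreach ($r in $results) {
        [PSCustomObject]@{
            SamAccountName    = [string]$r.Properties["samaccountname"][0]
            DistinguishedName = [string]$r.Properties["distinguishedname"][0]
            PrimaryGroupID    = $token
        }
    }
}
finally {
    $results.Dispose()   # SearchResultCollection holds unmanaged resources
}
```

Run it as `.\Get-PrimaryGroupMembers.ps1 -GroupName "Domain Users" -SearchBase "OU=Staff,DC=example,DC=com"` (file name and OU are placeholders). Because a user's primary group is not listed in the group's member attribute, a review of who can actually act as a member of a privileged group should combine this primaryGroupID search with the normal membership listing; a user whose primaryGroupID was quietly changed to a privileged group's RID will otherwise be missed.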


1 comment:

dejuid00 said...

Just a quick note for non-ADSI Edit people... you need to add the Constructed read-only attribute via the Filter button to see primaryGroupToken. Anyway Jeff, thanks for the article - exactly what I was looking for (a search of all users rather than just getting the PG of a single user)!