
Get Groupname from Group ID?


wilt...@gmail.com

Apr 27, 2006, 3:57:00 PM
Greetings, folks...

I have the group ID (513 for example) and from that, I need to get the
group name... Difficulty degree: It needs to be in the form of an LDAP
query -- any thoughts? :)

JTW

Apr 27, 2006, 4:20:25 PM

Richard Mueller

Apr 27, 2006, 4:44:57 PM

<wilt...@gmail.com> wrote in message
news:1146167820.5...@g10g2000cwb.googlegroups.com...

Hi,

513 is the value of the primaryGroupToken attribute for the group "Domain
Users". An LDAP query to retrieve the group name could be:

(&(objectCategory=group)(primaryGroupToken=513))

However, primaryGroupToken is a constructed attribute, so the query will
fail. You can use ADO to code a VBScript program to retrieve the
primaryGroupToken (and sAMAccountName) for all groups, then output the name
of the one with the desired value for primaryGroupToken. For information on
using ADO in VBScript see this link:

http://www.rlmueller.net/ADOSearchTips.htm

In this case, use:

strFilter = "(objectCategory=group)"
strAttributes = "sAMAccountName,primaryGroupToken"

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net


wilt...@gmail.com

Apr 27, 2006, 5:08:26 PM
The scriptcenter link was a nice start... For example, at the bottom,
it showed how it got the PrimaryGroupID of a user -- that's what I
have. From there, I then need to, programmatically, get a group name
from that number since we have an extensive number of groups.

When I pull the LDAP information for a group object, it doesn't list
this ID, but there is this field:

[9] => objectguid
[objectsid] => Array
(
[count] => 1
[0] =>
)

Which doesn't help much either.... Any further thoughts?

wilt...@gmail.com

Apr 27, 2006, 5:14:00 PM
>(&(objectCategory=group)(primaryGroupToken=513))

So that wouldn't work? I need to find strictly an LDAP solution to
solve my current dilemma -- the above would be a perfect solution, but
if there's not a way to pull something or view the primaryGroupToken of
a group through an LDAP query, I suppose I'm kind of on the bad side of
things, here.

Thanks for the responses -- they're greatly appreciated.

JTW

Apr 27, 2006, 5:21:48 PM
I'm not understanding your response. Are you saying that you are
getting a group ID that is not listed in the "Well-known security
identifiers in Windows operating systems" document?
--

wilt...@gmail.com

Apr 27, 2006, 5:38:07 PM
> I'm not understanding your response. Are you saying that you are
> getting a group ID that is not listed in the "Well-known security
> identifiers in Windows operating systems" document?

Correct -- we have about 30 different groups that we've created for
organizational purposes... we need to get the group name based off of
the id we get from the primaryGroupID attribute of a user object.

JTW

Apr 27, 2006, 5:53:56 PM
The group ID is stored in the primaryGroupToken property of the group
object. I've included a very inefficient script to return the LDAP
path of the group (you can switch it to return the name property).
Obviously in a large script, you will want to only obtain the recordset
of group information once, and perform the find filtering as needed.

Is this what you are looking for?

    On Error Resume Next

    Set objOU = GetObject("LDAP://cn=Users,dc=dx21,dc=lab")

    objOU.Filter = Array("user")

    ' For each user, show the name, the primaryGroupID and the matching group
    For Each objUser In objOU
        WScript.Echo objUser.cn
        WScript.Echo objUser.Get("primaryGroupID")
        WScript.Echo FindGroup(objUser.Get("primaryGroupID"))
    Next

    ' Returns the ADsPath of the group whose primaryGroupToken equals gID,
    ' or an empty string if no group matches.
    Function FindGroup(gID)
        Const ADS_SCOPE_BASE = 0
        Const ADS_SCOPE_ONELEVEL = 1
        Const ADS_SCOPE_SUBTREE = 2

        Dim objCon, objCmd, objRDSE, objRS

        Set objCon = CreateObject("ADODB.Connection")
        Set objCmd = CreateObject("ADODB.Command")
        Set objRDSE = GetObject("LDAP://RootDSE")

        With objCon
            .Provider = "ADsDSOObject"
            .Open
        End With

        Set objCmd.ActiveConnection = objCon

        With objCmd
            .Properties("Page Size") = 1000
            .Properties("Timeout") = 90
            .Properties("SearchScope") = ADS_SCOPE_SUBTREE

            ' Retrieve every group in the domain; filtering happens client-side
            .CommandText = "<LDAP://" & objRDSE.Get("defaultNamingContext") & _
                ">;(objectClass=group);name,primaryGroupToken,ADsPath"

            Set objRS = .Execute
        End With

        ' Move to the first record whose primaryGroupToken matches
        objRS.Find "primaryGroupToken=" & gID
        If objRS.EOF Then FindGroup = "" Else FindGroup = objRS("ADsPath")

        objRS.Close
        objCon.Close

        Set objRS = Nothing
        Set objCmd = Nothing
        Set objCon = Nothing
        Set objRDSE = Nothing
    End Function

wilt...@gmail.com

Apr 27, 2006, 6:24:05 PM
JTW,

I really appreciate the help -- while that would probably work under
normal circumstances, I'm in a unique position. I'm actually pulling
the object information through LDAP via a PHP script, then enqueuing
actions to be run on our domain controller. So, I'm hoping (praying)
that the group id token would be available in plain text somewhere in
the group object, or anywhere for that matter -- as long as it
referenced the name.

I think I'm SOL here. :) Thanks again -- this kinda ties into our
issue with an LDAP query not displaying a person as a member of a group
if it's their Primary Group. Bleh -- gonna be a hellish next week.

Richard Mueller

Apr 27, 2006, 10:18:01 PM

<wilt...@gmail.com> wrote in message
news:1146172440.6...@e56g2000cwe.googlegroups.com...

Hi,

You would think it would work, but I tried and it did not. I'm sure it's
because primaryGroupToken is a constructed attribute. This is also known as
an operational attribute, which means the value is not actually stored in
AD, but is calculated by the DC when requested. You have to kick the DC to
do this, for example with the GetInfoEx method. ADO conveniently forces the
DC to calculate the values. This does not help in an LDAP query. The same
applies to other operational attributes, like tokenGroups, canonicalName,
allowedAttributes, and createTimeStamp. Fortunately, there are not many.
Sorry.
