
LDAP tips #2: Searching for Groups

By Tony Murray on Wednesday, November 28, 2007 5:10 PM

This article is the second in a series providing tips for common LDAP searches.

How to search for groups of different type and scope
Searching AD for groups using LDAP can be tricky, as it often involves the groupType attribute, which is a bit flag and therefore requires a bitwise (extensible match) filter. Another attribute that can be useful is the sAMAccountType attribute, but you need to be careful, as Universal and Global groups share the same values. You should also ensure that you use the Global Catalog when searching for Universal groups. This blog post provides advice on searching for groups and gives specific examples using AdFind (http://www.joeware.net/win/free/tools/adfind.htm).

The table below shows the information of interest when searching for different types of group. Note that the sAMAccountType attribute is not unique to the group scope: Universal and Global Distribution groups share the value 268435457, and Universal and Global Security groups share the value 268435456.

Group Scope    Group Type     groupType attribute   sAMAccountType attribute
Universal      Distribution   8                     268435457
Universal      Security       -2147483640           268435456
Global         Distribution   2                     268435457
Global         Security       -2147483646           268435456
Domain Local   Distribution   4                     536870913
Domain Local   Security       -2147483644           536870912

The following sections provide advice on how to search for groups, together with examples. In the LDAP filters, 1.2.840.113556.1.4.803 is the bitwise AND matching rule (every bit in the value must be set) and 1.2.840.113556.1.4.804 is the bitwise OR matching rule (at least one bit in the value must be set). In the AdFind examples, the -bit switch lets :AND: and :OR: stand in for those OIDs, and the trailing 1.1 attribute list returns only the DN of each matching group.


Find all groups

LDAP Filter: 

(objectcategory=group)

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -f "(objectcategory=group)"


Find all Universal Distribution groups

LDAP Filter: 

(&(objectcategory=group)(sAMAccountType=268435457)(grouptype:1.2.840.113556.1.4.804:=8))

e.g.

adfind -gc -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(sAMAccountType=268435457)(grouptype:OR:=8))" 1.1


Find all Universal Security groups

LDAP Filter:

(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.803:=-2147483640))

e.g.

adfind -gc -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(grouptype:AND:=-2147483640))" 1.1


Find all Universal groups: Distribution and Security

LDAP Filter:

(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=8))

e.g.

adfind -gc -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(grouptype:OR:=8))" 1.1


Find all Global Distribution groups

LDAP Filter: 

(&(objectcategory=group)(sAMAccountType=268435457)(grouptype:1.2.840.113556.1.4.804:=2))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(sAMAccountType=268435457)(grouptype:OR:=2))" 1.1


Find all Global Security groups

LDAP Filter:

(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.803:=-2147483646))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(grouptype:AND:=-2147483646))" 1.1


Find all Global groups: Distribution and Security

LDAP Filter:

(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=2))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(grouptype:OR:=2))" 1.1


Find all Domain Local Distribution groups

LDAP Filter: 

(&(objectcategory=group)(samaccounttype=536870913))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -f "(&(objectcategory=group)(sAMAccountType=536870913))" 1.1


Find all Domain Local Security groups

LDAP Filter:

(&(objectcategory=group)(samaccounttype=536870912))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -f "(&(objectcategory=group)(sAMAccountType=536870912))" 1.1


Find all Domain Local groups: Distribution and Security

LDAP Filter:

(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=4))

e.g.

adfind -b "OU=Groups,DC=colours,DC=com" -s subtree -bit -f "(&(objectcategory=group)(grouptype:OR:=4))" 1.1
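To make the table and the filter sections above concrete, here is an added example (not code from the article or from AdFind) that parses the filters exactly as written on this page, implements the two bitwise matching rules, and runs them over a constructed directory of six groups, one per row of the table. It also accepts the :AND: and :OR: spellings used in the AdFind commands, treating them as equivalent to the matching-rule OIDs in the corresponding LDAP filters. The group names, the in-memory entries and the parser are all assumptions of the example; the groupType bits and sAMAccountType values are the ones in the table.

```python
"""Evaluate the article's group filters against a constructed directory.

Added example; not code from the article or from AdFind. Supports (&...),
(|...), (!...), attr=value and attr:rule:=value with AD's bitwise rules.
"""
import re

BIT_AND = "1.2.840.113556.1.4.803"   # match when (attr & value) == value
BIT_OR = "1.2.840.113556.1.4.804"    # match when (attr & value) != 0
RULE_ALIASES = {"AND": BIT_AND, "OR": BIT_OR}  # spellings used with AdFind -bit

# groupType flag bits: three scope bits plus the security-enabled bit
GT_GLOBAL, GT_DOMAIN_LOCAL, GT_UNIVERSAL, GT_SECURITY = 0x2, 0x4, 0x8, 0x80000000
# sAMAccountType values from the article's table
SAM_GROUP, SAM_NON_SEC_GROUP = 268435456, 268435457
SAM_ALIAS, SAM_NON_SEC_ALIAS = 536870912, 536870913


def to_signed32(value):
    value &= 0xFFFFFFFF  # AD stores groupType as signed 32-bit, hence the negatives
    return value - 0x100000000 if value & 0x80000000 else value


def make_group(name, scope_bit, security):
    """Constructed sample entry carrying the attributes AD sets for that group."""
    gt = scope_bit | (GT_SECURITY if security else 0)
    if scope_bit == GT_DOMAIN_LOCAL:
        sam = SAM_ALIAS if security else SAM_NON_SEC_ALIAS
    else:  # Universal and Global groups share the same sAMAccountType values
        sam = SAM_GROUP if security else SAM_NON_SEC_GROUP
    return {"cn": name, "objectcategory": "group",
            "grouptype": to_signed32(gt), "samaccounttype": sam}


def parse(text):
    """Recursive-descent parser for the filter subset used on this page."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            pos += 1  # consume the closing ')'
            return (op, children)
        end = text.index(")", pos)
        m = re.fullmatch(r"([\w-]+)(?::([\w.]+):)?=(.*)", text[pos:end])
        if not m:
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        pos = end + 1
        attr, rule, value = m.group(1).lower(), m.group(2), m.group(3)
        return ("item", attr, RULE_ALIASES.get(rule, rule), value)

    return node()


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (attribute names lowercase)."""
    kind = tree[0]
    if kind == "&":
        return all(matches(c, entry) for c in tree[1])
    if kind == "|":
        return any(matches(c, entry) for c in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, rule, value = tree
    if attr not in entry:
        return False  # an absent attribute never matches
    if rule is None:  # plain equality, case-insensitive like AD
        return str(entry[attr]).lower() == value.lower()
    bits = int(entry[attr]) & 0xFFFFFFFF  # -2147483640 becomes 0x80000008
    mask = int(value) & 0xFFFFFFFF
    if rule == BIT_AND:
        return (bits & mask) == mask
    if rule == BIT_OR:
        return (bits & mask) != 0
    raise ValueError(f"unsupported matching rule {rule}")


def search(filter_text, entries):
    tree = parse(filter_text)
    return sorted(e["cn"] for e in entries if matches(tree, e))


# Constructed directory: one group for each scope/type row of the article's table
GROUPS = [make_group("U-Dist", GT_UNIVERSAL, False), make_group("U-Sec", GT_UNIVERSAL, True),
          make_group("G-Dist", GT_GLOBAL, False), make_group("G-Sec", GT_GLOBAL, True),
          make_group("DL-Dist", GT_DOMAIN_LOCAL, False), make_group("DL-Sec", GT_DOMAIN_LOCAL, True)]

if __name__ == "__main__":
    # sAMAccountType alone returns both the Universal and the Global security group ...
    print(search("(&(objectcategory=group)(sAMAccountType=268435456))", GROUPS))
    # ... while the groupType bitwise AND filter isolates the Universal one
    print(search("(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.803:=-2147483640))", GROUPS))
```

The two calls in the main block reproduce the point of the table: a filter on sAMAccountType=268435456 returns both U-Sec and G-Sec, while the Universal Security filter from the section above returns only U-Sec. When inventorying security groups (the ones that actually carry permissions), filter on the security bit of groupType rather than relying on sAMAccountType alone.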


Copyright 2012 ActiveDir.org