How Can I Tell Whether a Group is a Security Group or a Distribution Group?



Hey, Scripting Guy! Is there any way to tell whether an Active Directory group is a security group or a distribution group?

— AW


Hey, AW. As a matter of fact, there is; this script will tell you what type of group you’re dealing with:

' Bind to the group and echo the raw groupType value
Set objGroup = GetObject _
    ("LDAP://cn=Finance Managers, ou=Finance, dc=Fabrikam, dc=com")
Wscript.Echo objGroup.groupType

Pretty easy, huh?


Well, OK, maybe not. The preceding script works just fine, but it reports back a group type like -2147483640 or -2147483646 or maybe even 4. What the heck is going on?


As it turns out, the group type is not stored in Active Directory as a string value; that is, if you echo the value of the groupType attribute you’re not going to get back something like Global distribution group. Instead, you’re going to get back one of the following numbers:


























| Value | GroupType |
| --- | --- |
| 2 | Global distribution group |
| 4 | Domain local distribution group |
| 8 | Universal distribution group |
| -2147483646 | Global security group |
| -2147483644 | Domain local security group |
| -2147483640 | Universal security group |



In case you’re interested, the values 2, 4, and 8 identify – respectively – global, domain local, and universal groups. The value -2147483648 identifies security groups. To determine the group type you add the first number (2, 4, or 8) to the second number (-2147483648 if the group is a security group, 0 if it’s a distribution group). A domain local distribution group has a value of 4 (4 + 0); a domain local security group has a value of -2147483644 (4 + -2147483648).


But you don’t need to worry about where these numbers come from; all you need to know is which number matches up with which groupType. With that information, you can add a Select Case statement to your script and precisely identify the group type:

' Map each known groupType value to a readable description
Set objGroup = GetObject _
    ("LDAP://cn=Finance Managers, ou=Finance, dc=Fabrikam, dc=com")
Select Case objGroup.GroupType
    Case 2
        Wscript.Echo "This is a global distribution group."
    Case 4
        Wscript.Echo "This is a domain local distribution group."
    Case 8
        Wscript.Echo "This is a universal distribution group."
    Case -2147483646
        Wscript.Echo "This is a global security group."
    Case -2147483644
        Wscript.Echo "This is a domain local security group."
    Case -2147483640
        Wscript.Echo "This is a universal security group."
End Select

If all you care about is whether the group is a security group or a distribution group, then you could simply check to see if the groupType value is less than 0. If it is, then the group has to be a security group. Here’s a script that does that very thing:

' A negative groupType means the security-enabled bit is set
Set objGroup = GetObject _
    ("LDAP://cn=Finance Managers, ou=Finance, dc=Fabrikam, dc=com")
If objGroup.groupType < 0 Then
    Wscript.Echo "This is a security group."
Else
    Wscript.Echo "This is a distribution group."
End If
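
The Select Case script above echoes nothing for a groupType outside its six values, such as the -2147483643 reported in the comments below. The following added example (not part of the original article) decodes the value as bit flags instead, using the GROUP_TYPE_* values listed in the comment thread; the helper name DescribeGroupType and the sample array are made up for this illustration.

```vbscript
Option Explicit

' GROUP_TYPE_* flag values as listed in the comment thread.
Const GROUP_TYPE_BUILTIN_LOCAL_GROUP = &H00000001
Const GROUP_TYPE_ACCOUNT_GROUP = &H00000002      ' global
Const GROUP_TYPE_RESOURCE_GROUP = &H00000004     ' domain local
Const GROUP_TYPE_UNIVERSAL_GROUP = &H00000008
Const GROUP_TYPE_SECURITY_ENABLED = &H80000000   ' high bit, hence negative values

' DescribeGroupType is a hypothetical helper name for this example.
Function DescribeGroupType(ByVal varType)
    Dim lngType, lngKnown, strScope, strKind, strResult
    lngType = CLng(varType)

    If (lngType And GROUP_TYPE_SECURITY_ENABLED) <> 0 Then
        strKind = "security"
    Else
        strKind = "distribution"
    End If

    If (lngType And GROUP_TYPE_UNIVERSAL_GROUP) <> 0 Then
        strScope = "universal"
    ElseIf (lngType And GROUP_TYPE_ACCOUNT_GROUP) <> 0 Then
        strScope = "global"
    ElseIf (lngType And GROUP_TYPE_RESOURCE_GROUP) <> 0 Then
        strScope = "domain local"
    Else
        strScope = "unknown-scope"
    End If
    If (lngType And GROUP_TYPE_BUILTIN_LOCAL_GROUP) <> 0 Then
        strScope = "builtin " & strScope
    End If
    strResult = strScope & " " & strKind & " group"

    ' Report any bit this example does not decode instead of hiding it.
    lngKnown = GROUP_TYPE_BUILTIN_LOCAL_GROUP Or GROUP_TYPE_ACCOUNT_GROUP Or _
        GROUP_TYPE_RESOURCE_GROUP Or GROUP_TYPE_UNIVERSAL_GROUP Or _
        GROUP_TYPE_SECURITY_ENABLED
    If (lngType And Not lngKnown) <> 0 Then
        strResult = strResult & " (undecoded bits set)"
    End If
    DescribeGroupType = strResult
End Function

' Constructed sample input: the six table values plus the builtin value
' reported in the comments.
Dim varValue
For Each varValue In Array(2, 4, 8, -2147483646, -2147483644, -2147483640, -2147483643)
    WScript.Echo varValue & " = 0x" & Hex(varValue) & ": " & DescribeGroupType(varValue)
Next
```

To check a live group, pass objGroup.groupType from any of the scripts above to DescribeGroupType in place of the sample array.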

Comments (6)

  1. Perry says:

    I found a group that doesn’t show up in this. The value of -2147483643. Does anyone know what kind of group this is?

  2. Flags to U says:

    PS C:\scripts> '0x{0:x}' -f -2147483643
    0x80000005

    http://msdn.microsoft.com/en-us/library/cc223142.aspx

  3. Perry says:

    This value seems to be for these Built In Local Security Groups:
    Backup Operators
    Guests
    Remote Desktop Users
    Replicator
    Server Operators

  4. Chris S says:

    I couldn’t get this to work 🙁

    Simply trying the very basic script at the beginning of this article (where it outputs the groups as numbers), and my VBS script fails at the LDAP string. Once I modify the string to have VBS accept it, it says “overflow.”

  5. Louis says:

    Builtin Local, Resource, Security 0x80000005 -2147483643

    These are built in security groups. Leave them alone.

    Here’s a guide, hope it helps explain how it all fits together.

    Builtin Local, Resource, Security 0x80000005 -2147483643
    Account, Security 0x80000002 -2147483646
    Universal, Security 0x80000008 -2147483640
    Universal 0x8 8

    GROUP_TYPE_BUILTIN_LOCAL_GROUP 0x00000001 1
    GROUP_TYPE_ACCOUNT_GROUP 0x00000002 2
    GROUP_TYPE_RESOURCE_GROUP 0x00000004 4
    GROUP_TYPE_UNIVERSAL_GROUP 0x00000008 8
    GROUP_TYPE_APP_BASIC_GROUP (not in AD) 0x00000010 16
    GROUP_TYPE_APP_QUERY_GROUP (not in AD) 0x00000020 32
    GROUP_TYPE_SECURITY_ENABLED 0x80000000 -2147483648

    Global Security Group 0x80000002 -2147483646
    Local Security Group 0x80000004 -2147483644
    BuiltIn Group 0x80000005 -2147483643
    Universal Security Group 0x80000008 -2147483640

    Global Distribution Group 0x00000002 2
    Local Distribution Group 0x00000004 4
    Universal Distribution Group 0x00000008 8
