How Can I Tell Whether a Group is a Security Group or a Distribution Group?
Hey, Scripting Guy! Is there any way to tell whether an Active Directory group is a security group or a distribution group?
— AW
Hey, AW. As a matter of fact, there is; this script will tell you what type of group you’re dealing with:
Set objGroup = GetObject _
(“LDAP://cn=Finance Managers, ou=Finance, dc=Fabrikam, dc=com”)
Wscript.Echo objGroup.groupType
Pretty easy, huh?
Well, OK, maybe not. The preceding script works just fine, but it reports back a group type like -2147483640 or -2147483646 or maybe even 4. What the heck is going on?
As it turns out, the group type is not stored in Active Directory as a string value; that is, if you echo the value of the groupType attribute you’re not going to get back something like Global distribution group. Instead, you’re going to back one of the following numbers:
|
Value |
GroupType |
|
2 |
Global distribution group |
|
4 |
Domain local distribution group |
|
8 |
Universal distribution group |
|
-2147483646 |
Global security group |
|
-2147483644 |
Domain local security group |
|
-2147483640 |
Universal security group |
In case you’re interested, the values 2, 4, and 8 identify – respectively – global, domain local, and universal groups. The value -2147483648 identifies security groups. To determine the group type you add the first number (2, 4, or 8) to the second number (-2147483648 if the group is a security group, 0 if it’s a distribution group). A domain local distribution group has a value of 4 (4 + 0); a domain local security group has a value of -2147483644 (4 + -2147483648).
But you don’t need to worry about where these numbers come from; all you need to know is which number matches up with which groupType. With that information, you can add a Select Case statement to your script and precisely identify the group type:
Set objGroup = GetObject _
(“LDAP://cn=Finance Managers, ou=Finance, dc=Fabrikam, dc=com”)
Select Case objGroup.GroupType
Case 2
Wscript.Echo “This is a global distribution group.”
Case 4
Wscript.Echo “This is a domain local distribution group.”
Case 8
Wscript.Echo “This is a universal distribution group.”
Case -2147483646
Wscript.Echo “This is a global security group.”
Case -2147483644
Wscript.Echo “This is a domain local security group.”
Case -2147483640
Wscript.Echo “This is a universal security group.”
End Select
If all you care about is whether the group is a security group or a distribution group, then you could simply check to see if the groupType value is less than 0. If it is, then the group has to be a security group. Here’s a script that does that very thing:
Set objGroup = GetObject _
(“LDAP://cn=Finance Managers, ou=Finance, dc=Fabrikam, dc=com”)
If objGroup.groupType < 0 Then
Wscript.Echo “This is a security group.”
Else
Wscript.Echo “This is a distribution group.”
End If
Light
Dark
0 comments