Author: Sharon (Guest)
Posted: Sun Jan 16, 2005 2:39 am
Post subject: How to get users of a group

Hi to all.
I need to get all users that are members of a group.
Problem is, looking at the properties of a group object, I cannot find
members collection:
memberOf: CN=Users,CN=Builtin
cn: Domain Users
description: All domain users
groupType: -2147483646
instanceType: 4
isCriticalSystemObject: True
nTSecurityDescriptor: System.__ComObject
distinguishedName: CN=Domain Users,CN=Users
objectCategory: CN=Group,CN=Schema,CN=Configuration
objectClass: System.Object[]
objectGUID: System.Byte[]
objectSid: System.Byte[]
name: Domain Users
sAMAccountName: Domain Users
sAMAccountType: 268435456
uSNChanged: System.__ComObject
uSNCreated: System.__ComObject
whenChanged: 1/10/2005 14:18:16
whenCreated: 1/10/2005 14:18:16
Thanks, Sharon.
|
|
 |
Author: Joe Kaplan (MVP - ADSI) (Guest)
Posted: Sun Jan 16, 2005 4:39 am
Post subject: Re: How to get users of a group

The Builtin Users group and Domain Users group do not generally have members
in the member attribute like a normal group. Domain Users is typically used
as a primary group, so the members of it will have their primaryGroupID
attribute set to the RID of the group.
I'm not exactly sure how the builtin domain group is used these days, but it
is added to the security token for a user by the DC. Maybe Dmitri or
someone can elaborate.
Joe K.
|
 |
Author: Joe Richards [MVP] (Guest)
Posted: Sun Jan 16, 2005 11:55 am
Post subject: Re: How to get users of a group

The builtin Users group should have domain users, interactive, and authenticated
users in the member attribute. Interactive and auth users will obviously be FSPs.
You are 1000% correct on domain users membership of course. If you see anyone in
that members attribute it is usually someone who is a domain admin because the
primary group got changed from domain users to domain admins.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
|
 |
Author: Joe Kaplan (MVP - ADSI) (Guest)
Posted: Sun Jan 16, 2005 8:00 pm
Post subject: Re: How to get users of a group

Do you know if the Builtin Users group loses the Domain Users member by
default on Win2K3 native AD? I was just poking around with our domains and
noticed it isn't there.
A few weeks ago I noticed that tokenGroups no longer had the built-in domain
SIDs in it and I figured this was some sort of magic new feature in 2K3, but
obviously it is working in a predictable way. I'm just trying to figure out
when the group membership changed and can only think it would be when we
switched to native mode 2K3.
Joe K.
|
 |
Author: Joe Richards [MVP] (Guest)
Posted: Mon Jan 17, 2005 12:18 am
Post subject: Re: How to get users of a group

Both of my native mode K3 domains that I currently have up and running have
domain users in users... Not sure what is going on there for you, Joe.
I would be curious what your token looks like on a domain controller (that is
the only place not being in the builtin users group would impact you).
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
|
 |
Author: Joe Kaplan (MVP - ADSI) (Guest)
Posted: Mon Jan 17, 2005 8:38 am
Post subject: Re: How to get users of a group

The token definitely is missing BUILTIN\Users. I noticed pretty soon after
we rolled out 2K3. I originally thought tokenGroups was constructed
differently under 2K3 as I had never noticed that Domain Users was in Users.
We'll look into it for sure. The only people accessing our DCs are the
Domain Admins, so I'm not sure if they would have noticed anything.
Thanks,
Joe K.
|
 |
Author: Joe Richards [MVP] (Guest)
Posted: Mon Jan 17, 2005 6:13 pm
Post subject: Re: How to get users of a group

This is incorrect. It does have the attribute. Whether or not it is populated
depends on if anyone is in the group that doesn't have the group as the primary
group. Say like a domain admin or a company that uses different primary groups
for UNIX or Apple apps.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Sharon wrote:
| Quote: | As you can see in the attributes list, Domain Users group does not have a
members attribute at all.
I'll try a normal group.
Thanks, Sharon.
|
 |
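
The two replies above say that a group's membership is split: accounts using it as their primary group are found through `primaryGroupID` (the RID of the group), and only the remaining members appear in the `member` attribute. The following is an added example, not code from any poster in this thread, that decodes a binary `objectSid`, builds the matching LDAP filter, and merges both sources so a membership review does not miss primary-group members. The domain SID, account names and the dict layout standing in for directory results are constructed assumptions.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid (the System.Byte[] in the dump) to S-1-... form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("truncated or malformed SID")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])      # 32-bit each, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def rid_of(raw: bytes) -> int:
    """The RID is the last sub-authority of the SID."""
    return int(sid_to_str(raw).rsplit("-", 1)[1])

def primary_group_filter(group_sid: bytes) -> str:
    """LDAP filter for accounts whose primary group is this group."""
    return ("(&(objectCategory=person)(objectClass=user)(primaryGroupID=%d))"
            % rid_of(group_sid))

def effective_members(group: dict, users: list) -> dict:
    """Map each member DN to how it is a member: 'member' or 'primaryGroupID'."""
    rid = rid_of(group["objectSid"])
    found = {dn: "member" for dn in group.get("member", [])}
    for u in users:
        if u["primaryGroupID"] == rid:
            found[u["distinguishedName"]] = "primaryGroupID"
    return found

def make_sid(*subs):
    """Build a constructed NT-authority (5) SID for the sample data below."""
    return (bytes([1, len(subs)]) + (5).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

# Constructed sample data: the domain SID and account names are made up.
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
DOMAIN_USERS = {"distinguishedName": "CN=Domain Users,CN=Users",
                "objectSid": make_sid(*DOMAIN, 513),
                "member": ["CN=admin1,CN=Users"]}  # primary group is Domain Admins
USERS = [
    {"distinguishedName": "CN=alice,CN=Users", "primaryGroupID": 513},
    {"distinguishedName": "CN=bob,CN=Users", "primaryGroupID": 513},
    {"distinguishedName": "CN=admin1,CN=Users", "primaryGroupID": 512},
]

if __name__ == "__main__":
    print(primary_group_filter(DOMAIN_USERS["objectSid"]))
    for dn, via in sorted(effective_members(DOMAIN_USERS, USERS).items()):
        print(via.ljust(15), dn)
```

Against a live directory the filter string would be passed to a search over user objects, and the result merged with the group's `member` values in the same way.
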
Author: Sharon (Guest)
Posted: Mon Jan 17, 2005 6:13 pm
Post subject: Re: How to get users of a group

As you can see in the attributes list, Domain Users group does not have a
members attribute at all.
I'll try a normal group.
Thanks, Sharon.