Tag Archives: Group Type Flags

Active Directory Friday: Distribution group membership for AD User

To get a list of distribution groups an Active Directory user account is a member of of we can query Active Directory. For example by combining the Get-ADUser and Get-ADGroup cmdlets. To generate this list the following code can be used:

1
2
3
Get-ADUser -Identity JaapBrasser -property memberof |
Select-Object -ExpandProperty memberof | Get-ADGroup |
Where-Object {$_.groupcategory -eq 'Distribution'}

The Get-ADUser cmdlet gets all the groups Jaap Brasser is a member of, the Select-Object cmdlet expands the MemberOf attribute which is then piped into the Get-ADGroup cmdlet. The last step is using the Where-Object cmdlet to filter out only the Distribution groups to get the desired results.

Alternatively the DirectoryServices DirectorySearcher object can be used. This object does not require the Active Directory module to be installed and can run on any version of PowerShell. The following code can be used:

1
2
3
4
5
6
7
8
9
10
$ADSearcher = New-Object DirectoryServices.DirectorySearcher -Property @{
    Filter = "(samaccountname=JaapBrasser)"
} | ForEach-Object {
    $_.FindOne().Properties.memberof | ForEach-Object {
        $CurrentGroup = [adsi]"LDAP://$_"
        if (-not ([int](-join $CurrentGroup.Properties.grouptype) -band 0x80000000)) {
            $CurrentGroup.Properties.name
        }
    }
}

This sample works by querying Active Directory for the samaccountname JaapBrasser. Of this user account the distinguishedname of each group object is retrieved. The group type is explained in last weeks post as well, in which I explained about the hex codes which defines whether a group is a Security Group or a Distribution group. The article is available here: Creating Active Directory groups using PowerShell

For more information on this subject please refer to the following links:

Distribution group membership
Get-ADGroup
Get-ADUser
Understanding Groups
2.2.12 Group Type Flags
Creating Active Directory groups using PowerShell
Share

Active Directory Friday: Creating Active Directory groups using PowerShell

Creating a group in Active Directory using PowerShell is relatively simple when using the Active Directory module. To create a Global Distribution Group the following code can be executed:

1
New-ADGroup -Name NewGlobalDG_1 -GroupScope Global -GroupCategory Distribution

When creating a Domain Local Security Group the GroupScope can be changed to DomainLocal and GroupCategory can be omitted since the default is a Security Group:

1
New-ADGroup -Name NewDLSG_1 -GroupScope DomainLocal

Creating groups using the [adsi] provider is a three step process. First we bind to the OU in which the group should be created. Secondly we enter the name and the properties of the group that should be created. And by finally calling the SetInfo() method to create the group. The following code will create a group:

1
2
3
4
5
$TargetOU = [adsi]'LDAP://OU=Groups,DC=jaapbrasser,DC=com'
$Group = $TargetOU.Create('group','cn=System_Operators')
$Group.put('grouptype',0x80000004)
$Group.put('samaccountname','System_Operators')
$Group.SetInfo()

To specify the Group Type a hexadecimal value is required as specified in the following MSDN article: 2.2.12 Group Type Flags. The following table lists all the possible values:

Symbolic name Value
GROUP_TYPE_BUILTIN_LOCAL_GROUP 0x00000001
GROUP_TYPE_ACCOUNT_GROUP 0x00000002
GROUP_TYPE_RESOURCE_GROUP 0x00000004
GROUP_TYPE_UNIVERSAL_GROUP 0x00000008
GROUP_TYPE_APP_BASIC_GROUP 0x00000010
GROUP_TYPE_APP_QUERY_GROUP 0x00000020
GROUP_TYPE_SECURITY_ENABLED 0x80000000

It is important to note that only four values are relevant to us when creating Active Directory accounts:

  • GROUP_TYPE_ACCOUNT_GROUP – 0x00000002
  • GROUP_TYPE_RESOURCE_GROUP – 0x00000004
  • GROUP_TYPE_UNIVERSAL_GROUP – 0x00000008
  • GROUP_TYPE_SECURITY_ENABLED – 0x80000000

To simplify the creation of groups these values can be place in a hashtable:

1
2
3
4
5
6
$GroupType = @{
    Global      = 0x00000002
    DomainLocal = 0x00000004
    Universal   = 0x00000008
    Security    = 0x80000000
}

Using the values stored in the hash table it is now possible to create any of the three group scopes as either a distribution group or security group. The following example uses the -bor operator to combine the values to create a Universal Security Group:

1
2
3
4
5
$TargetOU = [adsi]'LDAP://OU=Groups,DC=jaapbrasser,DC=com'
$Group = $TargetOU.Create('group','cn=Universal_Operators')
$Group.put('grouptype',($GroupType.Universal -bor $GroupType.Security))
$Group.put('samaccountname','Universal_Operators')
$Group.SetInfo()

That is all there is to it, using this methodology it is possible to create any type of Active Directory group using either the Active Directory module or the [adsi] type accelerator. Below I have included some links in regards to this topic.

Creating Active Directory Groups
New-ADGroup
Understanding Groups
2.2.12 Group Type Flags
Share