Get all groups

We have just about finished with users. While I’m thinking about what else we need to do with users, we’ll start digging into groups a bit more, starting with listing the groups in the domain.

## lists the groups in a domain
## getgrouptype decodes the groupType attribute into the category and scope
## values the cmdlets display. Each number is a scope bit (2 Global,
## 4 DomainLocal, 8 Universal, 1 BuiltinLocal) plus, for security groups,
## the security-enabled bit 0x80000000, which is what makes the value negative.
function getgrouptype {
    param($grouptype)

    $gt = New-Object -TypeName PSObject -Property @{
        GroupCategory = ""
        GroupScope = ""
    }

    switch ($grouptype) {
        2 {
            $gt.GroupCategory = "Distribution"
            $gt.GroupScope = "Global"
        }
        4 {
            $gt.GroupCategory = "Distribution"
            $gt.GroupScope = "DomainLocal"
        }
        8 {
            $gt.GroupCategory = "Distribution"
            $gt.GroupScope = "Universal"
        }
        -2147483646 {
            $gt.GroupCategory = "Security"
            $gt.GroupScope = "Global"
        }
        -2147483644 {
            $gt.GroupCategory = "Security"
            $gt.GroupScope = "DomainLocal"
        }
        -2147483643 {
            ## 0x80000005: security + DomainLocal + BuiltinLocal bits set
            $gt.GroupCategory = "Security"
            $gt.GroupScope = "BuiltinLocal"
        }
        -2147483640 {
            $gt.GroupCategory = "Security"
            $gt.GroupScope = "Universal"
        }
        default { Throw "Error - Unrecognised group type" }
    }

    $gt
}

"`nMicrosoft"
## ActiveDirectory module cmdlet: category and scope are already decoded
Get-ADGroup -Filter * |
Format-Table Name, DistinguishedName, GroupCategory, GroupScope

"`nAD provider"
## AD: drive from the ActiveDirectory module, walked from the domain root
$root = [ADSI]""
Get-ChildItem -Filter "(objectclass=group)" -Path Ad:\"$($root.distinguishedname)" -Recurse |
foreach {

    $group = [adsi]"LDAP://$($_.DistinguishedName)"

    $gt = getgrouptype $($group.GroupType)

    New-Object -TypeName PSObject -Property @{
        Name = $($group.Name)
        DistinguishedName = $($group.DistinguishedName)
        GroupCategory = $($gt.GroupCategory)
        GroupScope = $($gt.GroupScope)
    }

} | Format-Table Name, DistinguishedName, GroupCategory, GroupScope

"`nQuest"
## Quest AD cmdlets: note the different property names (DN, GroupType)
Get-QADGroup |
Format-Table Name, DN, GroupType, GroupScope

"`nScript"
## Plain .NET DirectorySearcher over the domain root
$root = [ADSI]""
$search = [adsisearcher]$root
$search.Filter = "(objectclass=group)"
$search.SizeLimit = 3000
$search.FindAll() |
foreach {
    $group = $_.GetDirectoryEntry()

    $gt = getgrouptype $($group.GroupType)

    New-Object -TypeName PSObject -Property @{
        Name = $($group.Name)
        DistinguishedName = $($group.DistinguishedName)
        GroupCategory = $($gt.GroupCategory)
        GroupScope = $($gt.GroupScope)
    }

} | Format-Table Name, DistinguishedName, GroupCategory, GroupScope

The function getgrouptype is used to decipher the groupType property on the group object. I’ve pre-calculated the values for the various types of groups – security and distribution – global, domain local and universal. The one that may appear odd is the BuiltinLocal security group: look at the properties of the groups in the Builtin container, such as Administrators, and you will see examples.

The Microsoft and Quest cmdlets both misreport these as DomainLocal.

The two cmdlets are otherwise identical apart from how the distinguished name and group category (type) properties are named.

The script and provider both search for all groups and, for each one, get a directory entry, decipher the groupType attribute and output the result.
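As an added example (not part of the original post), here is a decoder that works from the groupType bit flags rather than the pre-calculated totals, so it generalises to any combination; it tests the BuiltinLocal bit before the DomainLocal bit, which is how it distinguishes the Builtin container groups that the cmdlets show as DomainLocal. The final comparison assumes the ActiveDirectory module is loaded and a domain is reachable; the sample values are constructed.

```powershell
# Added example, not from the original post: decode groupType from its
# ADS_GROUP_TYPE_* bit flags instead of matching pre-calculated totals.
function ConvertFrom-GroupType {
    param([Parameter(Mandatory)][int]$GroupType)

    $BuiltinLocal = 0x1
    $Global       = 0x2
    $DomainLocal  = 0x4
    $Universal    = 0x8
    # ADS_GROUP_TYPE_SECURITY_ENABLED is 0x80000000, the sign bit of an Int32,
    # which is why the security values in getgrouptype are negative.
    $Security     = [int]::MinValue

    # A Builtin container group carries both the BuiltinLocal and DomainLocal
    # bits (0x80000005), so test BuiltinLocal first or it is classified as
    # DomainLocal, which is what the cmdlets display for those groups.
    $scope = if ($GroupType -band $BuiltinLocal) { 'BuiltinLocal' }
             elseif ($GroupType -band $DomainLocal) { 'DomainLocal' }
             elseif ($GroupType -band $Global) { 'Global' }
             elseif ($GroupType -band $Universal) { 'Universal' }
             else { 'Unrecognised' }

    [PSCustomObject]@{
        GroupType     = $GroupType
        GroupCategory = if ($GroupType -band $Security) { 'Security' } else { 'Distribution' }
        GroupScope    = $scope
    }
}

# Constructed sample values covering every row of getgrouptype's switch
-2147483643, -2147483646, -2147483644, -2147483640, 2, 4, 8 |
    ForEach-Object { ConvertFrom-GroupType $_ } |
    Format-Table GroupType, GroupCategory, GroupScope

# Against a live domain (assumes the ActiveDirectory module): list every group
# whose decoded scope differs from the GroupScope the cmdlet reports; these
# should be exactly the Builtin container groups described in the text.
Get-ADGroup -Filter * -Properties groupType |
    ForEach-Object {
        $decoded = ConvertFrom-GroupType $_.groupType
        if ($decoded.GroupScope -ne [string]$_.GroupScope) {
            [PSCustomObject]@{
                Name     = $_.Name
                Reported = $_.GroupScope
                Decoded  = $decoded.GroupScope
            }
        }
    } | Format-Table Name, Reported, Decoded
```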

This entry was posted in PowerShell and Active Directory.