Directory Services

Enumerating Groups by Scope or Type in a Domain

In Windows® 2000 domains, there is a single class called group for all group scopes (Domain Local, Global, Universal) and types (security, distribution). The groupType property of the group object specifies the group type and scope.

To use type or scope to enumerate or search for groups on Windows 2000 domains, use a filter that contains a matching rule for the groupType property.

Matching rules have the following syntax:

attributename:ruleOID:=value

where attributename is the ldapDisplayName of the attribute, ruleOID is the OID for the matching rule, and value is the value to use for comparison. Spaces are not allowed in this string. Also, value must be a decimal number; it cannot be a hexadecimal number or a constant name such as ADS_GROUP_TYPE_SECURITY_ENABLED.

Active Directory supports the two matching rules listed in the following table.

| Matching Rule OID | Description |
| --- | --- |
| 1.2.840.113556.1.4.803 | LDAP_MATCHING_RULE_BIT_AND. The matching rule is true only if all bits from the property match the value. This rule is like the bit-wise AND operator. |
| 1.2.840.113556.1.4.804 | LDAP_MATCHING_RULE_BIT_OR. The matching rule is true if any bits from the property match the value. This rule is like the bit-wise OR operator. |

Example Query Strings

The following query string code example searches for security groups. It uses the decimal equivalent of the ADS_GROUP_TYPE_SECURITY_ENABLED flag.

(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=2147483648))

The following query string searches for Universal distribution groups; that is, Universal groups without the ADS_GROUP_TYPE_SECURITY_ENABLED flag. The filter uses 8 as the decimal equivalent of ADS_GROUP_TYPE_UNIVERSAL_GROUP, and 2147483656 as the decimal equivalent of ADS_GROUP_TYPE_UNIVERSAL_GROUP + ADS_GROUP_TYPE_SECURITY_ENABLED.

(&(objectCategory=group)(&(groupType:1.2.840.113556.1.4.804:=8)(!(groupType:1.2.840.113556.1.4.803:=2147483656))))

The following query string code example searches for all Universal groups — this includes Universal groups that are of type security as well as distribution.

(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=8))

The following query string code example searches for Universal security groups.

(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483656))
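The following Python sketch is an added example, not part of the original documentation: it builds the groupType terms used above from flag names (always in decimal) and evaluates the two matching rules offline against constructed groupType values, which is a quick way to check what a filter will select before running it in an audit of security-enabled groups. The helper names (term, term_matches, select) and the sample group names are hypothetical.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR

# groupType flag values (ADS_GROUP_TYPE_ENUM)
FLAGS = {
    "ADS_GROUP_TYPE_GLOBAL_GROUP": 0x00000002,
    "ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP": 0x00000004,
    "ADS_GROUP_TYPE_UNIVERSAL_GROUP": 0x00000008,
    "ADS_GROUP_TYPE_SECURITY_ENABLED": 0x80000000,
}

def term(oid, *flag_names):
    """Build one groupType matching-rule term: decimal value, no spaces."""
    value = 0
    for name in flag_names:
        value |= FLAGS[name]
    return f"(groupType:{oid}:={value})"

def term_matches(t, stored):
    """Evaluate a term against a stored groupType value."""
    m = re.fullmatch(r"\(groupType:([\d.]+):=(\d+)\)", t)
    if m is None or m.group(1) not in (BIT_AND, BIT_OR):
        raise ValueError(f"not a decimal matching-rule term: {t!r}")
    value = int(m.group(2))
    # The directory returns groupType as a signed 32-bit integer, so mask first.
    common = (stored & 0xFFFFFFFF) & value
    return common == value if m.group(1) == BIT_AND else common != 0

def select(groups, must=(), must_not=()):
    """Names of groups matching every `must` term and no `must_not` term."""
    return sorted(name for name, gt in groups.items()
                  if all(term_matches(t, gt) for t in must)
                  and not any(term_matches(t, gt) for t in must_not))

# Constructed sample data: group name -> groupType as returned (signed).
SAMPLE = {
    "gs-finance": -2147483646,     # Global security
    "dls-fileshare": -2147483644,  # Domain Local security
    "us-admins": -2147483640,      # Universal security
    "ud-all-staff": 8,             # Universal distribution
    "gd-newsletter": 2,            # Global distribution
}
U, S = "ADS_GROUP_TYPE_UNIVERSAL_GROUP", "ADS_GROUP_TYPE_SECURITY_ENABLED"

if __name__ == "__main__":
    print(select(SAMPLE, must=[term(BIT_OR, S)]))          # security groups
    print(select(SAMPLE, must=[term(BIT_OR, U)], must_not=[term(BIT_AND, U, S)]))
    print(select(SAMPLE, must=[term(BIT_AND, U, S)]))      # Universal security
    print(select(SAMPLE, must=[term(BIT_OR, U, S)]))       # OR on two bits: broader
```

The last call shows why the Universal security query uses the 803 rule: with the 804 rule, the combined value 2147483656 also matches every other security group and every Universal distribution group.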