Enumerating Groups on Member Servers and Windows 2000 Professional

On member servers and computers running on Windows 2000 Professional, you can enumerate all local groups.

Only local groups can be created on member servers and Windows 2000 Professional. However, those machine local groups can contain:

• Universal and Global groups from the forest that contains the domain to which the computer is a member.
• Domain local groups from that computer's domain.
• Users from any domain in the forest.

To enumerate the machine local groups on a member server or computer running Windows 2000 Professional

1. Bind to the computer using the following rules:
   1. Use an account that has rights to access that computer.
   2. Use the following binding string format using the WinNT provider, computer name, and an extra parameter to instruct ADSI that it is binding to a computer:

      WinNT://sComputerName, computer

      where sComputerName is the name of the computer-groups to access.

      In the binding string, the ",computer" parameter instructs ADSI that it is binding to a computer. ADSI exposes this data to the WinNT provider's parser so that it can skip some ambiguity-resolution queries to determine what type of object you are binding to.

   3. Bind to the IADsContainer interface.
2. Set a filter that contains "groups" using the IADsContainer::put_Filter property method. This enables you to enumerate the container and retrieve only groups.
3. Enumerate the group objects, using the IADsContainer::get__NewEnum method.
4. For each the group object, using the IADsGroup methods to read the name and members of the group.