CODEWITHSUNDEEP
active-directorydirectoryservices
Chris Li
Chris Li

Reputation: 3725

How to determine whether a group is security group?

I need to check whether a group given by name is a security group in AD using C# code. I notice there's a property named "groupType" in groups properties, but I don't know what this property is used for. I checked several groups and find its value can be null, 8 or -2147483646. Is it associated with the security group type? I also find in the distinguishedName of the group, there can be "OU=Security Group" or "OU=Secuity Group with Mail Lists" blabla. Can it be a criteria to determine security group type? Thanks in advance.

Upvotes: 4

Views: 12657

Answers (3)

J Weezy
J Weezy

Reputation: 3957

With all due to respect to Matt, the better answer should come from Microsoft:

https://msdn.microsoft.com/en-us/library/ms675935(v=vs.85).aspx

The values are the same, but should still come from the creator. The * security group is derived from adding the security group value of -2147483648 to the * distribution group value.

https://blogs.technet.microsoft.com/heyscriptingguy/2004/12/21/how-can-i-tell-whether-a-group-is-a-security-group-or-a-distribution-group/

Upvotes: 3

Chris Li
Chris Li

Reputation: 3725

You can use "Security Group" as a query condition. But it's not so trustful based on how your company set up it. It's better to have a OU entry for all security groups and use that entry directly.

Upvotes: 1

Matt
Matt

Reputation: 1005

From http://adsearch-winzero.blogspot.com/2006/04/object-group-attribute-grouptype.html

The groupType attribute returns the type of group. However the returned value is in RAW format.

...

-2147483646 ~ Global Security Group
-2147483644 ~ Local Security Group
-2147483643 ~ BuiltIn Group
-2147483640 ~ Universal Security Group

2 ~ Global Distribution Group
4 ~ Local Distribution Group
8 ~ Universal Distribution Group

Upvotes: 12

Related Questions