Hi,

I'm trying to obtain a list of all Machines that are members of a known group. I have the group GUID and am constructing a query using the "memberof=" format and filtering by ObjectClass.

This works fine but doesn't return machines if the PrimaryGroup attribute of a machine is set to be the known group. In this case, that machine won't be returned.

I've found the explanation of why this is in the following link (See Joe Kaplan's response) http://www.eggheadcafe.com/software/aspnet/29773581/active-directory-query-c.aspx

Unfortunately the outlined answer is how to obtain the list of groups from a given user. I'd like to do the reverse and from a given group obtain the list of machines.

It seems that the PrimaryGroup information is stored on the Machine/User side so I'm not sure if what I want to do is even possible.

I had thought I would be able to query the TokenGroup attribute of the known group and then construct a query to return all machines that have the TokenGroup attribute set but it seems that not all groups have this attribute.

Does anyone have any ideas or suggestions? If any clarification is needed let me know!

Much appreciated,

Ben

A: 

Solution is to issue the following query:

(|(&(objectclass=computer)(memberof=))(&(objectclass=computer)(primarygroupid={1})))

The first part ensures that computers belonging to the group with the given guid are returned. The second part ensures that computers that have the primarygroupid set to the given primarygrouptoken (taken from the known group) are returned.

This query returns all computers for the group!

Ben Cawley