
Posted

In a large AD forest, universal security groups have been defined, for example "CN=RD_UG_ALLusers,OU=Universal,OU=Groups,OU=XXX Global,DC=dc1,DC=dc2,DC=com".

In dsa.msc this group can be found and is categorized as a universal group.

I can use dsquery with normal (non-elevated) account to find this group, for example:

dsquery  * "dc=dc1,dc=dc2,dc=com" -scope subtree -filter "(&(objectCategory=group)(groupType=-2147483640)(name=RD_UG_ALLusers))" -s dc1.dc2.com:3268 -gc

The returned value is shown as the CN value in the first line above.

In the dsquery I can even get away with a much simpler command and still get a value returned: dsquery * "dc=dc1,dc=dc2,dc=com" -scope subtree -filter "(&(objectCategory=group)(name=RD_UG_ALLusers))"

But I have not been able to find a combination of parameters for the _AD_GetObjectsInOu call that will return a value for this universal group. Note that I have no such difficulty with Domain local and Global security groups.

Here's an AutoIT example command I'm using:

Local $aGroupOUs = _AD_GetObjectsInOU("DC=dc1,DC=dc2,DC=com","(&(objectCategory='group')(groupType=-2147483640)(cn='RD_UG_ALLusers'))", 2, "cn,samaccountname", "")

The above returns no values and an extended error code = 1 (Specified OU does not exist).

Of course, I've tried various filters (with or without the groupType value, an "*" for the OU value (first parameter), and so on), all to no avail.

I have made sure that the server is the global catalog server using port 3268 when opening AD.

Are there any suggestions as to how to get information on universal security groups?

P.S. I have been using the AD.au3 UDF for a very long time and really appreciate the functionality that it provides.
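As an added illustration (not code from the post or from the AD.au3 UDF), the groupType value -2147483640 used in the dsquery filter above is the signed 32-bit form of the UNIVERSAL (0x8) and SECURITY_ENABLED (0x80000000) bits. The Python below decodes such values, builds the matching LDAP filter for each scope, and escapes the cn value so a group name cannot change the filter structure; the filter syntax is the standard LDAP form, and the bitwise matching rule OID is the documented LDAP_MATCHING_RULE_BIT_AND.

```python
# Added example: decode AD groupType values and build LDAP group filters.
# Flag bits are the documented ADS_GROUP_TYPE_ENUM values.
GROUP_TYPE_FLAGS = {
    0x00000002: "GLOBAL",
    0x00000004: "DOMAIN_LOCAL",
    0x00000008: "UNIVERSAL",
    0x80000000: "SECURITY_ENABLED",
}
SCOPE_BITS = {"GLOBAL": 0x2, "DOMAIN_LOCAL": 0x4, "UNIVERSAL": 0x8}
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND


def to_signed32(value):
    """AD stores groupType as a signed 32-bit int; the security bit makes it negative."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def decode_group_type(value):
    """Return the flag names set in a groupType value (signed or unsigned form)."""
    unsigned = value & 0xFFFFFFFF
    return [name for bit, name in GROUP_TYPE_FLAGS.items() if unsigned & bit]


def escape_filter_value(text):
    """RFC 4515 escaping so a name like 'R&D (all)' cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in text)


def group_filter(scope, cn=None, security=True):
    """LDAP filter for groups of one scope (exact groupType match), optionally by cn."""
    bits = SCOPE_BITS[scope] | (0x80000000 if security else 0)
    parts = ["(objectCategory=group)", "(groupType=%d)" % to_signed32(bits)]
    if cn is not None:
        parts.append("(cn=%s)" % escape_filter_value(cn))
    return "(&" + "".join(parts) + ")"


def security_groups_any_scope_filter(cn=None):
    """Bitwise-AND match on the security bit: security-enabled groups of any scope."""
    body = "(objectCategory=group)(groupType:%s:=%d)" % (BIT_AND_RULE, 0x80000000)
    if cn is not None:
        body += "(cn=%s)" % escape_filter_value(cn)
    return "(&" + body + ")"


if __name__ == "__main__":
    print(decode_group_type(-2147483640))          # ['UNIVERSAL', 'SECURITY_ENABLED']
    print(group_filter("UNIVERSAL", cn="RD_UG_ALLusers"))
    print(group_filter("DOMAIN_LOCAL"), group_filter("GLOBAL"))
    print(security_groups_any_scope_filter())
```

The exact-match filters show why a query for -2147483640 returns only universal security groups: domain local and global security groups carry -2147483644 and -2147483646 respectively, so when a scope-specific filter returns nothing it is worth checking the connection (server and port 3268) before the filter.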

 

Posted

I'm closing this topic as I have found a solution.

Basically, in the app I'm flipping between my regular domain, and the global domain, and the flipping action was not properly setting things up in the initial go-from-regular-to-global-domain action. This was causing the AD query to fail.

Thanks to everyone who may have already looked at this issue, and I'm now sorry that I brought this up.

Bob
