I am currently able to find all of the groups a user belongs to by using the
simple memberOf method. Computers are different, I can find all but the
PrimaryGroup using this method. I have tried multiple scripts to try to get
this done, but they all took too long or didn't work. I am on a tight time
limit here and any help would be greatly appreciated.

Re: Resolve PrimaryGroupID Name For A Computer by Richard

Richard
Thu Dec 06 20:20:23 PST 2007

CompGuy wrote:

> I am currently able to find all of the groups a user belongs to by using the
> simple memberOf method. Computers are different, I can find all but the
> PrimaryGroup using this method. I have tried multiple scripts to try to get
> this done, but they all took too long or didn't work. I am on a tight time
> limit here and any help would be greatly appreciated.

The situation is exactly the same for user and computer objects. In both
cases the memberOf attribute does not include the "primary" group. In both
cases the value of the primaryGroupID attribute of the object indicates the
"primary" group. The value matches the primaryGroupToken attribute of the
"primary" group object. A complication is that the primaryGroupToken
attribute is a calculated attribute (operational), so the value is not saved
in Active Directory. The procedure is to retrieve the value of the
primaryGroupID of the user or computer, then find the group with a matching
value for primaryGroupToken.

I have an example VBScript program that determines the "primary" group of a
user linked here:

http://www.rlmueller.net/Get%20Primary%20Group.htm

The same program can be used for computer objects by modifying the following
line in the program:

Set objUserWinNT = GetObject("WinNT://" & strUserNTName & ",user")

to be as follows:

Set objUserWinNT = GetObject("WinNT://" & strUserNTName & ",computer")

In almost all cases, the "primary" group for users is "Domain Users" and for
computers is "Domain Computers". There really is no reason to ever change
this. In many cases it is safe to assume these group memberships. If this
cannot be done, a program like the one I linked can reveal the "primary"
group.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
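
The lookup described in the reply above, as an added example that is not part of the original post or the linked VBScript program. It relies on the fact that a group's primaryGroupToken equals the RID (last sub-authority) of its objectSid, so the primary group's SID can be built from the computer's own objectSid and primaryGroupID and searched for directly instead of scanning every group. It is written in Python so it runs offline; the domain SID, the WKS01$ record and the group table are constructed sample data.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid into S-1-... string form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])  # little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def str_to_sid(text: str) -> bytes:
    """Encode S-1-... string form as the binary value stored in objectSid."""
    parts = text.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def primary_group_sid(object_sid: bytes, primary_group_id: int) -> str:
    """Swap the object's own RID for primaryGroupID to get the group's SID."""
    if len(object_sid) < 12 or len(object_sid) != 8 + 4 * object_sid[1]:
        raise ValueError("malformed objectSid")
    domain_sid = sid_to_str(object_sid).rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, primary_group_id)

def ldap_filter_for_sid(sid: str) -> str:
    """Build an (objectSid=...) filter with each byte escaped as \\XX."""
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in str_to_sid(sid))

# Constructed sample data (not from a real domain)
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
COMPUTER = {"sAMAccountName": "WKS01$",
            "objectSid": str_to_sid(DOMAIN + "-1105"),
            "primaryGroupID": 515}
GROUPS = {DOMAIN + "-513": "Domain Users", DOMAIN + "-515": "Domain Computers"}

def resolve(entry: dict) -> str:
    """Return the primary group's name from the constructed GROUPS table."""
    return GROUPS[primary_group_sid(entry["objectSid"], entry["primaryGroupID"])]

if __name__ == "__main__":
    sid = primary_group_sid(COMPUTER["objectSid"], COMPUTER["primaryGroupID"])
    print(COMPUTER["sAMAccountName"], "->", resolve(COMPUTER), sid)
    print(ldap_filter_for_sid(sid))
```

Against a live directory, the filter string returned by `ldap_filter_for_sid` is what would be sent as a single search for the group object.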



Re: Resolve PrimaryGroupID Name For A Computer by CompGuy

CompGuy
Mon Dec 10 10:04:03 PST 2007

Sorry for the late response.

I was able to get it to work for users, but not computers. It kept on
throwing errors whenever I entered in what you told me.