JSI Tip 7728. When you inspect the value of a user's primaryGroupID, in DSQUERY, you only see a number?


When you return a user's primaryGroupID using DSQUERY, instead of seeing a group name, like Domain Users, you see a number.

The number you are seeing is the RID (Relative IDentifier), the last string of the group SID.

I have scripted ListGroupRID.bat to display the RID and group name in your domain.

The syntax for using ListGroupRID.bat is:

ListGroupRID

The output is displayed on the CMD console, but you can pipe it to a file using the following syntax:

ListGroupRID>FileName

You can use the output in subsequent commands, as in:

for /f "Tokens=1*" %%i in ('ListGroupRID') do SomeCommand %%i %%j

In my domain, the output looks like:

 512 "Domain Admins"
 513 "Domain Users"
 514 "Domain Guests"
 515 "Domain Computers"
 516 "Domain Controllers"
 519 "Enterprise Admins"
 520 "Group Policy Creator Owners"
 544 "Administrators"
 545 "Users"
 546 "Guests"
 548 "Account Operators"
 549 "Server Operators"
 550 "Print Operators"
 551 "Backup Operators"
 552 "Replicator"
 553 "RAS and IAS Servers"
 554 "Pre-Windows 2000 Compatible Access"
 555 "Remote Desktop Users"
 556 "Network Configuration Operators"
 557 "Incoming Forest Trust Builders"
 558 "Performance Monitor Users"
 559 "Performance Log Users"
 560 "Windows Authorization Access Group"
 561 "Terminal Server License Servers"
1000 "HelpServicesGroup"
1002 "TelnetClients"
1003 "DHCP Users"
1004 "DHCP Administrators"
1106 "DnsAdmins"
1107 "DnsUpdateProxy"
1125 "IIS_WPG"
1129 "accountants"
1130 "Accounts Payables"
1132 "TST DIST"
1135 "SharePointAdmins"
1140 "OU_TEST Administrators"
ListGroupRID.bat contains:
@echo off
setlocal
if exist "%TEMP%\%ComputerName%_ListGroupRID_1.tmp" del /q "%TEMP%\%ComputerName%_ListGroupRID_1.tmp"
if exist "%TEMP%\%ComputerName%_ListGroupRID_2.tmp" del /q "%TEMP%\%ComputerName%_ListGroupRID_2.tmp"
set query=dsquery * domainroot -filter "(&(objectClass=Group))" -attr objectSid sAMAccountName -limit 0
for /f "Skip=1 Tokens=1*" %%a in ('%query%') do call :rid %%a "%%b"
sort "%TEMP%\%ComputerName%_ListGroupRID_1.tmp" /O "%TEMP%\%ComputerName%_ListGroupRID_2.tmp"
type "%TEMP%\%ComputerName%_ListGroupRID_2.tmp"
del /q "%TEMP%\%ComputerName%_ListGroupRID_1.tmp"
del /q "%TEMP%\%ComputerName%_ListGroupRID_2.tmp"
endlocal
goto :EOF
:rid
set wrk1=%1
set wrk2=%2
set wrk2=%Wrk2:  =%
set wrk2=%Wrk2: "="%
:rid1
set wrk3=
for /f "Tokens=1* Delims=-" %%x in ('@echo %wrk1%') do (
 set wrk3=%%x
 set wrk1=%%y
)
if "%wrk1%" NEQ "" goto rid1
@echo %wrk3% %wrk2%>>"%TEMP%\%ComputerName%_ListGroupRID_1.tmp"  
NOTE: See How can I convert a primaryGroupID to a group name in a script?



Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish