JSI Tip 8070. How can I tranlate the numeric primaryGroupID into the distinguishedName of the group?


NOTE: Script revised on 05-Jun-2005.

There is a group membership limitation of 5000 users, because of the maximum size of the memberOf attribute.

By default, every user is a member of the Domain Users global group, which is generally not in the memberOf attribute, but held as a numeric value in the primaryGroupID attribute. This numeric value is the RID (Relative IDentifier) of the group that is assigned as the user's Primary group.

NOTE: If you have to add more than 5000 users to a group, use nested groups to workaround the limitation.

I have scripted primaryGroupID.bat to return the distinguishedName of the user's Primary group.

The syntax for using primaryGroupID.bat is:

call primaryGroupID pgi pgidn

where pgi is the numeric primaryGroupId and pgidn is a call directed environment variable that will contain the distinguishedName of the user's Primary group.

primaryGroupID.bat contains:

@echo off
if \{%2\}

\{\} @echo Syntax: primaryGroupID PGI PGdistinguishedName&goto :EOF if "%$PrimaryGroupId%" EQU "Y" if exist "%TEMP%\primaryGroupID.TMP" goto findit set $PrimaryGroupId=Y setlocal ENABLEDELAYEDEXPANSION if exist "%TEMP%\primaryGroupID.TMP" del /q "%TEMP%\primaryGroupID.TMP" set query=dsquery * domainroot -filter "(&(objectClass=group))" -attr objectSID distinguishedName -limit 0 For /f "Skip=1 Tokens=1*" %%a in ('%query%') do ( set pgi=%%a set group="%%b" call :parse ) endlocal goto findit :parse for /f "Tokens=1-8 Delims=-?" %%c in ('@echo %pgi%') do ( call :sid %%c %%d %%e %%f %%g %%h %%i %%j ) set pgi=%sid% set group=%group: =% set group=%group: "="% if %group% EQU "" goto :EOF if not "%group:~1,3%" EQU "CN=" goto :EOF @echo %pgi% %group%>>"%TEMP%\primaryGroupID.TMP" goto :EOF :sid set sid=%1 :sidl shift if \{%1\}

\{\} goto :EOF set sid=%1 goto sidl :findit set %2=NONE for /f "Tokens=1*" %%a in ('type "%TEMP%\primaryGroupId.TMP"^|findstr /c:"%1"') do ( set %2=%%b )



Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish