AD plugin and universal group

thechaos · ‎10-04-2011

Hi,

short question regarding the creation of groups using the AD plugin. Is it possible to create an universal group ?, the createUserGroup creates a Global group. (The same question for a domain local group)

Regards

Thomas

ppanicherski · ‎10-10-2011

By using "createUserGroup" WF you will be able to create only UserGroups of type "Security Group - Global". I think that this can be workarounded by later setting the attribute "groupType" of the UserGroup object to(see table bellow):

Group Type	Constant	Value
Global group	ADS_GROUP_TYPE_GLOBAL_GROUP	&H2
Domain local group	ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP	&H4
Universal group	ADS_GROUP_TYPE_UNIVERSAL_GROUP	&H8
Security group	ADS_GROUP_TYPE_SECURITY_ENABLED	&H80000000

However when I tried this I got an AD error probably stating insufficient priveleges.

The code I use is:

userGroup.setAttribute("groupType", "&H4");

The error I got was:

Unable to remove attribute: Error while modifying element: [LDAP: error code 21 - 00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece ]

BrettK1 · ‎02-09-2022

10 years late, but relevant still for me!

First, the values you'll want to use are listed here:
https://devblogs.microsoft.com/scripting/how-can-i-tell-whether-a-group-is-a-security-group-or-a-dis...

2	Global distribution group
4	Domain local distribution group
8	Universal distribution group
-2147483646	Global security group
-2147483644	Domain local security group
-2147483640	Universal security group

Secondly, you can't convert directly from 'Global' to 'Domain Local', you have to make a pit-stop at 'Universal' in between.
https://social.technet.microsoft.com/Forums/windows/en-US/3cc3d71b-ca71-4d85-9a86-93579dae9fd4/conve...

userGroup.setAttribute('groupType', '-2147483640');

userGroup.setAttribute('groupType', '-2147483644');

All

AD plugin and universal group