4

Identifying Active Directory built-in groups with PowerShell

Built-in groups are predefined security groups, defined with domain local scope, that are created automatically when you create an Active Directory domain. You can use these groups to control access to shared resources and delegate specific domain-wide administrative roles. Built-in groups are located under the Builtin container. One way to list all built-in groups is to get all groups from the Builtin container.

PS> Get-ADGroup -SearchBase 'CN=Builtin,DC=domain,DC=com' -Filter * |
Format-Table Name,GroupScope,GroupCategory,SID

Name                                GroupScope GroupCategory SID
----                                ---------- ------------- ---
Network Configuration Operators    DomainLocal      Security S-1-5-32-556
Incoming Forest Trust Builders     DomainLocal      Security S-1-5-32-557
Distributed COM Users              DomainLocal      Security S-1-5-32-562
Guests                             DomainLocal      Security S-1-5-32-546
Performance Log Users              DomainLocal      Security S-1-5-32-559
Performance Monitor Users          DomainLocal      Security S-1-5-32-558
Pre-Windows 2000 Compatible Access DomainLocal      Security S-1-5-32-554
Terminal Server License Servers    DomainLocal      Security S-1-5-32-561
Users                              DomainLocal      Security S-1-5-32-545
Windows Authorization Access Group DomainLocal      Security S-1-5-32-560
Remote Desktop Users               DomainLocal      Security S-1-5-32-555
Replicator                         DomainLocal      Security S-1-5-32-552
Print Operators                    DomainLocal      Security S-1-5-32-550
Administrators                     DomainLocal      Security S-1-5-32-544
Backup Operators                   DomainLocal      Security S-1-5-32-551
Account Operators                  DomainLocal      Security S-1-5-32-548
Server Operators                   DomainLocal      Security S-1-5-32-549
IIS_IUSRS                          DomainLocal      Security S-1-5-32-568
Cryptographic Operators            DomainLocal      Security S-1-5-32-569
Event Log Readers                  DomainLocal      Security S-1-5-32-573
Certificate Service DCOM Access    DomainLocal      Security S-1-5-32-574
Power Users                             Global      Security S-1-5-21-33041744-1045339714-1466953526-11229

Although groups in the Builtin container cannot be moved to another location, other group types are found in that location. From the above output you can see that the ‘Power Users’  group is not a ‘pure’ built-in group. Another way to list built-in groups is to filter them by a portion of their SID value:

PS> Get-ADGroup -ResultSetSize $null -Filter * -Properties GroupType |
Where-Object {$_.SID -like "S-1-5-32-*"} |
Format-Table Name,GroupScope,GroupCategory,GroupType,SID

Name                                GroupScope GroupCategory   GroupType SID
----                                ---------- -------------   --------- ---
Network Configuration Operators    DomainLocal      Security -2147483643 S-1-5-32-556
Incoming Forest Trust Builders     DomainLocal      Security -2147483643 S-1-5-32-557
Distributed COM Users              DomainLocal      Security -2147483643 S-1-5-32-562
Guests                             DomainLocal      Security -2147483643 S-1-5-32-546
Performance Log Users              DomainLocal      Security -2147483643 S-1-5-32-559
Performance Monitor Users          DomainLocal      Security -2147483643 S-1-5-32-558
Pre-Windows 2000 Compatible Access DomainLocal      Security -2147483643 S-1-5-32-554
Replicator                         DomainLocal      Security -2147483643 S-1-5-32-552
Print Operators                    DomainLocal      Security -2147483643 S-1-5-32-550
Administrators                     DomainLocal      Security -2147483643 S-1-5-32-544
Backup Operators                   DomainLocal      Security -2147483643 S-1-5-32-551
Account Operators                  DomainLocal      Security -2147483643 S-1-5-32-548
Server Operators                   DomainLocal      Security -2147483643 S-1-5-32-549
Windows Authorization Access Group DomainLocal      Security -2147483643 S-1-5-32-560
Terminal Server License Servers    DomainLocal      Security -2147483643 S-1-5-32-561
Users                              DomainLocal      Security -2147483643 S-1-5-32-545
Remote Desktop Users               DomainLocal      Security -2147483643 S-1-5-32-555
Cryptographic Operators            DomainLocal      Security -2147483643 S-1-5-32-569
IIS_IUSRS                          DomainLocal      Security -2147483643 S-1-5-32-568
Event Log Readers                  DomainLocal      Security -2147483643 S-1-5-32-573
Certificate Service DCOM Access    DomainLocal      Security -2147483643 S-1-5-32-574

This method is not the most efficient one because it first gets ALL groups from the directory (depending on the size of your environment that can take some time to finish) and only then filters them by their SID. We could try and filter them using the Filter parameter (e.g Get-ADGroup -Filter {SID -like “S-1-5-32-*”}) but filtering by SID on the server is not supported and doesn’t yield a result.

So, how can we get all the groups in an efficient manner and make sure we get built-in groups only? First, let’s find out what makes a group a built-in group. We will investigate the groupType value of the groups (see output above). The groupType value is a combination of flags that determine the type of the group.

Symbolic name Value
GROUP_TYPE_BUILTIN_LOCAL_GROUP 0×00000001
GROUP_TYPE_ACCOUNT_GROUP 0×00000002
GROUP_TYPE_RESOURCE_GROUP 0×00000004
GROUP_TYPE_UNIVERSAL_GROUP 0×00000008
GROUP_TYPE_APP_BASIC_GROUP 0×00000010
GROUP_TYPE_APP_QUERY_GROUP 0×00000020
GROUP_TYPE_SECURITY_ENABLED 0×80000000

The groupType AD property returns a numeric value but using ADSI Edit (adsiedit.msc) you can get a visual representation of the flags.

groupType

As you can see the Administrators group type is marked with three attributes:  GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_RESOURCE_GROUP, and GROUP_TYPE_SECURITY_ENABLED. These attributes translates to the flags in the figure above.

PS> $GROUP_TYPE_BUILTIN_LOCAL_GROUP = 0x00000001
PS> $GROUP_TYPE_RESOURCE_GROUP = 0x00000004
PS> $GROUP_TYPE_SECURITY_ENABLED = 0x80000000
PS> $groupType = $GROUP_TYPE_BUILTIN_LOCAL_GROUP + $GROUP_TYPE_RESOURCE_GROUP + $GROUP_TYPE_SECURITY_ENABLED
PS> $groupType
-2147483643

PS> '0x{0:x}' -f $groupType
0x80000005

In the case of built-in groups, they all have the same attributes applied so you could list them using the Filter parameter with the following command:

Get-ADGroup -Filter {GroupType -eq -2147483643}

That’s much more efficient than using a Where-Object command but it gets us all groups with all of those attributes defined together. If you want to test if a group has the  BUILTIN_LOCAL_GROUP flag turned on, you can do that using the bitwise AND (-bAnd) operator.

Get-ADGroup -Filter {GroupType -band 1}
Filed in: Articles, Online Only Tags: , , , ,

4 Pingbacks/Trackbacks

4 Responses to "Identifying Active Directory built-in groups with PowerShell"

Leave a Reply

Submit Comment

© 2014 PowerShell Magazine. All rights reserved. XHTML / CSS Valid.
Proudly designed by Theme Junkie.
%d bloggers like this: