Powered by Ed Buford and Coffee

Tag: Active Directory

Finding AD Groups with PowerShell

How to List AD Groups by type using PowerShell

The AD group type is a bit of a mystery to me. I’m not sure why Microsoft has chosen to make thing they way they have and I have to keep reminding myself they have been building Active Directory a lot longer than they have been building PowerShell.
Today one of my team asked me to see if I could pull Domain Local groups out of AD using PowerShell. I was sure this was going to be as easy as it sounds. Turns out it isn’t straight forward.

Since there isn’t a Get-ADGroupType PowerShell command I went looking at the Attributes and here’s what I found:


Even more confusing when you Open that Attribute you get something even more interesting:



So I started searching around MSDN and I came up with this chart:

Group Type                                                 Value
Global distribution group                        2
Domain local distribution group           4
Universal distribution group                  8
Global security group                               -2147483646
Domain local security group                  -2147483644
Universal security group                         -2147483640

Now that I have the value I’m looking for I can pull it out of AD:
In order to do that I need to log into Domain Controller or a Domain computer with RSAT loaded.  Then I can import the ActiveDirectory module:

Import-module ActiveDirectory

Then I can get the Group Type by using the command below

Get-ADGroup -Filter * -Properties GroupType | where {$_.GroupType -eq “-2147483644”} | FL name

If I want to change the Group Type that I’m searching for then I just change the number from the list above make sure to include the Negative on the ones that have it listed.

[sourcecode language='powershell' ]
Get-ADGroup -Filter * -Properties GroupType | where {$_.GroupType -eq "-2147483644"} | FL name


Moving FSMO Roles with PowerShell

If you’ve ever had to move FSMO roles in Active Directory to another server you know it’s not as straight forward as it could should be (At least until I found PowerShell).

Open the Active Directory Module for Windows PowerShell or open PoweShell on a machine with RSAT installed and Import-Module ActiveDirectory


Part of the FSMO roles are Domain and part are Forest so you’ll need to use 2 commands to get the roles.
To get the Domain role holders:

Get-ADDomain | select PDCEmulator,RIDMaster,InfrastructureMaster

To get the Forest role holders:

Get-ADForest | select SchemaMaster,DomainNamingMaster

Moving roles only requires one command. Change the Target-DC to the name Domain Controller you’re moving the FSMO role(s) to.

There are 5 FSMO roles include the ones you want to move.

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator