Searching for Groups by Scope or Type in a Domain

In Windows 2000 domains, there is a single class called group for all group scopes (Domain Local, Global, Universal) and types (security, distribution). The groupType attribute of the group object specifies the group type and scope.

To use type or scope to search for groups on Windows 2000 domains, use a filter that contains a matching rule for the groupType attribute. For more information about matching rules, see Search Filter Syntax.

For more information and a code example that shows how to search for groups in a domain, see Example Code for Searching for Groups in a Domain.

Example LDAP Query Strings

The following query string examples show how to construct an LDAP query string used to search for or filter specific group types.

The following query string will search for security groups. This example uses "-2147483648" as the decimal equivalent of the ADS_GROUP_TYPE_SECURITY_ENABLED flag.

(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483648))

The following query string will search for universal distribution groups; that is, groups that contain the ADS_GROUP_TYPE_UNIVERSAL_GROUP flag and do not contain the ADS_GROUP_TYPE_SECURITY_ENABLED flag. This example uses "8" as the decimal equivalent of ADS_GROUP_TYPE_UNIVERSAL_GROUP and "-2147483648" as the decimal equivalent of the ADS_GROUP_TYPE_SECURITY_ENABLED flag.

(&(objectCategory=group)(&(groupType:1.2.840.113556.1.4.803:=8)(!(groupType:1.2.840.113556.1.4.803:=-2147483648))))
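
The two query strings above generalize to any combination of scope and type. The following added example (not part of the original documentation) builds such filters and decodes groupType values returned by a search, which is useful when auditing which groups can appear in access control lists. The function names are hypothetical, and the Global (2) and Domain Local (4) flag values are taken from ADS_GROUP_TYPE_ENUM rather than from this page.

```python
BIT_AND = "1.2.840.113556.1.4.803"  # bitwise AND matching rule used in the filters above

# ADS_GROUP_TYPE_ENUM flag values (Global and Domain Local are not listed on this page)
SCOPES = {"global": 0x2, "domain_local": 0x4, "universal": 0x8}
SECURITY_ENABLED = 0x80000000


def to_signed32(value):
    """groupType is a signed 32-bit integer, so 0x80000000 is written -2147483648."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def group_filter(scope=None, security=None):
    """Return an LDAP filter for groups of the given scope and/or type.

    scope: a key of SCOPES, or None for any scope. Unknown names raise KeyError,
           so caller-supplied text is never copied into the filter string.
    security: True = security groups, False = distribution groups, None = either.
    """
    clauses = ["(objectCategory=group)"]
    if scope is not None:
        clauses.append(f"(groupType:{BIT_AND}:={to_signed32(SCOPES[scope])})")
    if security is not None:
        test = f"(groupType:{BIT_AND}:={to_signed32(SECURITY_ENABLED)})"
        clauses.append(test if security else f"(!{test})")
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"


def describe(group_type):
    """Decode a groupType value (decimal string or int) into (scope, type)."""
    bits = int(group_type) & 0xFFFFFFFF
    scope = next((name for name, flag in SCOPES.items() if bits & flag), "unknown")
    kind = "security" if bits & SECURITY_ENABLED else "distribution"
    return scope, kind


if __name__ == "__main__":
    print(group_filter(security=True))                # all security groups
    print(group_filter("universal", security=False))  # universal distribution groups
    # Constructed sample values, in the decimal form a search returns them.
    for raw in ("-2147483646", "8", "-2147483644"):
        print(raw, describe(raw))
```

The universal distribution filter it produces lists the three conditions under a single AND, which is equivalent to the nested form shown above.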